CVE Tools
Sign in

CVE-2016-1000339

Published: Jun 4, 2018Updated: May 12, 2025 Sources: CVE List NVD GHSACWE-310
NVD MITRE
5.3CVSSMEDIUM
EPSS Score
2.7%
Top 16.2%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-310

Affected Products

n/an/a
org.bouncycastle:bcprov-jdk14MavenOSS Libraries
org.bouncycastle:bcprov-jdk15MavenOSS Libraries
org.bouncycastle:bcprov-jdk15onMavenOSS Libraries
bc-javabouncycastle
Library
OSS Libraries / generic-library
mavenpackage-ecosystemOSS Libraries
bouncycastleoss-projectOSS Librariesaka bouncycastle
and 1 more affected products View all →

Exploitability

Official Patch Available

References

https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
lists.debian.org
https://access.redhat.com/errata/RHSA-2018:2669
access.redhat.com
https://usn.ubuntu.com/3727-1/
usn.ubuntu.com
and 9 more references View all →

Timeline

Published
Jun 4, 2018
Last Updated
May 12, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2016-1000339 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows