UB:CVE-2016-2427 (Ubuntu CVE tracker entry for CVE-2016-2427)
Published: Apr 18, 2016 - 12:00 a.m. (2016-04-18 00:00:00)
Source: ubuntu.com

CVSS2: 4.3 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.5 Medium
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.001 Low (Percentile: 23.6%)

Description

DISPUTED. The AES-GCM specification in RFC 5084, as used in Android 5.x and 6.x,
recommends 12 octets for the aes-ICVlen parameter field, which might make it
easier for attackers to defeat a cryptographic protection mechanism and discover
an authentication key via a crafted application, aka internal bug 26234568.
NOTE: The vendor disputes the existence of this potential issue in Android,
stating: "This CVE was raised in error: it referred to the authentication tag
size in GCM, whose default according to ASN.1 encoding (12 bytes) can lead to
vulnerabilities. After careful consideration, it was decided that the insecure
default value of 12 bytes was a default only for the encoding and not default
anywhere else in Android, and hence no vulnerability existed."

Notes

Author note (mdeslaur): no reverse depends in main as of 2015-05-05; no equivalent fix in the bouncycastle git repo; this is an Android issue, and is disputed.
