Today, the ROBOT Attack on TLS was published (https://robotattack.org).
It is actually the return of the Bleichenbacher attack on RSA key
exchange as used in TLS.
BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, were found to be
vulnerable due to a weak Bleichenbacher oracle when any TLS cipher suite
using RSA key exchange was negotiated. This specifically includes
servers using the BCJSSE provider in its default configuration.
The affected versions are:
bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions
The older TLS implementation (in the org.bouncycastle.crypto.tls
package) is not vulnerable. The new implementation (in the
org.bouncycastle.tls package) is vulnerable if configured to use the
JcaTlsCrypto implementation of TlsCrypto, but not if using BcTlsCrypto.
The BCJSSE provider always uses JcaTlsCrypto and so is vulnerable when
RSA cipher suites are negotiated.
(Also the C# TLS implementation is not vulnerable.)
For FIPS users, the issue is fixed in
We recommend all FIPS users upgrade as soon as possible.
For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/. We recommend users upgrade to
the beta and then upgrade to the full 1.59 release as soon as it is
available.
If continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.
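One way to apply that mitigation on a BCJSSE server, as an added example that is not Bouncy Castle's own code: strip the static RSA key exchange suites from the enabled list before accepting connections. It assumes a PKCS12 keystore named server.p12 with password changeit, and listens on port 8443.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class NoRsaKeyExchangeServer {

    // Keep only suites that do not use RSA key exchange. Static RSA suites are
    // named TLS_RSA_WITH_* (legacy: SSL_RSA_WITH_*); TLS_RSA_PSK_* also encrypts
    // the premaster secret under the server's RSA key, so it is dropped too.
    // TLS_ECDHE_RSA_* and TLS_DHE_RSA_* use RSA only for signatures and stay.
    static String[] withoutRsaKeyExchange(String[] enabled) {
        List<String> keep = new ArrayList<>();
        for (String suite : enabled) {
            if (suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_")) {
                continue;
            }
            keep.add(suite);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // BC as the JCA provider (used by JcaTlsCrypto), BCJSSE as the TLS provider.
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());

        // Assumed keystore holding the server certificate and private key.
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("server.p12")) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            // Sockets accepted from this server socket inherit the reduced suite list.
            server.setEnabledCipherSuites(withoutRsaKeyExchange(server.getEnabledCipherSuites()));
            System.out.println("Enabled suites: " + String.join(", ", server.getEnabledCipherSuites()));
        }
    }
}
```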