CVE-2018-1000180
Description
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bouncy Castle's low-level RSA key pair generator may apply fewer Miller-Rabin primality tests than specified, reducing the certainty of generated keys.
Vulnerability
A flaw exists in the low-level interface to the RSA key pair generator in Bouncy Castle BC 1.54 through 1.59 and BC-FJA 1.0.0 through 1.0.1 (and earlier). When generating RSA keys with added certainty via the low-level API, the implementation may perform fewer Miller–Rabin primality tests than requested, potentially yielding composite numbers that are incorrectly identified as prime. This issue is distinct from the high-level KeyPairGenerator path [1][2][3].
Exploitation
An attacker does not need special network access or authentication; the vulnerability is triggered during key generation itself. If an application uses the low-level RSA key generation API with explicit certainty and relies on the strength of the generated primes, the reduced testing could produce a weak RSA modulus. An attacker would need to obtain such a key (e.g., through a public key certificate or other exposed public key) and then factor it to recover the private key. The precise conditions and attacker steps are not further detailed in the available references [1][3].
Impact
Successful exploitation allows an attacker to factor the RSA modulus derived from insufficiently tested primes. This compromises the confidentiality and integrity of communications or data protected by that key pair, potentially leading to impersonation, decryption, or signature forgery. The achieved privilege level depends on the role of the compromised key [3].
Mitigation
The fix is included in Bouncy Castle version 1.60 beta 4 and later, and BC-FJA version 1.0.2 and later. Users should update to these or newer versions. Red Hat has released updated packages (e.g., eap7-bouncycastle-1.56.0-5.redhat_3.1.ep7) as part of RHSA-2018:2423, RHSA-2018:2424, and RHSA-2018:2669 covering Red Hat JBoss EAP and Fuse products [1][2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
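To make the mechanism concrete, here is an added illustration that is not code from Bouncy Castle or from this advisory. FIPS 186-4 style Miller-Rabin schedules assign fewer rounds to larger candidates (a random k-bit composite is far more likely to be caught by one round as k grows), so taking the round count from the modulus size instead of from the size of each prime yields fewer rounds than the certainty argument asks for. The `mr_iterations` table below is a reconstruction modelled on Bouncy Castle's `getNumberOfIterations(bits, certainty)` and is an assumption (the exact thresholds may differ from the library source); `iterations_before_fix` and `iterations_after_fix` model the two sizing choices visible in the patches, and the Miller-Rabin routine is a textbook implementation for demonstration only.

```python
import random

# ASSUMPTION: reconstruction of the FIPS 186-4 Table C.2 style schedule behind
# Bouncy Castle's RSAKeyPairGenerator.getNumberOfIterations(bits, certainty).
# Exact thresholds may differ from the real source; the property that matters
# is that the round count shrinks as `bits` grows.
def mr_iterations(bits: int, certainty: int) -> int:
    if bits >= 1536:
        return 3 if certainty <= 100 else 4 if certainty <= 128 else 4 + (certainty - 128 + 1) // 2
    if bits >= 1024:
        return 4 if certainty <= 80 else 5 if certainty <= 112 else 5 + (certainty - 112 + 1) // 2
    if bits >= 512:
        return 5 if certainty <= 64 else 7 if certainty <= 80 else 7 + (certainty - 80 + 1) // 2
    return 40 if certainty <= 100 else 40 + (certainty - 100 + 1) // 2


def iterations_before_fix(strength: int, certainty: int) -> int:
    """BC 1.54-1.59 behaviour: the count was computed once in init() from
    param.getStrength(), i.e. the modulus size, although each prime is only
    strength/2 bits for a two-prime key."""
    return mr_iterations(strength, certainty)


def iterations_after_fix(strength: int, certainty: int) -> int:
    """Fixed behaviour: the count is computed per candidate from the prime's
    own bit length."""
    return mr_iterations(strength // 2, certainty)


def worst_case_certainty_bits(rounds: int) -> int:
    """Generic Miller-Rabin bound: a composite survives t random-base rounds
    with probability at most 4^-t, i.e. 2t bits of certainty. The FIPS tables
    are far smaller than certainty/2 because they assume random candidates."""
    return 2 * rounds


def is_probable_prime(n: int, rounds: int, rng=None) -> bool:
    """Plain Miller-Rabin with `rounds` random bases (demonstration only)."""
    if rng is None:
        rng = random.SystemRandom()
    if n < 2:
        return False
    for small in (2, 3, 5, 7):
        if n == small:
            return True
        if n % small == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: a is a witness of compositeness
    return True


def generate_prime(bits: int, certainty: int, seed=None) -> tuple:
    """Draw random odd candidates with the top bit set (bit length exactly
    `bits`) and test each with the schedule for the prime's own size.
    Returns (prime, rounds_used)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    rounds = mr_iterations(bits, certainty)
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rounds, rng):
            return p, rounds


def compare(strength: int, certainty: int) -> dict:
    """Rounds actually run per prime before and after the fix for one key size."""
    before = iterations_before_fix(strength, certainty)
    after = iterations_after_fix(strength, certainty)
    return {"prime_bits": strength // 2, "before": before, "after": after,
            "rounds_lost": after - before}


if __name__ == "__main__":
    for strength, certainty in ((2048, 100), (1024, 80), (4096, 128)):
        print(strength, certainty, compare(strength, certainty))
    p, rounds = generate_prime(256, 80, seed=2018)
    print("generated", p.bit_length(), "bit prime with", rounds, "rounds")
```

Under the assumed schedule a 2048-bit key with certainty 100 gets 3 rounds per 1024-bit prime instead of 5, and a 1024-bit key with certainty 80 gets 4 instead of 7; at 4096 bits the two sizes fall in the same row and nothing is lost. The practical check for a defender is therefore whether keys were generated through the low-level `RSAKeyPairGenerator` on an affected version at 2048 bits or below, not merely whether the library was present.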
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.bouncycastle:bcprov-jdk14 (Maven) | < 1.60 | 1.60 |
| org.bouncycastle:bcprov-jdk15 (Maven) | < 1.60 | 1.60 |
| org.bouncycastle:bcprov-jdk15on (Maven) | < 1.60 | 1.60 |
Affected products
- pkg:maven/org.bouncycastle/bcprov-jdk14 (no CPE), range: < 1.60
- pkg:maven/org.bouncycastle/bcprov-jdk15 (no CPE), range: < 1.60
- pkg:maven/org.bouncycastle/bcprov-jdk15on (no CPE), range: < 1.60
- pkg:rpm/opensuse/bouncycastle&distro=openSUSE%20Tumbleweed (no CPE), range: < 1.68-3.2
Patches
22467b6e8fe1: BJA-694 minor tweak to avoid method signature change
1 file changed · +4 −4
core/src/main/java/org/bouncycastle/crypto/generators/RSAKeyPairGenerator.java+4 −4 modified@@ -157,8 +157,6 @@ public AsymmetricCipherKeyPair generateKeyPair() */ protected BigInteger chooseRandomPrime(int bitlength, BigInteger e, BigInteger sqrdBound) { - int iterations = getNumberOfIterations(bitlength, param.getCertainty()); - for (int i = 0; i != 5 * bitlength; i++) { BigInteger p = new BigInteger(bitlength, 1, param.getRandom()); @@ -173,7 +171,7 @@ protected BigInteger chooseRandomPrime(int bitlength, BigInteger e, BigInteger s continue; } - if (!isProbablePrime(p, iterations)) + if (!isProbablePrime(p)) { continue; } @@ -189,8 +187,10 @@ protected BigInteger chooseRandomPrime(int bitlength, BigInteger e, BigInteger s throw new IllegalStateException("unable to generate prime number for RSA key"); } - protected boolean isProbablePrime(BigInteger x, int iterations) + protected boolean isProbablePrime(BigInteger x) { + int iterations = getNumberOfIterations(x.bitLength(), param.getCertainty()); + /* * Primes class for FIPS 186-4 C.3 primality checking */
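Review bot: in the hunk at `@@ -189,8 +187,10 @@`, deriving `iterations` inside `isProbablePrime(BigInteger x)` from `x.bitLength()` and `param.getCertainty()` makes the method silently depend on `init()` having been called and on every caller passing a candidate of the intended size; add a Javadoc line stating both, and consider failing with a clear `IllegalStateException` when `param` is null so a subclass that calls it before `init()` does not hit a bare NullPointerException.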
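Review bot: in the hunk at `@@ -157,8 +157,6 @@`, dropping the local `int iterations = getNumberOfIterations(bitlength, param.getCertainty());` means the count is now recomputed for every candidate inside the `5 * bitlength` loop; that is a cheap table lookup, but a one-line comment saying the count is intentionally tied to the candidate's own size would stop a later "optimisation" from hoisting it back into `init()` with the modulus strength, which is exactly the defect this series fixes.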
73780ac522b7: BJA-694 cleaned up primality test
1 file changed · +4 −4
core/src/main/java/org/bouncycastle/crypto/generators/RSAKeyPairGenerator.java+4 −4 modified@@ -20,12 +20,10 @@ public class RSAKeyPairGenerator private static final BigInteger ONE = BigInteger.valueOf(1); private RSAKeyGenerationParameters param; - private int iterations; public void init(KeyGenerationParameters param) { this.param = (RSAKeyGenerationParameters)param; - this.iterations = getNumberOfIterations(this.param.getStrength(), this.param.getCertainty()); } public AsymmetricCipherKeyPair generateKeyPair() @@ -159,6 +157,8 @@ public AsymmetricCipherKeyPair generateKeyPair() */ protected BigInteger chooseRandomPrime(int bitlength, BigInteger e, BigInteger sqrdBound) { + int iterations = getNumberOfIterations(bitlength, param.getCertainty()); + for (int i = 0; i != 5 * bitlength; i++) { BigInteger p = new BigInteger(bitlength, 1, param.getRandom()); @@ -173,7 +173,7 @@ protected BigInteger chooseRandomPrime(int bitlength, BigInteger e, BigInteger s continue; } - if (!isProbablePrime(p)) + if (!isProbablePrime(p, iterations)) { continue; } @@ -189,7 +189,7 @@ protected BigInteger chooseRandomPrime(int bitlength, BigInteger e, BigInteger s throw new IllegalStateException("unable to generate prime number for RSA key"); } - protected boolean isProbablePrime(BigInteger x) + protected boolean isProbablePrime(BigInteger x, int iterations) { /* * Primes class for FIPS 186-4 C.3 primality checking
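Review bot: in the hunk at `@@ -20,12 +20,10 @@`, the removed `this.iterations = getNumberOfIterations(this.param.getStrength(), this.param.getCertainty());` sized the Miller-Rabin round count by the full key strength, while `chooseRandomPrime` tests candidates of only `bitlength` bits; because the schedule grants fewer rounds to larger sizes, that mismatch is the root of the under-testing, and moving the computation next to the candidate size is the right fix. Suggest a regression test asserting that a 2048-bit generation actually performs `getNumberOfIterations(bitlength, certainty)` rounds per prime rather than the count for the modulus size.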
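Review bot: in the hunk at `@@ -189,7 +189,7 @@`, changing the protected method from `isProbablePrime(BigInteger x)` to `isProbablePrime(BigInteger x, int iterations)` silently breaks any subclass overriding the old signature; keep the original signature (for example as a delegating overload) or document the break, which is what the other commit on this page, "minor tweak to avoid method signature change", ends up doing.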
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2018:2423 [ghsa: vendor-advisory, x_refsource_REDHAT, WEB]
- access.redhat.com/errata/RHSA-2018:2424 [ghsa: vendor-advisory, x_refsource_REDHAT, WEB]
- access.redhat.com/errata/RHSA-2018:2425 [ghsa: vendor-advisory, x_refsource_REDHAT, WEB]
- access.redhat.com/errata/RHSA-2018:2428 [ghsa: vendor-advisory, x_refsource_REDHAT, WEB]
- access.redhat.com/errata/RHSA-2018:2643 [ghsa: vendor-advisory, x_refsource_REDHAT, WEB]
- access.redhat.com/errata/RHSA-2018:2669 [ghsa: vendor-advisory, x_refsource_REDHAT, WEB]
- access.redhat.com/errata/RHSA-2019:0877 [ghsa: vendor-advisory, x_refsource_REDHAT, WEB]
- github.com/advisories/GHSA-xqj7-j8j5-f2xr [ghsa: ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2018-1000180 [ghsa: ADVISORY]
- www.debian.org/security/2018/dsa-4233 [ghsa: vendor-advisory, x_refsource_DEBIAN, WEB]
- www.securityfocus.com/bid/106567 [ghsa: vdb-entry, x_refsource_BID, WEB]
- github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad [ghsa: x_refsource_CONFIRM, WEB]
- github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839 [ghsa: x_refsource_CONFIRM, WEB]
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E [mitre: mailing-list, x_refsource_MLIST]
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E [ghsa: WEB]
- security.netapp.com/advisory/ntap-20190204-0003 [ghsa: WEB]
- security.netapp.com/advisory/ntap-20190204-0003/ [mitre: x_refsource_CONFIRM]
- www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iterations-for-mr-primality-test [ghsa: x_refsource_MISC, WEB]
- www.oracle.com/security-alerts/cpuApr2021.html [ghsa: x_refsource_MISC, WEB]
- www.oracle.com/security-alerts/cpuapr2020.html [ghsa: x_refsource_MISC, WEB]
- www.oracle.com/security-alerts/cpuoct2020.html [ghsa: x_refsource_MISC, WEB]
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html [ghsa: x_refsource_MISC, WEB]
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html [ghsa: x_refsource_CONFIRM, WEB]
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html [ghsa: x_refsource_MISC, WEB]