
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in Legion of the Bouncy Castle BC Java versions 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared the wrong data when verifying a password, so a wrong password could be accepted as matching the stored hash of a different password (NVD, BC Wiki).
The flaw is in OpenBSDBCrypt.doCheckPassword, the internal routine behind checkPassword. The method re-hashes the supplied password with the cost and salt taken from the stored bcrypt string and then compares the stored and freshly computed 60-character strings in a loop over i from 0 to 59 inclusive. Instead of comparing the characters at position i, the loop compared the result of String.indexOf(i) on each string, that is, the position of the first occurrence of the character whose code point is i. Only characters with code points 0x00 to 0x3B are therefore ever consulted; in a bcrypt string those are '$', '.', '/' and the digits 0-9, while the letters, which make up most of the salt and hash, are never compared at all. Two hashes whose first occurrences of these few characters fall at the same positions compare equal, so a candidate password does not need to produce a byte-for-byte match with the stored hash to pass the check (Synopsys).
The vulnerability allows attackers to bypass password checks in applications that use Bouncy Castle's OpenBSDBCrypt class for authentication. Synopsys reports that about 20% of the passwords it tested could be bypassed within 1,000 attempts, that all password hashes can potentially be bypassed given enough attempts, and that in rare cases a hash could be bypassed with any input at all (Synopsys).
Software vendors and users of the library are strongly encouraged to upgrade to Bouncy Castle Java release 1.67 or later, which corrects the comparison. Those who must remain on 1.65 or 1.66 can perform the check themselves using the corrected doCheckPassword() code from the official repository (BC Wiki).
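The comparison bug and a corrected check, modeled in Python as an added example (this is not Bouncy Castle's code). str.find stands in for Java's String.indexOf(int); the two bcrypt-format strings are constructed and are not real hashes of any password; the function names are this example's own; and the constant-time comparison in the fixed variant is a hardening choice of the example, not a description of the exact 1.67 source.

```python
import hmac

# Constructed 60-character strings in OpenBSD bcrypt format:
# "$2a$" + 2-digit cost + "$" + 22-char salt + 31-char hash.
# Neither is a real hash of any password; they only exercise the comparison.
PREFIX_AND_SALT = "$2a$10$N9dxaLgUq4ZC.Ee7LqKRfu"          # 29 characters
STORED = PREFIX_AND_SALT + "abcdefghijklmnopqrstuvwxyzABCDE"  # 31-char hash part
# The checker always re-derives cost and salt from the stored string, so a
# candidate differs from it only in the hash part. This one is entirely
# different from STORED's hash part yet passes the flawed check.
FORGED = PREFIX_AND_SALT + "zyxwvutsrqponmlkjihgfedcba99.47"

HASH_START = 29  # first index of the 31-character hash part


def flawed_check(stored: str, computed: str) -> bool:
    """Model of the 1.65/1.66 loop: for i in 0..len-1 it compared
    String.indexOf(i) on both strings, i.e. the position of the FIRST
    occurrence of the character with code point i, not the character at
    position i (str.find plays the role of String.indexOf(int))."""
    is_equal = len(stored) == len(computed)
    for i in range(len(stored)):
        is_equal &= stored.find(chr(i)) == computed.find(chr(i))
    return is_equal


def fixed_check(stored: str, computed: str) -> bool:
    """Positional comparison of every character, done in constant time
    (hardening choice of this example)."""
    return hmac.compare_digest(stored.encode("ascii"), computed.encode("ascii"))


def constrained_positions(stored: str) -> list:
    """Positions of `stored` the flawed loop actually pins down: the first
    occurrence of each character with code point below 60. In a bcrypt
    string only '$', '.', '/' and the digits qualify; letters never do."""
    return sorted({p for p in (stored.find(chr(i)) for i in range(60)) if p != -1})


def unconstrained_hash_chars(stored: str) -> int:
    """How many of the 31 hash characters the flawed loop never looks at."""
    pinned = set(constrained_positions(stored))
    return sum(1 for p in range(HASH_START, len(stored)) if p not in pinned)


def forbidden_in_forgery(stored: str) -> set:
    """bcrypt-alphabet characters with code point < 60 that never occur in
    `stored`: their indexOf is -1 on the stored side, so a forged hash part
    must avoid them entirely. Everything else (all letters, and any digit or
    '.' that already appears earlier) is free."""
    return {c for c in "./0123456789" if stored.find(c) == -1}


if __name__ == "__main__":
    print("flawed check accepts forgery:", flawed_check(STORED, FORGED))
    print("fixed check accepts forgery: ", fixed_check(STORED, FORGED))
    print("positions actually compared:", constrained_positions(STORED))
    print("hash chars never compared:  ", unconstrained_hash_chars(STORED))
    print("chars a forgery must avoid: ", sorted(forbidden_in_forgery(STORED)))
```

For STORED above the flawed loop pins only eight positions, all inside the cost and salt, so none of the 31 hash characters is compared and any hash part that avoids '/', '3', '5', '6' and '8' is accepted; this is the shape of the "rare cases" Synopsys describes. A stored hash whose hash part does contain such characters is constrained at those first-occurrence positions only, which is why other hashes still fall to repeated attempts.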
Multiple major software projects and organizations responded to this vulnerability by updating their dependencies. Apache projects including Druid, Kafka, and Karaf issued updates to address the vulnerability. Oracle included fixes for this vulnerability in multiple Critical Patch Updates (Oracle CPU).
Source: This report was generated using AI