exploitDog

BDU:2019-00323

Published: 05 Jun 2018
Source: fstec
CVSS3: 7.5
CVSS2: 5
EPSS: Low

Description

A vulnerability in the RsaKeyPairGenerator::getNumberOfIterations() method of the Bouncy Castle library is related to flaws in the handling of cryptographic keys: the method determines how many Miller-Rabin iterations are applied to candidate primes, and RSA key pairs generated through the low-level API with an added certainty value may receive fewer tests than that certainty implies (see the related entries below). Exploitation may allow a remote attacker to gain unauthorized access to protected data over network protocols (HTTP, HTTPS).

Vendor

Oracle Corp.
Free software community
Novell Inc.
Legion of the Bouncy Castle Inc.
Red Hat Inc.
Siemens AG

Software name

API Gateway
Debian GNU/Linux
OpenSUSE Leap
Enterprise Repository
Business Process Management Suite
WebLogic Server
PeopleSoft Enterprise PeopleTools
Bouncy Castle
WebCenter Portal
Managed File Transfer
Red Hat Virtualization
Enterprise Manager Base Platform
Retail Xstore Point of Service
Oracle Utilities Network Management System
Communications Converged Application Server
Communications WebRTC Session Controller
Communications Application Session Controller
Business Transaction Management
SOA Suite
Red Hat Enterprise Linux
Red Hat Satellite
Oracle Data Integrator
Jboss Fuse
OpenShift Application Runtimes
Red Hat JBoss Fuse
Enterprise Manager for Fusion Middleware
Red Hat Single Sign-On
Red Hat JBoss EAP
Banking Platform
Communications Diameter Signaling Router
Bouncy Castle FIPS Java API (BC-FJA)
Oracle Retail Convenience and Fuel POS Software
Oracle Communications Convergence
JBoss Enterprise Application Platform

Software version

11.1.2.4.0 (API Gateway)
9 (Debian GNU/Linux)
42.3 (OpenSUSE Leap)
12.1.3.0.0 (Enterprise Repository)
11.1.1.9.0 (Business Process Management Suite)
12.1.3.0.0 (Business Process Management Suite)
12.2.1.3.0 (Business Process Management Suite)
12.2.1.3 (WebLogic Server)
8.55 (PeopleSoft Enterprise PeopleTools)
8.56 (PeopleSoft Enterprise PeopleTools)
8.57 (PeopleSoft Enterprise PeopleTools)
up to and including 1.54 (Bouncy Castle)
12.1.3.0.0 (WebCenter Portal)
12.2.1.3.0 (Managed File Transfer)
11.1.1.9.0 (WebCenter Portal)
12.2.1.3.0 (WebCenter Portal)
4 (Red Hat Virtualization)
13.2.0.0.0 (Enterprise Manager Base Platform)
13.3.0.0.0 (Enterprise Manager Base Platform)
7.0 (Retail Xstore Point of Service)
12.1.3.0.0 (Managed File Transfer)
12.1.0.5.0 (Enterprise Manager Base Platform)
1.12.0.3 (Oracle Utilities Network Management System)
before 7.0.0.1 (Communications Converged Application Server)
before 7.2 (Communications WebRTC Session Controller)
3.7.1 (Communications Application Session Controller)
3.8.0 (Communications Application Session Controller)
12.1.0 (Business Transaction Management)
12.1.3.0.0 (SOA Suite)
12.2.1.3.0 (SOA Suite)
8 (Red Hat Enterprise Linux)
8 (Debian GNU/Linux)
6.0 (Red Hat Satellite)
12.2.1.3.0 (Oracle Data Integrator)
7 (Jboss Fuse)
7.1 (Retail Xstore Point of Service)
1.0 (OpenShift Application Runtimes)
6 (Red Hat JBoss Fuse)
13.2.0.0 (Enterprise Manager for Fusion Middleware)
13.3.0.0 (Enterprise Manager for Fusion Middleware)
7.2 (Red Hat Single Sign-On)
7.1 (Red Hat JBoss EAP)
2.6.0 (Banking Platform)
2.6.1 (Banking Platform)
2.6.2 (Banking Platform)
8.0.0 (Communications Diameter Signaling Router)
8.1.0 (Communications Diameter Signaling Router)
8.2.0 (Communications Diameter Signaling Router)
8.2.1 (Communications Diameter Signaling Router)
from 1.54 up to and including 1.59 (Bouncy Castle)
from 1.0 up to and including 1.0.1 (Bouncy Castle FIPS Java API (BC-FJA))
2.8.1 (Oracle Retail Convenience and Fuel POS Software)
2.3.0.0 (Oracle Utilities Network Management System)
2.3.0.1 (Oracle Utilities Network Management System)
2.3.0.2 (Oracle Utilities Network Management System)
3.0.2 (Oracle Communications Convergence)
7.1 for RHEL 6 (JBoss Enterprise Application Platform)
7.1 for RHEL 7 (JBoss Enterprise Application Platform)

Software type

Security appliance software
Operating system
Information system application software
Network software
Security software
Virtualization software / virtual appliance software
Network appliance software
Network device

Operating systems and hardware platforms

Free software community Debian GNU/Linux 9
Novell Inc. OpenSUSE Leap 42.3
Red Hat Inc. Red Hat Enterprise Linux 8
Free software community Debian GNU/Linux 8

Vulnerability severity level

Medium severity (CVSS 2.0 base score is 5)
High severity (CVSS 3.0 base score is 7.5)

Possible remediation measures

Follow the vendor recommendations:
https://www.bouncycastle.org/jira/browse/BJA-694
For OpenSUSE:
https://www.suse.com/security/cve/CVE-2018-1000180/
For Oracle:
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
For Debian GNU/Linux:
https://www.debian.org/security/2018/dsa-4233
For Red Hat products:
https://access.redhat.com/security/cve/CVE-2018-1000180

Vulnerability status

Confirmed by the vendor

Exploit availability

Data being clarified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS: 0.00256 (percentile 49%), Low
CVSS3: 7.5 High
CVSS2: 5 Medium

Related vulnerabilities

ubuntu, more than 7 years ago, CVSS3: 7.5

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

redhat, almost 8 years ago, CVSS3: 4.8

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

nvd, more than 7 years ago, CVSS3: 7.5

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

debian, more than 7 years ago, CVSS3: 7.5

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier h ...

suse-cvrf, more than 7 years ago

Security update for bouncycastle
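The description above and the related entries both come down to one point: a prime-candidate test run with fewer Miller-Rabin rounds than the requested certainty implies gives weaker assurance that p and q are actually prime. The practical check for keys produced by an affected version is to re-test the primes with an independent Miller-Rabin run that uses the full round count. The following is an added example written for this page, not Bouncy Castle's code; it does not reproduce Bouncy Castle's table-based round selection. It assumes the conventional meaning of "certainty" (the accepted error probability is at most 2^-certainty) and derives the round count from the generic bound that one Miller-Rabin round wrongly accepts an odd composite with probability at most 1/4, so certainty bits need ceil(certainty/2) rounds. All function names, the toy key generator and the sample values are constructed for illustration.

```python
"""Independent Miller-Rabin re-test for RSA primes (added example, not Bouncy Castle code)."""
import math
import random

# Trial-division prefilter; 2 is handled separately in is_probable_prime.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def mr_rounds_for_certainty(certainty: int) -> int:
    """Rounds needed for an error probability <= 2**-certainty under the generic 1/4 bound.
    Assumption: this generic bound, not Bouncy Castle's own table, defines the count."""
    return max(1, math.ceil(certainty / 2))


def is_probable_prime(n: int, rounds: int, rng=None) -> bool:
    """Miller-Rabin with `rounds` random bases. False means definitely composite."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # `a` is a witness: n is composite
    return True


def generate_prime(bits: int, certainty: int, rng=None) -> int:
    """Random `bits`-bit odd prime, tested with the full round count for `certainty`."""
    rng = rng or random.SystemRandom()
    rounds = mr_rounds_for_certainty(certainty)
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand, rounds, rng):
            return cand


def generate_rsa_keypair(bits: int, certainty: int, rng=None, e: int = 65537):
    """Toy textbook RSA key generation (constructed for the demo). Returns (n, e, d, p, q)."""
    rng = rng or random.SystemRandom()
    half = bits // 2
    while True:
        p = generate_prime(half, certainty, rng)
        q = generate_prime(half, certainty, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return p * q, e, pow(e, -1, phi), p, q


def verify_key_primes(p: int, q: int, certainty: int, rng=None) -> bool:
    """Re-test the factors of an already generated key with the full round count.
    This is the check to run on keys from an affected version, independent of the
    library that produced them."""
    rounds = mr_rounds_for_certainty(certainty)
    return p != q and is_probable_prime(p, rounds, rng) and is_probable_prime(q, rounds, rng)


if __name__ == "__main__":
    n, e, d, p, q = generate_rsa_keypair(2048, 100)
    ok = verify_key_primes(p, q, 100)
    m = 0xDEADBEEF
    roundtrip = pow(pow(m, e, n), d, n) == m
    print(f"{n.bit_length()}-bit modulus; primes re-tested with "
          f"{mr_rounds_for_certainty(100)} M-R rounds: {ok}; RSA round-trip: {roundtrip}")
```

To audit an existing key, extract p and q from the private key (for example with `openssl rsa -text`) and call `verify_key_primes` with the certainty you expected the generator to honor; a `False` result means one factor is composite and the key must be discarded.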
