Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1000613

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Published

2018-07-09T20:29:00.283

Last Modified

2025-05-12T17:37:16.527

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-470
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application bouncycastle bc-java < 1.60 Yes
Application netapp oncommand_workflow_automation - Yes
Operating System opensuse leap 15.1 Yes
Application oracle api_gateway 11.1.2.4.0 Yes
Application oracle banking_platform 2.6.0 Yes
Application oracle banking_platform 2.6.1 Yes
Application oracle banking_platform 2.6.2 Yes
Application oracle business_process_management_suite 11.1.1.9.0 Yes
Application oracle business_process_management_suite 12.1.3.0.0 Yes
Application oracle business_process_management_suite 12.2.1.3.0 Yes
Application oracle business_transaction_management 12.1.0 Yes
Application oracle communications_application_session_controller 3.7.1 Yes
Application oracle communications_application_session_controller 3.8.0 Yes
Application oracle communications_converged_application_server < 7.0.0.1 Yes
Application oracle communications_converged_application_server 7.0.0.1 Yes
Application oracle communications_convergence 3.0.2 Yes
Application oracle communications_diameter_signaling_router 8.0.0 Yes
Application oracle communications_diameter_signaling_router 8.1 Yes
Application oracle communications_diameter_signaling_router 8.2 Yes
Application oracle communications_diameter_signaling_router 8.2.1 Yes
Application oracle communications_webrtc_session_controller < 7.2 Yes
Application oracle communications_webrtc_session_controller 7.2 Yes
Application oracle data_integrator 12.2.1.3.0 Yes
Application oracle enterprise_manager_base_platform 12.1.0.5.0 Yes
Application oracle enterprise_manager_base_platform 13.2.0.0 Yes
Application oracle enterprise_manager_base_platform 13.3.0.0 Yes
Application oracle enterprise_manager_for_fusion_middleware 13.2.0.0 Yes
Application oracle enterprise_manager_for_fusion_middleware 13.3.0.0 Yes
Application oracle enterprise_repository 11.1.1.7.0 Yes
Application oracle enterprise_repository 12.1.3.0.0 Yes
Application oracle managed_file_transfer 12.1.3.0.0 Yes
Application oracle managed_file_transfer 12.2.1.3.0 Yes
Application oracle peoplesoft_enterprise_peopletools 8.55 Yes
Application oracle peoplesoft_enterprise_peopletools 8.56 Yes
Application oracle peoplesoft_enterprise_peopletools 8.57 Yes
Application oracle retail_convenience_and_fuel_pos_software 2.8.1 Yes
Application oracle retail_xstore_point_of_service 7.0 Yes
Application oracle retail_xstore_point_of_service 7.1 Yes
Application oracle soa_suite 12.1.3.0.0 Yes
Application oracle soa_suite 12.2.1.3.0 Yes
Application oracle utilities_network_management_system 1.12.0.3 Yes
Application oracle utilities_network_management_system 2.3.0.0 Yes
Application oracle utilities_network_management_system 2.3.0.1 Yes
Application oracle utilities_network_management_system 2.3.0.2 Yes
Application oracle webcenter_portal 11.1.1.9.0 Yes
Application oracle webcenter_portal 12.2.1.3.0 Yes
Application oracle weblogic_server 12.2.1.3 Yes
References