ID CVE-2018-1000180
Summary Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the low-level interface to the RSA key pair generator: RSA key pairs generated through the low-level API with added certainty may receive fewer Miller-Rabin (M-R) primality tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later and BC-FJA 1.0.2 and later.
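The affected code path is the low-level (lightweight) API, not the JCA provider path; the FreeBSD advisory quoted below makes the same distinction ("if done using only the low-level API"). The example below is added here and is not code from the Bouncy Castle project or from this record. It generates a key pair through the low-level RSAKeyPairGenerator with an explicit certainty and then re-tests p and q independently, with the number of Miller-Rabin rounds that certainty implies, so the result does not depend on how many rounds the generator actually ran. It assumes a bcprov jar on the classpath (org.bouncycastle.math.Primes has been part of bcprov for several releases); the class name, the roundsFor helper and the chosen parameters (2048-bit, e = 65537, certainty 128) are this example's own.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
import org.bouncycastle.math.Primes;

/**
 * Added example (not Bouncy Castle project code): generate an RSA key pair via
 * the low-level API, the path CVE-2018-1000180 concerns, then independently
 * re-check the two primes with the Miller-Rabin round count the caller wanted.
 */
public class RsaLowLevelCertaintyCheck {

    /**
     * One Miller-Rabin round lets an arbitrary composite through with
     * probability at most 1/4, so k rounds bound the error by 4^-k = 2^-2k.
     * Meeting a certainty of c (error <= 2^-c) therefore needs ceil(c / 2)
     * rounds. Helper name and policy are this example's own.
     */
    static int roundsFor(int certainty) {
        return (certainty + 1) / 2;
    }

    /** Independent primality check; returns false if the key should be rejected. */
    static boolean primesLookGood(RSAPrivateCrtKeyParameters priv, int certainty, SecureRandom random) {
        BigInteger p = priv.getP();
        BigInteger q = priv.getQ();
        int rounds = roundsFor(certainty);

        // Two independent tests: BC's own M-R routine with an explicit round
        // count, and the JDK's BigInteger test with the certainty we asked for.
        boolean pOk = Primes.isMRProbablePrime(p, random, rounds) && p.isProbablePrime(certainty);
        boolean qOk = Primes.isMRProbablePrime(q, random, rounds) && q.isProbablePrime(certainty);
        // Sanity: the CRT components must actually reconstruct the modulus.
        boolean nOk = p.multiply(q).equals(priv.getModulus());
        return pOk && qOk && nOk;
    }

    public static void main(String[] args) {
        SecureRandom random = new SecureRandom();
        int bits = 2048;
        int certainty = 128;   // the "added certainty" the advisory refers to

        // Low-level API: on BC 1.54 - 1.59 the generator may run fewer M-R
        // rounds than this certainty value implies; the check below does not
        // rely on it.
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        gen.init(new RSAKeyGenerationParameters(
                BigInteger.valueOf(0x10001), random, bits, certainty));
        AsymmetricCipherKeyPair kp = gen.generateKeyPair();
        RSAPrivateCrtKeyParameters priv = (RSAPrivateCrtKeyParameters) kp.getPrivate();

        boolean ok = primesLookGood(priv, certainty, random);
        System.out.println("p and q pass " + roundsFor(certainty) + " independent M-R rounds: " + ok);
        if (!ok) {
            throw new IllegalStateException("reject key pair: independent primality check failed");
        }
        System.out.println("modulus bits: " + priv.getModulus().bitLength());
    }
}
```

On a fixed release (BC 1.60 or later, BC-FJA 1.0.2 or later) the extra check is redundant but harmless; on an affected release it is the cheapest way to keep using keys already generated through the low-level API without re-keying, provided the check is applied before the key is trusted.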
References
Vulnerable Configurations
  • Bouncy Castle FIPS Java API 1.0.1
    cpe:2.3:a:bouncycastle:fips_java_api:1.0.1
  • Legion of the Bouncy Castle Java Cryptography API 1.54
    cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.54
  • Legion of the Bouncy Castle Java Cryptography API 1.55
    cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.55
  • Legion of the Bouncy Castle Java Cryptography API 1.56
    cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56
  • Legion of the Bouncy Castle Java Cryptography API 1.57
    cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.57
  • Legion of the Bouncy Castle Java Cryptography API 1.58
    cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.58
  • Legion of the Bouncy Castle Java Cryptography API 1.59
    cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.59
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Oracle API Gateway 11.1.2.4.0
    cpe:2.3:a:oracle:api_gateway:11.1.2.4.0
  • Oracle Business Process Management Suite 11.1.1.9.0
    cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0
  • Oracle Business Process Management Suite 12.1.3.0.0
    cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0
  • Oracle Business Process Management Suite 12.2.1.3.0
    cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0
  • Oracle Business Transaction Management 12.1.0
    cpe:2.3:a:oracle:business_transaction_management:12.1.0
  • Oracle Communications Application Session Controller 3.7.1
    cpe:2.3:a:oracle:communications_application_session_controller:3.7.1
  • Oracle Communications Application Session Controller 3.8.0
    cpe:2.3:a:oracle:communications_application_session_controller:3.8.0
  • Oracle Enterprise Repository 12.1.3.0.0
    cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0
  • Oracle Managed File Transfer 12.1.3.0.0
    cpe:2.3:a:oracle:managed_file_transfer:12.1.3.0.0
  • Oracle Managed File Transfer 12.2.1.3.0
    cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0
  • Oracle PeopleSoft Enterprise PeopleTools 8.55
    cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55
  • Oracle PeopleSoft Enterprise PeopleTools 8.56
    cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56
  • Oracle PeopleSoft Enterprise PeopleTools 8.57
    cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57
  • Oracle Retail Convenience and Fuel POS Software 2.8.1
    cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.8.1
  • Oracle Retail Xstore Point Of Service 7.0
    cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0
  • Oracle Retail Xstore Point Of Service 7.1
    cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1
  • Oracle SOA Suite 12.1.3.0.0
    cpe:2.3:a:oracle:soa_suite:12.1.3.0.0
  • Oracle SOA Suite 12.2.1.3.0
    cpe:2.3:a:oracle:soa_suite:12.2.1.3.0
  • Oracle WebCenter Portal 11.1.1.9.0
    cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0
  • Oracle WebCenter Portal 12.2.1.3.0
    cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
  • Oracle Weblogic Server 12.1.3.0.0
    cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0
  • NetApp OnCommand Workflow Automation
    cpe:2.3:a:netapp:oncommand_workflow_automation
  • Red Hat Virtualization 4.0
    cpe:2.3:o:redhat:virtualization:4.0
  • Red Hat Virtualization 4.2
    cpe:2.3:o:redhat:virtualization:4.2
  • Red Hat JBoss Enterprise Application Platform (EAP) 7.1.0
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0
  • Red Hat Enterprise Linux 6.0
    cpe:2.3:o:redhat:enterprise_linux:6.0
  • Red Hat Enterprise Linux 7.0
    cpe:2.3:o:redhat:enterprise_linux:7.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-327
CAPEC
  • Encryption Brute Forcing
    An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).
  • Signature Spoof
    An attacker generates a message or data block that causes the recipient to believe that the message or data block was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
  • Cryptanalysis
    Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: 1. Total Break - Finding the secret key 2. Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key. 3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known 4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context.
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4233.NASL
    description It was discovered that the low-level interface to the RSA key pair generator of Bouncy Castle (a Java implementation of cryptographic algorithms) could perform less Miller-Rabin primality tests than expected.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110665
    published 2018-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110665
    title Debian DSA-4233-1 : bouncycastle - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2643.NASL
    description An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1590658, BZ#1591095, BZ#1591096, BZ#1592655, BZ#1594636, BZ#1597534, BZ#1612683) Red Hat would like to thank the PostgreSQL project for reporting CVE-2018-10915 and Ammarit Thongthua (Deloitte Thailand Pentest team) and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting CVE-2018-1067. Upstream acknowledges Andrew Krasichkov as the original reporter of CVE-2018-10915.
Security fixes : * vulnerability: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862) * vulnerability: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039) * vulnerability: postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) * vulnerability: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of ) (CVE-2018-1067, CVE-2016-4993) * vulnerability: undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114) * vulnerability: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237) * vulnerability: bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 117324
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117324
    title RHEL 7 : Virtualization (RHSA-2018:2643)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_FE93803C883F11E89F0C001B216D295B.NASL
    description The Legion of the Bouncy Castle reports : Release 1.60 is now available for download. CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API. CVE-2018-1000613: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information.
    last seen 2019-02-23
    modified 2019-02-22
    plugin id 111092
    published 2018-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111092
    title FreeBSD : Several Security Defects in the Bouncy Castle Crypto APIs (fe93803c-883f-11e8-9f0c-001b216d295b)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1043.NASL
    description This update for bouncycastle fixes the following security issue : - CVE-2018-1000180: Fixed flaw in the Low-level interface to RSA key pair generator. RSA Key Pairs generated in low-level API with added certainty may had less M-R tests than expected (bsc#1096291).
    last seen 2019-02-21
    modified 2018-09-25
    plugin id 117691
    published 2018-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117691
    title openSUSE Security Update : bouncycastle (openSUSE-2018-1043)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2424.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237) * bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180) * cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services (CVE-2017-12624) * wildfly: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (CVE-2018-10862) * cxf-core: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 112030
    published 2018-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112030
    title RHEL 7 : JBoss EAP (RHSA-2018:2424)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2423.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237) * bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180) * cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services (CVE-2017-12624) * wildfly: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (CVE-2018-10862) * cxf-core: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 112029
    published 2018-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112029
    title RHEL 6 : JBoss EAP (RHSA-2018:2423)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-CECED55C5E.NASL
    description Security fixes for CVE-2017-13098 and CVE-2018-1000180 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120804
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120804
    title Fedora 28 : bouncycastle (2018-ceced55c5e)
  • NASL family Misc.
    NASL id ORACLE_WEBLOGIC_SERVER_CPU_JAN_2019.NASL
    description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype. (CVE-2015-1832) - Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have fewer M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. (CVE-2018-1000180) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2019-2452) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. (CVE-2019-2418) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). The supported version that is affected is 10.3.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. (CVE-2019-2395) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Application Container - JavaEE). The supported version that is affected is 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2019-2441) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Deployment). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. (CVE-2019-2398) - Legion of the Bouncy Castle Java Cryptography APIs versions prior to 1.60 are affected by CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') flaw in XMSS/XMSS^MT private key deserialization routines. This allows an attacker to force execution of arbitrary code. Successful attack could be conducted via usage of a handcrafted private key object with references to unexpected classes which allow malicious commands execution. (CVE-2018-1000613) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. (CVE-2018-3246) - In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work. (CVE-2018-1313)
    last seen 2019-02-21
    modified 2019-01-17
    plugin id 121226
    published 2019-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121226
    title Oracle WebLogic Server Multiple Vulnerabilities (January 2019 CPU)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-DA9FE79871.NASL
    description Security fixes for CVE-2017-13098 and CVE-2018-1000180 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-04
    plugin id 110599
    published 2018-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110599
    title Fedora 27 : bouncycastle (2018-da9fe79871)
redhat via4
advisories
  • rhsa
    id RHSA-2018:2423
  • rhsa
    id RHSA-2018:2424
  • rhsa
    id RHSA-2018:2425
  • rhsa
    id RHSA-2018:2428
  • rhsa
    id RHSA-2018:2643
  • rhsa
    id RHSA-2018:2669
  • rhsa
    id RHSA-2019:0877
refmap via4
bid 106567
confirm
debian DSA-4233
misc
Last major update 05-06-2018 - 09:29
Published 05-06-2018 - 09:29
Last modified 02-10-2019 - 20:03