Vulnerability Name:

CVE-2018-11058 (CCN-149085)

Assigned:2018-08-28
Published:2018-08-28
Updated:2022-04-18
Summary:RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6 (in 4.1.x), and RSA BSAFE Crypto-C Micro Edition, version prior to 4.0.5.3 (in 4.0.x) contain a Buffer Over-Read vulnerability when parsing ASN.1 data. A remote attacker could use maliciously constructed ASN.1 data that would result in such issue.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-125
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2018-11058

Source: CCN
Type: Dell EMC Identifier: DSA-2018-128
RSA BSAFE Micro Edition Suite and Crypto-C Micro Edition Multiple Security Vulnerabilities

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20180828 DSA-2018-128: RSA BSAFE Micro Edition Suite and Crypto-C Micro Edition Multiple Security Vulnerabilities

Source: CCN
Type: Oracle CPUJul2019
Oracle Critical Patch Update Advisory - July 2019

Source: BID
Type: Broken Link
108106

Source: XF
Type: UNKNOWN
rsa-bsafe-cve201811058-dos(149085)

Source: CCN
Type: Oracle CPUApr2020
Oracle Critical Patch Update Advisory - April 2020

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle CPUJan2020
Oracle Critical Patch Update Advisory - January 2020

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html

Source: CCN
Type: Oracle CPUJul2020
Oracle Critical Patch Update Advisory - July 2020

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: CCN
Type: Oracle CPUOct2020
Oracle Critical Patch Update Advisory - October 2020

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:dell:bsafe:*:*:*:*:micro_edition_suite:*:*:* (Version >= 4.1.0 and < 4.1.6)
  • OR cpe:/a:dell:bsafe_crypto-c:*:*:*:*:micro:*:*:* (Version >= 4.0.0 and < 4.0.5.3)
  • OR cpe:/a:dell:bsafe:*:*:*:*:micro_edition_suite:*:*:* (Version >= 4.0.0 and < 4.0.11)

    • Configuration 2:
  • cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:core_rdbms:11.2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:core_rdbms:12.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:core_rdbms:12.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:core_rdbms:18c:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:core_rdbms:19c:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:goldengate_application_adapters:12.3.2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:real_user_experience_insight:13.1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:real_user_experience_insight:13.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:real_user_experience_insight:13.3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:16.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:security_service:11.1.1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:security_service:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:security_service:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:* (Version < 18.1.4.1.0)

    • Configuration CCN 1:
  • cpe:/a:oracle:database_server:11.2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:12.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:18:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:19c:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    dell bsafe *
    dell bsafe crypto-c *
    dell bsafe *
    oracle application testing suite 13.3.0.1
    oracle communications analytics 12.1.1
    oracle communications ip service activator 7.3.0
    oracle communications ip service activator 7.4.0
    oracle core rdbms 11.2.0.4
    oracle core rdbms 12.1.0.2
    oracle core rdbms 12.2.0.1
    oracle core rdbms 18c
    oracle core rdbms 19c
    oracle enterprise manager ops center 12.3.3
    oracle enterprise manager ops center 12.4.0
    oracle goldengate application adapters 12.3.2.1.0
    oracle jd edwards enterpriseone tools 9.2
    oracle real user experience insight 13.1.2.1
    oracle real user experience insight 13.2.3.1
    oracle real user experience insight 13.3.1.0
    oracle retail predictive application server 15.0.3
    oracle retail predictive application server 16.0.3.0
    oracle security service 11.1.1.9.0
    oracle security service 12.1.3.0.0
    oracle security service 12.2.1.3.0
    oracle timesten in-memory database *
    oracle database server 11.2.0.4
    oracle database server 12.1.0.2
    oracle weblogic server 10.3.6.0.0
    oracle weblogic server 12.1.3.0.0
    oracle jd edwards enterpriseone tools 9.2
    oracle weblogic server 12.2.1.3.0
    oracle peoplesoft enterprise peopletools 8.56
    oracle database server 12.2.0.1
    oracle enterprise manager ops center 12.3.3
    oracle retail predictive application server 15.0.3
    oracle database server 18
    oracle peoplesoft enterprise peopletools 8.57
    oracle application testing suite 13.3.0.1
    oracle database server 19c
    oracle enterprise manager ops center 12.4.0
    oracle retail predictive application server 16.0.3