Vulnerability Name: CVE-2019-17359 (CCN-168581)
Assigned: 2019-10-08
Published: 2019-10-08
Updated: 2022-10-07

Summary: The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and a resultant OutOfMemoryError, via crafted ASN.1 data. This is fixed in 1.64.

CVSS v3 Severity: 7.5 High
  CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Temporal: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High

CCN CVSS v3 Severity: 4.0 Medium
  CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Temporal: 3.5 Low (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Low

CVSS v2 Severity: 5.0 Medium
  CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial

CCN CVSS v2 Severity: 2.1 Low
  CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
  Exploitability Metrics: Access Vector (AV): Local; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial
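The summary above gives the mechanism in one sentence: a DER length field in attacker-supplied ASN.1 data drives the size of a buffer before the parser has confirmed that the input actually contains that many bytes, so a few bytes of input can request gigabytes of heap and end in OutOfMemoryError. The Python model below is an added illustration of that failure class (CWE-770) written for this page; it is not Bouncy Castle's parser and makes no claim about which BC class was affected. `decode_length`, `naive_read_tlv`, `safe_read_tlv`, the 1 MiB `DEFAULT_LIMIT` and the three sample inputs are all assumptions constructed for the example.

```python
"""Model of CWE-770 in an ASN.1 DER (tag-length-value) reader.

Illustrative code only: this is not Bouncy Castle's parser. It shows why a
length field copied out of untrusted input must be bounded before it sizes a
buffer, which is the failure class CVE-2019-17359 belongs to.
"""
from __future__ import annotations


def decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the DER length at buf[pos]; return (length, position after it).

    Short form: a single byte below 0x80. Long form: 0x80 | n, then n
    big-endian bytes. n is capped at 4 so the result fits a 32-bit int, as in
    many Java parsers; note that this cap alone still admits a 2 GiB claim.
    """
    if pos >= len(buf):
        raise ValueError("truncated length field")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if n > 4:
        raise ValueError(f"length-of-length {n} exceeds 4 bytes")
    if pos + n > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if buf[pos] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding is not valid DER")
    return length, pos + n


def declared_allocation(buf: bytes) -> int:
    """Bytes a parser that trusts the length field would request for the value."""
    length, _ = decode_length(buf, 1)
    return length


def naive_read_tlv(buf: bytes) -> tuple[int, bytearray]:
    """CWE-770 pattern: the value buffer is sized from the attacker-controlled
    length field before anyone checks that the input carries that many bytes.
    Only single-byte tags are handled; that is enough for the illustration."""
    tag = buf[0]
    length, pos = decode_length(buf, 1)
    value = bytearray(length)            # allocation driven by untrusted input
    chunk = buf[pos:pos + length]        # may be far shorter than `length`
    value[:len(chunk)] = chunk           # the rest stays zero-filled
    return tag, value


DEFAULT_LIMIT = 1 << 20  # assumed per-object cap (1 MiB); tune to your protocol


def safe_read_tlv(buf: bytes, limit: int = DEFAULT_LIMIT) -> tuple[int, bytes]:
    """Hardened reader: the declared length must fit both the bytes actually
    present and an explicit per-object limit before any buffer is sized."""
    tag = buf[0]
    length, pos = decode_length(buf, 1)
    remaining = len(buf) - pos
    if length > remaining:
        raise ValueError(f"declared length {length} exceeds remaining input {remaining}")
    if length > limit:
        raise ValueError(f"declared length {length} exceeds per-object limit {limit}")
    return tag, bytes(buf[pos:pos + length])


def raises_value_error(fn, *args) -> bool:
    """True if fn(*args) rejects its input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample inputs for this example (not taken from any real exploit).
GOOD = b"\x04\x05hello"                  # OCTET STRING, length 5, 5 bytes present
LYING = b"\x04\x81\x96hello"             # declares 150 bytes, carries 5
CRAFTED = b"\x04\x84\x7f\xff\xff\xff"    # declares 2 GiB, carries nothing


if __name__ == "__main__":
    print("safe on GOOD:", safe_read_tlv(GOOD))
    _, v = naive_read_tlv(LYING)
    print(f"naive on LYING: allocated {len(v)} bytes for a {len(LYING)}-byte input")
    print(f"naive on CRAFTED would allocate {declared_allocation(CRAFTED):,} bytes")
    for name, sample in (("LYING", LYING), ("CRAFTED", CRAFTED)):
        print(f"safe on {name}: rejected={raises_value_error(safe_read_tlv, sample)}")
```

The naive path is never run on `CRAFTED` here; `declared_allocation` reports the size it would request (2,147,483,647 bytes from a six-byte input), which is the whole attack. The hardened reader rejects the input before any allocation because the claimed length exceeds what is left in the buffer, and independently because it exceeds the per-object limit. The practical response for this CVE is to upgrade to Bouncy Castle 1.64 or later; to find out whether a JVM deployment ships the affected version, look for a `bcprov-jdk15on-1.63.jar` on the classpath or check `mvn dependency:tree` for `org.bouncycastle:bcprov-jdk15on:1.63`, and remember that anything which hands untrusted DER (X.509 certificates, CMS/PKCS#7 blobs, TLS handshake material) to the library is the exposed surface.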
Vulnerability Type: CWE-770 (Allocation of Resources Without Limits or Throttling)
Vulnerability Consequences: Denial of Service

References:
  Source: MITRE  Type: CNA  CVE-2019-17359
  Source: XF  Type: UNKNOWN  bouncycastle-cve201917359-dos(168581)
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200320 [jira] [Assigned] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200320 [jira] [Commented] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200320 [jira] [Created] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200320 [jira] [Updated] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200519 [jira] [Resolved] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200519 [jira] [Updated] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200322 [jira] [Updated] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: MLIST  Type: Mailing List, Third Party Advisory  [tomee-commits] 20200323 [jira] [Commented] (TOMEE-2788) TomEE plus is affected by CVE-2019-17359 (BDSA-2019-3168) vulnerability
  Source: CONFIRM  Type: Third Party Advisory  https://security.netapp.com/advisory/ntap-20191024-0006/
  Source: CCN  Type: Bouncy Castle Web site  The Legion of the Bouncy Castle
  Source: MISC  Type: Release Notes, Vendor Advisory  https://www.bouncycastle.org/latest_releases.html
  Source: MISC  Type: Release Notes, Vendor Advisory  https://www.bouncycastle.org/releasenotes.html
  Source: CCN  Type: IBM Security Bulletin 6369607 (App Connect for Manufacturing)  App Connect for Manufacturing 2.0 is affected by vulnerabilities of ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.6 (CVE-2019-17359)
  Source: CCN  Type: IBM Security Bulletin 6416391 (Spectrum Symphony)  Multiple vulnerability issues affect IBM Spectrum Symphony 7.3.1
  Source: CCN  Type: IBM Security Bulletin 6416393 (Spectrum Conductor)  Multiple vulnerability issues affect IBM Spectrum Conductor 2.5.0
  Source: CCN  Type: IBM Security Bulletin 6444781 (Log Analysis)  Vulnerability in Bouncy Castle affects Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2019-17359)
  Source: CCN  Type: IBM Security Bulletin 6570915 (Data Risk Manager)  IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)
  Source: CCN  Type: Oracle CPU Apr 2020  Oracle Critical Patch Update Advisory - April 2020
  Source: CCN  Type: Oracle CPU Jan 2020  Oracle Critical Patch Update Advisory - January 2020
  Source: MISC  Type: Patch, Third Party Advisory  https://www.oracle.com/security-alerts/cpujan2020.html
  Source: CCN  Type: Oracle CPU Jan 2021  Oracle Critical Patch Update Advisory - January 2021
  Source: MISC  Type: Patch, Third Party Advisory  https://www.oracle.com/security-alerts/cpujan2021.html
  Source: CCN  Type: Oracle CPU Jul 2020  Oracle Critical Patch Update Advisory - July 2020
  Source: MISC  Type: Patch, Third Party Advisory  https://www.oracle.com/security-alerts/cpujul2020.html
  Source: CCN  Type: Oracle CPU Oct 2020  Oracle Critical Patch Update Advisory - October 2020
  Source: MISC  Type: Patch, Third Party Advisory  https://www.oracle.com/security-alerts/cpuoct2020.html

Vulnerable Configuration:

Configuration 1:
  cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.63:*:*:*:*:*:*:*

Configuration 2 (any of):
  cpe:/a:apache:tomee:7.0.7:*:*:*:*:*:*:*
  cpe:/a:apache:tomee:7.1.2:*:*:*:*:*:*:*
  cpe:/a:apache:tomee:8.0.1:*:*:*:*:*:*:*

Configuration 3 (any of):
  cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
  cpe:/a:netapp:service_level_manager:-:*:*:*:*:*:*:*
  cpe:/a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
  cpe:/a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:* (Version >= 7.3)
  cpe:/a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.5)
  cpe:/a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:* (Version >= 7.3)

Configuration 4 (any of):
  cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
  cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:soa_suite:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.2)
  cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.2)
  cpe:/a:oracle:peoplesoft_enterprise_hcm_global_payroll_switzerland:9.2:*:*:*:*:*:*:*
  cpe:/a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:communications_convergence:*:*:*:*:*:*:*:* (Version >= 3.0.1.0 and <= 3.0.2.1)
  cpe:/a:oracle:retail_xstore_point_of_service:18.0.1:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:soa_suite:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (Version >= 8.0.6 and <= 8.0.9)
  cpe:/a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

Configuration CCN 1 (any of):
  cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:flexcube_private_banking:12.0:*:*:*:*:*:*:*
  cpe:/a:oracle:flexcube_private_banking:12.1:*:*:*:*:*:*:*
  cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  cpe:/a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
  cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:soa_suite:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  cpe:/a:oracle:retail_xstore_point_of_service:18.0.1:*:*:*:*:*:*:*
  cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*
  cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*
  cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:*
  cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:*
  cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:*
  cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:*
  cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:*
  cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:*
Affected components (vendor | product | version; version ranges are taken from the CPE configurations above):

Vendor | Product | Version
bouncycastle | legion-of-the-bouncy-castle-java-crytography-api | 1.63
apache | tomee | 7.0.7
apache | tomee | 7.1.2
apache | tomee | 8.0.1
netapp | oncommand workflow automation | -
netapp | service level manager | -
netapp | oncommand api services | -
netapp | active iq unified manager (windows) | >= 7.3
netapp | active iq unified manager (vmware vsphere) | >= 9.5
netapp | active iq unified manager (linux) | >= 7.3
oracle | flexcube private banking | 12.1.0
oracle | flexcube private banking | 12.0.0
oracle | peoplesoft enterprise peopletools | 8.56
oracle | hospitality guest access | 4.2.0
oracle | weblogic server | 12.2.1.3.0
oracle | webcenter portal | 12.2.1.3.0
oracle | webcenter portal | 11.1.1.9.0
oracle | business process management suite | 12.2.1.3.0
oracle | soa suite | 12.2.1.3.0
oracle | data integrator | 12.2.1.4.0
oracle | communications session route manager | 8.2.0 to 8.2.2
oracle | communications diameter signaling router | 8.0.0 to 8.2.2
oracle | peoplesoft enterprise hcm global payroll switzerland | 9.2
oracle | business process management suite | 12.2.1.4.0
oracle | communications convergence | 3.0.1.0 to 3.0.2.1
oracle | retail xstore point of service | 18.0.1
oracle | peoplesoft enterprise peopletools | 8.57
oracle | peoplesoft enterprise peopletools | 8.58
oracle | webcenter portal | 12.2.1.4.0
oracle | soa suite | 12.2.1.4.0
oracle | managed file transfer | 12.2.1.3.0
oracle | managed file transfer | 12.2.1.4.0
oracle | financial services analytical applications infrastructure | 8.0.6 to 8.0.9
oracle | weblogic server | 12.2.1.4.0
oracle | weblogic server | 12.2.1.3.0
oracle | flexcube private banking | 12.0
oracle | flexcube private banking | 12.1
oracle | hospitality guest access | 4.2.0
oracle | peoplesoft enterprise peopletools | 8.56
oracle | webcenter portal | 11.1.1.9.0
oracle | webcenter portal | 12.2.1.3.0
oracle | soa suite | 12.2.1.3.0
oracle | business process management suite | 12.2.1.3.0
oracle | peoplesoft enterprise peopletools | 8.57
oracle | retail xstore point of service | 18.0.1
oracle | webcenter portal | 12.2.1.4.0
oracle | managed file transfer | 12.2.1.4.0
oracle | peoplesoft enterprise pt peopletools | 8.58
oracle | financial services analytical applications infrastructure | 8.0.9
ibm | log analysis | 1.3.1
ibm | log analysis | 1.3.2
ibm | log analysis | 1.3.3
ibm | log analysis | 1.3.4
ibm | log analysis | 1.3.5
ibm | log analysis | 1.3.6