CVE-2017-13098

Name: CVE-2017-13098
Creator: NVD / NIST
Published: 2017-12-13T01:29:00.28+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 24.28%

Last modified Jun 17, 2026

CVE-2017-13098 is a vulnerability of currently unknown severity. BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. EPSS estimates a 24.28% chance of exploitation in the next 30 days.

Description

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

Metrics

EPSS Probability

24.28%

97.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Bouncycastle	Bc-Java	< 1.59

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
http://www.kb.cert.org/vuls/id/144389Issue Tracking, Mitigation, Third Party Advisory, US Government Resource
http://www.securityfocus.com/bid/102195Third Party Advisory, VDB Entry
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5cIssue Tracking, Patch, Third Party Advisory
https://robotattack.org/Issue Tracking, Third Party Advisory
https://security.netapp.com/advisory/ntap-20171222-0001/Issue Tracking, Third Party Advisory
https://www.debian.org/security/2017/dsa-4072Issue Tracking, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
http://www.kb.cert.org/vuls/id/144389Issue Tracking, Mitigation, Third Party Advisory, US Government Resource
http://www.securityfocus.com/bid/102195Third Party Advisory, VDB Entry
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5cIssue Tracking, Patch, Third Party Advisory
https://robotattack.org/Issue Tracking, Third Party Advisory
https://security.netapp.com/advisory/ntap-20171222-0001/Issue Tracking, Third Party Advisory
https://www.debian.org/security/2017/dsa-4072Issue Tracking, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Timeline

Published: Dec 13, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-13098?

How severe is CVE-2017-13098?

Severity scoring for CVE-2017-13098 is pending analysis. The EPSS model estimates a 24.28% probability of exploitation in the next 30 days.

How do I fix CVE-2017-13098?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-13098?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST