CVE-2018-1000180
UnknownEPSS 3.59%
Last modified
CVE-2018-1000180 is a vulnerability of currently unknown severity. Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.. EPSS estimates a 3.59% chance of exploitation in the next 30 days.
Description
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Bouncycastle | Bc-Java | >= 1.54, <= 1.59 |
| Bouncycastle | Fips Java Api | <= 1.0.1 |
| Debian | Debian Linux | 9.0 |
| Oracle | Api Gateway | 11.1.2.4.0 |
| Oracle | Business Process Management Suite | 11.1.1.9.0 |
| Oracle | Business Process Management Suite | 12.1.3.0.0 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Business Transaction Management | 12.1.0 |
| Oracle | Communications Application Session Controller | 3.7.1 |
| Oracle | Communications Application Session Controller | 3.8.0 |
| Oracle | Communications Converged Application Server | < 7.0.0.1 |
| Oracle | Communications Webrtc Session Controller | < 7.2 |
| Oracle | Enterprise Repository | 12.1.3.0.0 |
| Oracle | Managed File Transfer | 12.1.3.0.0 |
| Oracle | Managed File Transfer | 12.2.1.3.0 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.55 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.56 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Retail Convenience And Fuel Pos Software | 2.8.1 |
| Oracle | Retail Xstore Point Of Service | 7.0 |
| Oracle | Retail Xstore Point Of Service | 7.1 |
| Oracle | Soa Suite | 12.1.3.0.0 |
| Oracle | Soa Suite | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Weblogic Server | 12.1.3.0.0 |
| Netapp | Oncommand Workflow Automation | All versions |
| Redhat | Virtualization | 4.2 |
| Redhat | Jboss Enterprise Application Platform | 7.1.0 |
References
- http://www.securityfocus.com/bid/106567Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2018:2423Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2424Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2425Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2428Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2643Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2669Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0877Third Party Advisory
- https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55adPatch, Third Party Advisory
- https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839Patch, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20190204-0003/Patch, Third Party Advisory
- https://www.debian.org/security/2018/dsa-4233Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
- http://www.securityfocus.com/bid/106567Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2018:2423Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2424Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2425Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2428Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2643Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:2669Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0877Third Party Advisory
- https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55adPatch, Third Party Advisory
- https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839Patch, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20190204-0003/Patch, Third Party Advisory
- https://www.debian.org/security/2018/dsa-4233Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-1000180?
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
How severe is CVE-2018-1000180?
Severity scoring for CVE-2018-1000180 is pending analysis. The EPSS model estimates a 3.59% probability of exploitation in the next 30 days.
How do I fix CVE-2018-1000180?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2018-1000180?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST