Vulnerability Description
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can be made to attempt a large memory allocation, resulting in an OutOfMemoryError, via crafted ASN.1 data. This is fixed in 1.64.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bouncy Castle | BC-Java | 1.63 |
| Apache | TomEE | 7.0.7 |
| NetApp | Active IQ Unified Manager | >= 7.3 |
| NetApp | OnCommand API Services | - |
| NetApp | OnCommand Workflow Automation | - |
| NetApp | Service Level Manager | - |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Communications Convergence | >= 3.0.1.0, <= 3.0.2.1 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0, <= 8.2.2 |
| Oracle | Communications Session Route Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Data Integrator | 12.2.1.4.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.0.9 |
| Oracle | FLEXCUBE Private Banking | 12.0.0 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Managed File Transfer | 12.2.1.3.0 |
| Oracle | PeopleSoft Enterprise HCM Global Payroll Switzerland | 9.2 |
| Oracle | PeopleSoft Enterprise PeopleTools | 8.56 |
| Oracle | Retail Xstore Point of Service | 18.0.1 |
| Oracle | SOA Suite | 12.2.1.3.0 |
| Oracle | WebCenter Portal | 11.1.1.9.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/r02f887807a49cfd1f1ad53f7a61f3f8e12f60ba2c9
- https://lists.apache.org/thread.html/r16c3a90cb35ae8a9c74fd5c813c16d6ac255709c9f
- https://lists.apache.org/thread.html/r467ade3fef3493f1fff1a68a256d087874e1f858ad
- https://lists.apache.org/thread.html/r4d475dcaf4f57115fa57d8e06c3823ca398b354684
- https://lists.apache.org/thread.html/r79b6a6aa0dd1aeb57bd253d94794bc96f1ec005953
- https://lists.apache.org/thread.html/r8ecb5b76347f84b6e3c693f980dbbead88c25f77b8
- https://lists.apache.org/thread.html/r91b07985b1307390a58c5b9707f0b28ef8e9c9e1c8
- https://lists.apache.org/thread.html/re60f980c092ada4bfe236dcfef8b6ca3e8f3b150fc
- https://security.netapp.com/advisory/ntap-20191024-0006/ (Third Party Advisory)
- https://www.bouncycastle.org/latest_releases.html (Release Notes, Vendor Advisory)
- https://www.bouncycastle.org/releasenotes.html (Release Notes, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
FAQ
What is CVE-2019-17359?
CVE-2019-17359 is a vulnerability with a CVSS score of 7.5 (HIGH). The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can be made to attempt a large memory allocation, resulting in an OutOfMemoryError, via crafted ASN.1 data. This is fixed in 1.64.
How severe is CVE-2019-17359?
CVE-2019-17359 has been rated HIGH, with a CVSS base score of 7.5/10.
Is there a patch for CVE-2019-17359?
In Bouncy Castle itself the issue is fixed in version 1.64. For the other affected products, check the vendor advisories and patch information in the references section above. Affected products include: Bouncy Castle BC-Java, Apache TomEE, NetApp Active IQ Unified Manager, NetApp OnCommand API Services, NetApp OnCommand Workflow Automation.