CVE-2017-13098
Published 2017-12-13

Priority: P3 · 43 · medium · 5.9 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 24.28% (97.6th percentile)

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

Affected (7 ranges)

Vendor                        Product             Version range                        Fixed in
bouncycastle                  bc-java             < 1.59                               1.59
debian                        bouncycastle        < bouncycastle 1.58-1 (bookworm)     bouncycastle 1.58-1 (bookworm)
legion_of_the_bouncy_castle   bouncycastle_tls    (not specified)                      (not specified)
legion_of_the_bouncy_castle   bouncycastle_tls    >= 0, < 1.58-1                       1.58-1
legion_of_the_bouncy_castle   bouncycastle_tls    >= 0, < 1.58-1                       1.58-1
legion_of_the_bouncy_castle   bouncycastle_tls    >= 0, < 1.58-1                       1.58-1
legion_of_the_bouncy_castle   bouncycastle_tls    >= 0, < 1.58-1                       1.58-1

Detection & IOCs (extracted from sources)

Source: https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
  • The vulnerable code is in the bctls component/jar (org.bouncycastle.jsse / bctls), NOT the older org.bouncycastle.crypto.tls package. Detection should focus on applications loading the bctls jar (introduced in BouncyCastle 1.56) while using JCE for RSA key-exchange cipher suites.
  • The older TLS implementation in the org.bouncycastle.crypto.tls package is NOT vulnerable; only the newer JSSE/bctls provider is affected. Scope detection to the bctls/bctls-fips jar.
  • Trigger condition: the vulnerability is only exploitable when BouncyCastle TLS is configured to use JCE (Java Cryptography Extension) for cryptographic functions AND a TLS cipher suite using RSA key exchange is negotiated.
  • For FIPS builds, the vulnerable version threshold is bctls-fips prior to 1.0.3; for mainline non-FIPS BouncyCastle, the fix is in version 1.59 (or 1.60+ per Red Hat guidance). Flag deployments running bctls < 1.0.3 (FIPS) or bouncycastle < 1.59 (non-FIPS).
  • The vulnerability only manifests when BouncyCastle TLS is explicitly configured to use JCE for cryptographic operations. Deployments using the default (non-JCE) cryptographic provider are not affected.
  • The bctls component was only introduced in BouncyCastle 1.56. Versions prior to 1.56 that only ship bcprov are not affected by this specific flaw.
  • Red Hat Satellite 6 was fixed indirectly via a rebase; shipping BouncyCastle 1.60 or higher is sufficient to avoid this vulnerability in that context.

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             v3.0           5.9     MEDIUM     CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0           4.3     MEDIUM     AV:N/AC:M/Au:N/C:P/I:N/A:N
osv             -              5.9     MEDIUM     -
vendor_debian   -              7.5     HIGH       -
vendor_redhat   -              7.5     HIGH       -