CVE-2017-13098
Published 2017-12-13
Priority: P3 · CVSS 3.0: 5.9 (medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 24.28% (97.6th percentile)
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bouncycastle | bc-java | < 1.59 | 1.59 |
| debian | bouncycastle | < bouncycastle 1.58-1 (bookworm) | bouncycastle 1.58-1 (bookworm) |
| legion_of_the_bouncy_castle | bouncycastle_tls | — | — |
| legion_of_the_bouncy_castle | bouncycastle_tls | >= 0 < 1.58-1 | 1.58-1 |
Detection & IOCs (extracted from sources)
- The vulnerable code is in the bctls component/jar (org.bouncycastle.jsse / bctls), NOT the older org.bouncycastle.crypto.tls package. Detection should focus on applications loading the bctls jar (introduced in BouncyCastle 1.56) while using JCE for RSA key-exchange cipher suites.
- The older TLS implementation in the org.bouncycastle.crypto.tls package is NOT vulnerable; only the newer JSSE/bctls provider is affected. Scope detection to the bctls/bctls-fips jar.
- Trigger condition: the vulnerability is only exploitable when BouncyCastle TLS is configured to use JCE (Java Cryptography Extension) for cryptographic functions AND a TLS cipher suite using RSA key exchange is negotiated.
- For FIPS builds, the vulnerable version threshold is bctls-fips prior to 1.0.3; for mainline non-FIPS BouncyCastle, the fix is in version 1.59 (or 1.60+ per Red Hat guidance). Flag deployments running bctls < 1.0.3 (FIPS) or bouncycastle < 1.59 (non-FIPS).
- The vulnerability only manifests when BouncyCastle TLS is explicitly configured to use JCE for cryptographic operations. Deployments using the default (non-JCE) cryptographic provider are not affected.
- The bctls component was only introduced in BouncyCastle 1.56. Versions prior to 1.56 that only ship bcprov are not affected by this specific flaw.
- Red Hat Satellite 6 was fixed indirectly via a rebase; shipping BouncyCastle 1.60 or higher is sufficient to avoid this vulnerability in that context.
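A defender-side triage helper written for this entry (it is not code from the advisory or from BouncyCastle) that encodes the three conditions listed above: a bctls jar in the vulnerable range (bctls-fips < 1.0.3, or mainline 1.56 up to the 1.59 fix), JCE mode, and an enabled RSA key-exchange suite. The jar filename convention and the IANA suite-name prefix are assumptions; the JCE flag has to come from your own configuration review.

```python
import re

# Jar filename convention is an assumption (e.g. bctls-jdk15on-1.58.jar,
# bctls-fips-1.0.2.jar); adapt the pattern to your artifact naming.
JAR_RE = re.compile(r"^bctls(?P<fips>-fips)?(?:-jdk\w+)?-(?P<ver>\d+(?:\.\d+)*)\.jar$")

# IANA names for plain RSA key exchange start with TLS_RSA_WITH_ (or SSL_RSA_WITH_).
# TLS_ECDHE_RSA_* / TLS_DHE_RSA_* use RSA only for signatures and do not match.
RSA_KEX_RE = re.compile(r"^(TLS|SSL)_RSA_(EXPORT_)?WITH_")


def parse_version(text):
    """'1.58' -> (1, 58); '1.0.2' -> (1, 0, 2)."""
    return tuple(int(p) for p in text.split("."))


def classify_jar(filename):
    """Return ('fips' | 'mainline', version tuple) for a bctls jar, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    family = "fips" if m.group("fips") else "mainline"
    return family, parse_version(m.group("ver"))


def version_affected(family, version):
    """Ranges from the advisory: bctls-fips < 1.0.3; mainline from 1.56
    (first release shipping bctls) up to but excluding the 1.59 fix."""
    if family == "fips":
        return version < (1, 0, 3)
    return (1, 56) <= version < (1, 59)


def rsa_kex_suites(enabled_suites):
    """Subset of the enabled suites that negotiate plain RSA key exchange."""
    return [s for s in enabled_suites if RSA_KEX_RE.match(s)]


def triage(jar_filename, uses_jce, enabled_suites):
    """'exposed' is True only when all three advisory conditions hold."""
    info = classify_jar(jar_filename)
    if info is None:
        return {"bctls": False, "version_affected": False, "rsa_suites": [], "exposed": False}
    family, version = info
    affected = version_affected(family, version)
    rsa = rsa_kex_suites(enabled_suites)
    return {"bctls": True, "version_affected": affected, "rsa_suites": rsa,
            "exposed": affected and uses_jce and bool(rsa)}
```

Removing the TLS_RSA_WITH_* suites from the server's enabled list closes the oracle even before the jar is upgraded; the upgrade remains the actual fix.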
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | | 5.9 | MEDIUM | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
Observable Discrepancy in BouncyCastle
ghsa · 2022-05-13 · MEDIUM · CWE-203
OSV
Observable Discrepancy in BouncyCastle
osv · 2022-05-13 · MEDIUM
OSV
CVE-2017-13098: BouncyCastle TLS prior to version 1
osv · 2017-12-13 · CVSS 5.9 · MEDIUM
Red Hat
bouncycastle: TLS server vulnerable to Adaptive Chosen Ciphertext attack when using JCE allowing plaintext recovery or MITM attack
vendor_redhat · 2017-12-12 · CVSS 7.5 · HIGH · CWE-300
Statement: This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager version 1 and Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Sev
Debian
CVE-2017-13098: bouncycastle - BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cr...
vendor_debian · 2017 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 1.58-1)
bullseye: resolved (fixed in 1.58-1)
forky: resolved (fixed in 1.58-1)
sid: resolved (fixed in 1.58-1)
trixie: resolved (fixed in 1.58-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-13098 bouncycastle: TLS server vulnerable to Adaptive Chosen Ciphertext attack when using JCE allowing plaintext recovery or MITM attack
bugzilla · 2017-12-13 · CVSS 7.5 · HIGH
Upstream patch:
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
External References:
https://robotattack.org/
Discussion:
Created bouncycastle tracking bugs for this issue:
Affects: fedora-all [bug 1525531]
---
Statement:
This issue affects the versions of bou
Bugzilla
CVE-2017-13098 bouncycastle: TLS server vulnerable to Adaptive Chosen Ciphertext attack when using JCE allowing plaintext recovery or MITM attack [fedora-all]
bugzilla · 2017-12-13 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and
Bugzilla
CVE-2017-14919 nodejs: DoS via specific windowBits value
bugzilla · 2017-11-22 · CVSS 7.5 · HIGH
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
External References:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Discussion:
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 1516177]
Affects: openshift-1 [bug 1516176]
---
Upstream bug report:
https://github.com/nodejs/node/issues/13082
Patch pull request:
https://github.com/nodejs/node/pull/13098
rh-nodejs6-nodejs and rh-nodejs8-nodejs contain the fixed code already. rh-nodejs4-nodejs does not, but we don't ship zlib 1.2.9, so it does not really
References:
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
http://www.kb.cert.org/vuls/id/144389
http://www.securityfocus.com/bid/102195
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
https://robotattack.org/
https://security.netapp.com/advisory/ntap-20171222-0001/
https://www.debian.org/security/2017/dsa-4072
https://www.oracle.com/security-alerts/cpuoct2020.html