CVE-2019-17359

CWE-770 — Allocation without Limits10 documents6 sources

Severity

7.5HIGH

EPSS

7.6%

top 8.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Communications Convergence Oracle Communications Diameter Signaling Router Oracle Communications Session Route Manager +15 more

Timeline

PublishedOct 8

Latest updateJan 15

Description

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages19 packages

▶NVDbouncycastle/bc-java1.63

▶Mavenorg.bouncycastle:bcprov-jdk141.63 — 1.64

▶NVDoracle/data_integrator12.2.1.4.0

▶NVDoracle/communications_convergence3.0.1.0 — 3.0.2.1

▶NVDoracle/communications_session_route_manager8.2.0 — 8.2.2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Out-of-Memory Error in Bouncy Castle Crypto↗2019-10-17

▶

OSV

Out-of-Memory Error in Bouncy Castle Crypto↗2019-10-17

▶

CVEList

CVE-2019-17359: The ASN↗2019-10-08

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Runtime Java agent for ODI (Bouncy Castle Java Library) — CVE-2019-17359↗2021-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: IDIH (Bouncy Castle Java Library) — CVE-2019-17359↗2020-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: S/MIME Configuration (Bouncy Castle Java Library) — CVE-2019-17359↗2020-07-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure (Bouncy Castle Java Library) — CVE-2019-17359↗2020-04-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party Tools (Bouncy Castle Java Library) — CVE-2019-17359↗2020-01-15

▶