CVE-2018-1000180
moderate-risk
Published 2018-06-05
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Do I need to act?
-
0.28% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Bc-Java
Fips Java Api
Api Gateway
Business Transaction Management
Affected Vendors
References (42)
Third Party Advisory
http://www.securityfocus.com/bid/106567
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2423
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2424
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2425
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2428
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2643
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2669
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0877
Third Party Advisory
https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-i...
Third Party Advisory
https://www.debian.org/security/2018/dsa-4233
and 22 more references
49
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
1/34 · Minimal
Exposure
22/34 · High