CVE-2018-11055

moderate-risk

Published 2018-08-31

RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6.1 (in 4.1.x), contains an Improper Clearing of Heap Memory Before Release ('Heap Inspection') vulnerability. Decoded PKCS #12 data in heap memory is not zeroized by MES before releasing the memory internally and a malicious local user could gain access to the unauthorized data by doing heap inspection.

Do I need to act?

0.09% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (20)

Bsafe

Application Testing Suite

Communications Analytics

Communications Ip Service Activator

Core Rdbms

Enterprise Manager Ops Center

Goldengate Application Adapters

Jd Edwards Enterpriseone Tools

Real User Experience Insight

Retail Predictive Application Server

Security Service

Affected Vendors

Oracle Dell

References (12)

Mailing List http://seclists.org/fulldisclosure/2018/Aug/46

Patch https://www.oracle.com/security-alerts/cpuapr2020.html

Patch https://www.oracle.com/security-alerts/cpujan2020.html

Patch https://www.oracle.com/security-alerts/cpujul2020.html

Patch https://www.oracle.com/security-alerts/cpuoct2020.html

Patch https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Mailing List http://seclists.org/fulldisclosure/2018/Aug/46

Patch https://www.oracle.com/security-alerts/cpuapr2020.html

Patch https://www.oracle.com/security-alerts/cpujan2020.html

Patch https://www.oracle.com/security-alerts/cpujul2020.html

Patch https://www.oracle.com/security-alerts/cpuoct2020.html

Patch https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 21/34 · High