CVE-2019-17359
high-risk
Published 2019-10-08
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Do I need to act?
7.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High
NETWORK / LOW complexity
Affected Products (20)
Bc-Java
Tomee
Tomee
Tomee
Oncommand Api Services
Communications Convergence
Affected Vendors
References (32)
Third Party Advisory
https://security.netapp.com/advisory/ntap-20191024-0006/
Release Notes
https://www.bouncycastle.org/latest_releases.html
Release Notes
https://www.bouncycastle.org/releasenotes.html
and 12 more references
59 / 100 · high-risk
Severity
26/34 · High
Exploitability
10/34 · Low
Exposure
23/34 · High