CVE-2018-1000613

Published Jul 9, 2018

Legion of the Bouncy Castle Java Cryptography APIs could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe reflection flaw in XMSS/XMSS^MT private key deserialization. By supplying a specially crafted private key, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Affected Software

49 affected components; fixes available
bouncycastle Legion-of-the-bouncy-castle-java-crytography-api>=1.58<1.60
NetApp OnCommand Workflow Automation
openSUSE Leap=15.1
Oracle API Gateway=11.1.2.4.0
Oracle Banking Platform=2.6.0
Oracle Banking Platform=2.6.1
Oracle Banking Platform=2.6.2
Oracle Business Process Management Suite=11.1.1.9.0
Oracle Business Process Management Suite=12.1.3.0.0
Oracle Business Process Management Suite=12.2.1.3.0
Oracle Business Transaction Management=12.1.0
Oracle Communications Application Session Controller=3.7.1
Oracle Communications Application Session Controller=3.8.0
Oracle Communications Converged Application Server<7.0.0.1
Oracle Communications Converged Application Server=7.0.0.1
Oracle Communications Convergence=3.0.2
Oracle Communications Diameter Signaling Router=8.0.0
Oracle Communications Diameter Signaling Router=8.1
Oracle Communications Diameter Signaling Router=8.2
Oracle Communications Diameter Signaling Router=8.2.1
Oracle Communications WebRTC Session Controller<7.2
Oracle Communications WebRTC Session Controller=7.2
Oracle Data Integrator=12.2.1.3.0
Oracle Enterprise Manager Base Platform=12.1.0.5.0
Oracle Enterprise Manager Base Platform=13.2.0.0
Oracle Enterprise Manager Base Platform=13.3.0.0
Oracle Enterprise Manager for Fusion Middleware=13.2.0.0
Oracle Enterprise Manager for Fusion Middleware=13.3.0.0
Oracle Enterprise Repository=11.1.1.7.0
Oracle Enterprise Repository=12.1.3.0.0
Oracle Managed File Transfer=12.1.3.0.0
Oracle Managed File Transfer=12.2.1.3.0
Oracle PeopleSoft Enterprise PeopleTools=8.55
Oracle PeopleSoft Enterprise PeopleTools=8.56
Oracle PeopleSoft Enterprise PeopleTools=8.57
Oracle Retail Convenience And Fuel Pos Software=2.8.1
Oracle Retail Xstore Point of Service=7.0
Oracle Retail Xstore Point of Service=7.1
Oracle SOA Suite=12.1.3.0.0
Oracle SOA Suite=12.2.1.3.0
Oracle Utilities Network Management System=1.12.0.3
Oracle Utilities Network Management System=2.3.0.0
Oracle Utilities Network Management System=2.3.0.1
Oracle Utilities Network Management System=2.3.0.2
Oracle WebCenter Portal=11.1.1.9.0
Oracle WebCenter Portal=12.2.1.3.0
Oracle WebLogic Server=12.2.1.3
bouncycastle bc-java>=1.58<1.60
maven/org.bouncycastle:bcprov-jdk15on>=1.57<1.60
Fixed in: 1.60

Event History

Jul 9, 2018, 08:00 PM: CVE Published (via MITRE)
Jul 9, 2018, 08:00 PM: Data Sourced (via MITRE): Description
Oct 17, 2018, 04:23 PM: Advisory Published (via GitHub)
Sep 6, 2022, 12:00 AM: Data Sourced (via IBM): Description, Severity, Affected Software
Frequently Asked Questions

1. What is CVE-2018-1000613?

CVE-2018-1000613 is a vulnerability in Legion of the Bouncy Castle Java Cryptography APIs that allows a remote attacker to execute arbitrary code.

2. What is the severity of CVE-2018-1000613?

The severity of CVE-2018-1000613 is critical with a CVSS score of 9.8.

3. How does CVE-2018-1000613 affect the Legion of the Bouncy Castle Java Cryptography APIs?

CVE-2018-1000613 affects versions 1.57 to 1.60 of the Legion of the Bouncy Castle Java Cryptography APIs.

4. How can I fix CVE-2018-1000613?

To fix CVE-2018-1000613, upgrade to version 1.60 of the Legion of the Bouncy Castle Java Cryptography APIs.

5. How can I learn more about CVE-2018-1000613?

You can learn more about CVE-2018-1000613 at the following references: [link1](https://nvd.nist.gov/vuln/detail/CVE-2018-1000613), [link2](https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574), [link3](https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc).
