CVE-2019-17359

Published Oct 8, 2019
·
Updated

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Affected Software

35 affected components
bouncycastle Legion-of-the-bouncy-castle-java-crytography-api=1.63
Apache TomEE=7.0.7
Apache TomEE=7.1.2
Apache TomEE=8.0.1
NetApp Active Iq Unified Manager Linux>=7.3
NetApp Active Iq Unified Manager Windows>=7.3
NetApp Active Iq Unified Manager Vmware Vsphere>=9.5
NetApp OnCommand API Services
NetApp OnCommand Workflow Automation
NetApp Service Level Manager
Oracle Business Process Management Suite=12.2.1.3.0
Oracle Business Process Management Suite=12.2.1.4.0
Oracle Communications Convergence>=3.0.1.0<=3.0.2.1
Oracle Communications Diameter Signaling Router>=8.0.0<=8.2.2
Oracle Communications Session Route Manager>=8.2.0<=8.2.2
Oracle Data Integrator=12.2.1.4.0
Oracle Financial Services Analytical Applications Infrastructure>=8.0.6<=8.0.9
Oracle FLEXCUBE Private Banking=12.0.0
Oracle FLEXCUBE Private Banking=12.1.0
Oracle Hospitality Guest Access=4.2.0
Oracle Managed File Transfer=12.2.1.3.0
Oracle Managed File Transfer=12.2.1.4.0
Oracle Peoplesoft Enterprise Hcm Global Payroll Switzerland=9.2
Oracle PeopleSoft Enterprise PeopleTools=8.56
Oracle PeopleSoft Enterprise PeopleTools=8.57
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle Retail Xstore Point of Service=18.0.1
Oracle SOA Suite=12.2.1.3.0
Oracle SOA Suite=12.2.1.4.0
Oracle WebCenter Portal=11.1.1.9.0
Oracle WebCenter Portal=12.2.1.3.0
Oracle WebCenter Portal=12.2.1.4.0
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
bouncycastle bc-java=1.63

Remediation

Patch Available

https://www.oracle.com/security-alerts/cpuapr2020.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2020.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2021.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2020.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2020.html

Event History

Oct 8, 2019
CVE Published
via MITRE·01:39 PM
Data Sourced
via MITRE·01:39 PM
Description
Data Sourced
via NVD·02:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2019-17359?

CVE-2019-17359 is a vulnerability in the ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 that can trigger a large attempted memory allocation, leading to an OutOfMemoryError.

2

How severe is CVE-2019-17359?

CVE-2019-17359 has a severity rating of 7.5 (High).

3

Which software versions are affected by CVE-2019-17359?

The affected software versions are Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.63, Apache TomEE 7.0.7, Apache TomEE 7.1.2, Apache TomEE 8.0.1, Netapp Active Iq Unified Manager (Linux) 7.3 and later, Netapp Active Iq Unified Manager (Windows) 7.3 and later, Netapp Active Iq Unified Manager (VMware vSphere Client) 9.5 and later, NetApp OnCommand API Services, NetApp OnCommand Workflow Automation, NetApp Service Level Manager, Oracle Business Process Management Suite 12.2.1.3.0 and 12.2.1.4.0, Oracle Communications Convergence 3.0.1.0 to 3.0.2.1, Oracle Communications Diameter Signaling Router 8.0.0 to 8.2.2, Oracle Communications Session Route Manager 8.2.0 to 8.2.2, Oracle Data Integrator 12.2.1.4.0, Oracle Financial Services Analytical Applications Infrastructure 8.0.6 to 8.0.9, Oracle FLEXCUBE Private Banking 12.0.0 and 12.1.0, Oracle Hospitality Guest Access 4.2.0, Oracle Managed File Transfer 12.2.1.3.0 and 12.2.1.4.0, Oracle Peoplesoft Enterprise Hcm Global Payroll Switzerland 9.2, Oracle PeopleSoft Enterprise PeopleTools 8.56, 8.57, and 8.58, Oracle Retail Xstore Point of Service 18.0.1, Oracle SOA Suite 12.2.1.3.0 and 12.2.1.4.0, Oracle WebCenter Portal 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, and Oracle WebLogic Server 12.2.1.3.0 and 12.2.1.4.0.

4

How can I fix CVE-2019-17359 vulnerability?

You can fix the CVE-2019-17359 vulnerability by updating the affected software versions to the patched versions. For Bouncy Castle Crypto, update to version 1.64. For other software, refer to the vendor's security advisory for the appropriate patches or updates.

5

Are there any references for CVE-2019-17359?

Yes, you can find more information about CVE-2019-17359 in the following references: [Reference 1](https://lists.apache.org/thread.html/r02f887807a49cfd1f1ad53f7a61f3f8e12f60ba2c930bec163031209@%3Ccommits.tomee.apache.org%3E), [Reference 2](https://lists.apache.org/thread.html/r16c3a90cb35ae8a9c74fd5c813c16d6ac255709c9f9d71cd409e007d@%3Ccommits.tomee.apache.org%3E), [Reference 3](https://lists.apache.org/thread.html/r467ade3fef3493f1fff1a68a256d087874e1f858ad1de7a49fe05d27@%3Ccommits.tomee.apache.org%3E).

6

What is the Common Weakness Enumeration (CWE) ID for CVE-2019-17359?

The Common Weakness Enumeration (CWE) ID for CVE-2019-17359 is CWE-770.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203