Bouncy Castle Weak Oracle (CVE-2017-13098)

Document ID:7022561
Creation Date:16-Jan-2018
Modified Date:23-Jan-2018
- Micro Focus Products:
  Host Access for the Cloud (Reflection ZFE)
  Host Access Management and Security Server (MSS)
  Reflection for the Web
  Verastream SDK for Unisys and Airlines

Environment

Host Access Management and Security Server (MSS) 12.4 SP1
Reflection for the Web (All Editions) 12.3 SP1 and 12.3 SP1 Hotfix 1
Reflection ZFE 2.2.0
Verastream Software Development Kit for Unisys and Airlines 5.0 SP1

Situation

BouncyCastle TLS servers, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, contained a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange was negotiated. The affected versions include bctls-fips-1.0.2.jar and earlier versions. The product versions listed above use bctls-fips-1.0.2.jar; earlier product versions are not affected.

Resolution

This issue is addressed beginning with the following product versions, which use bctls-fips-1.0.3.jar:

Host Access Management and Security Server, version 12.4 SP1 Update 1
Reflection for the Web 12.3 SP1 or 12.3 SP1 Update 1
Verastream SDK for Unisys and Airlines 5.0 SP1 Update 1
Reflection ZFE 2.2.1

Maintained customers can obtain the latest updates from the Downloads website.

Status

Security Alert

Additional Information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098

https://nvd.nist.gov/vuln/detail/CVE-2017-13098

https://www.kb.cert.org/vuls/id/144389

https://www.kb.cert.org/vuls/id/CHEU-AT5U7K