Bouncy Castle Weak Oracle (CVE-2017-13098)

  • 7022561
  • 16-Jan-2018
  • 23-Jan-2018

Environment

Host Access Management and Security Server (MSS) 12.4 SP1
Reflection for the Web (All Editions) 12.3 SP1 and 12.3 SP1 Hotfix 1
Reflection ZFE 2.2.0
Verastream Software Development Kit for Unisys and Airlines 5.0 SP1

Situation

Bouncy Castle TLS servers, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, contained a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange was negotiated. The affected versions include bctls-fips-1.0.2.jar and earlier versions. The product versions listed above use bctls-fips-1.0.2.jar; earlier product versions are not affected.

Resolution

This issue is addressed beginning with the following product versions, which use bctls-fips-1.0.3.jar:
  • Host Access Management and Security Server, version 12.4 SP1 Update 1
  • Reflection for the Web 12.3 SP1 or 12.3 SP1 Update 1
  • Verastream SDK for Unisys and Airlines 5.0 SP1 Update 1
  • Reflection ZFE 2.2.1
Maintained customers can obtain the latest updates from the Downloads website.
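
To confirm which library version an installation actually carries, the following added example (not vendor or Bouncy Castle code) walks a directory tree and flags any bctls-fips jar below 1.0.3, relying on the file naming shown above. Looking one level inside .war/.ear/.zip archives is an assumption about how the jars may be packaged.

```python
import os
import re
import sys
import zipfile

# Jar naming as given in the advisory: bctls-fips-1.0.2.jar (affected), bctls-fips-1.0.3.jar (fixed).
JAR_RE = re.compile(r"bctls-fips-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
FIXED = (1, 0, 3)
ARCHIVES = (".war", ".ear", ".zip")  # assumption: jars may also ship inside web archives

def jar_version(name):
    """Return the version tuple encoded in a bctls-fips jar file name, else None."""
    m = JAR_RE.search(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """Affected: 1.0.2 and earlier, i.e. anything below the fixed 1.0.3."""
    return version < FIXED

def _scan_archive(path):
    """Look one level inside a web archive for bundled bctls-fips jars."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or not a real zip: skip rather than abort the scan
    versions = [(n, jar_version(n)) for n in names]
    return [(f"{path}!{n}", v, is_affected(v)) for n, v in versions if v is not None]

def scan(root):
    """Walk root; return sorted (location, version, affected) for every bctls-fips jar."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            version = jar_version(fname)
            if version is not None:
                found.append((path, version, is_affected(version)))
            elif fname.lower().endswith(ARCHIVES):
                found.extend(_scan_archive(path))
    return sorted(found)

if __name__ == "__main__":
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for location, version, affected in results:
        print("AFFECTED" if affected else "ok", ".".join(map(str, version)), location)
    sys.exit(1 if any(r[2] for r in results) else 0)
```

The check keys on the file name only, so a renamed or repackaged jar will not be found; treat a clean result as a starting point and confirm against the installed product version.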

Status

Security Alert
