Bouncy Castle Weak Oracle (CVE-2017-13098)

  • 7022561
  • 16-Jan-2018
  • 23-Jan-2018

Environment

Host Access Management and Security Server (MSS) 12.4 SP1
Reflection for the Web (All Editions) 12.3 SP1 and 12.3 SP1 Hotfix 1
Reflection ZFE 2.2.0
Verastream Software Development Kit for Unisys and Airlines 5.0 SP1

Situation

Bouncy Castle TLS servers, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, contained a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange was negotiated. The affected versions include bctls-fips-1.0.2.jar and earlier versions. The product versions listed above use bctls-fips-1.0.2.jar; earlier product versions are not affected.

Resolution

This issue is addressed beginning with the following product versions, which use bctls-fips-1.0.3.jar:
  • Host Access Management and Security Server, version 12.4 SP1 Update 1
  • Reflection for the Web 12.3 SP1 or 12.3 SP1 Update 1
  • Verastream SDK for Unisys and Airlines 5.0 SP1 Update 1
  • Reflection ZFE 2.2.1
Maintained customers can obtain the latest updates from the Downloads website.
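
To confirm which bctls-fips jar an installation actually carries, the following added example (not part of the original advisory or any vendor tooling) walks a directory tree, including jars packed inside WAR/EAR/ZIP archives, and flags versions older than 1.0.3. It assumes the jar keeps the `bctls-fips-<version>.jar` file name used above; the directory to scan is supplied by you.

```python
import re
import sys
import zipfile
from pathlib import Path

# Name pattern assumed from the jar names in the advisory (bctls-fips-1.0.2.jar).
JAR_RE = re.compile(r"bctls-fips-(\d+(?:\.\d+)*)\.jar", re.IGNORECASE)
FIXED = (1, 0, 3)                      # first fixed version named in the advisory
ARCHIVES = {".war", ".ear", ".zip"}    # containers searched one level deep


def classify(name):
    """Return (version, affected) for a bctls-fips jar name, or None otherwise."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.fullmatch(base)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(1).split("."))
    padded = version + (0,) * (len(FIXED) - len(version))  # treat 1.0 as 1.0.0
    return version, padded < FIXED


def scan(root):
    """Yield (location, version, affected) for every bctls-fips jar under root."""
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hit = classify(path.name)
        if hit:
            yield str(path), hit[0], hit[1]
        elif path.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(path) as zf:
                    members = zf.namelist()
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or non-zip file: nothing to report
            for member in members:
                hit = classify(member)
                if hit:
                    yield f"{path}!{member}", hit[0], hit[1]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found_affected = False
    for location, version, affected in scan(root):
        found_affected |= affected
        print(f"{'AFFECTED' if affected else 'ok':8}  {'.'.join(map(str, version))}  {location}")
    sys.exit(1 if found_affected else 0)
```

Pass the product's install directory as the first argument; the script exits non-zero when any jar older than 1.0.3 is found.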

Status

Security Alert
