Multiple vulnerabilities in RSA BSAFE Crypto-J



Updated: 2023-11-22

Risk: Medium
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2019-3738, CVE-2019-3739
CWE-ID: CWE-325, CWE-208
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: RSA BSAFE Crypto-J (Server applications / Encryption software)
Vendor: Dell

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Missing Required Cryptographic Step

EUVDB-ID: #VU83436

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-3738

CWE-ID: CWE-325 - Missing Required Cryptographic Step

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the cryptographic process. A remote attacker can coerce two parties into computing the same predictable shared key and gain access to sensitive information.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

RSA BSAFE Crypto-J: before 6.2.5

External links

https://www.dell.com/support/security/en-us/details/DOC-106556/DSA-2019-094-RSA-BSAFE®-Crypto-J-Multiple-Security-Vulnerabilities
https://kc.mcafee.com/corporate/index?page=content&id=SB10318


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information Exposure Through Timing Discrepancy

EUVDB-ID: #VU83437

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-3739

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing discrepancy during ECDSA key generation. A remote attacker can recover the ECDSA keys and decrypt encrypted information.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

RSA BSAFE Crypto-J: before 6.2.5

External links

https://www.dell.com/support/security/en-us/details/DOC-106556/DSA-2019-094-RSA-BSAFE®-Crypto-J-Multiple-Security-Vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


