Memory leak in The Bouncy Castle Crypto Package For Java

#VU22272 Memory leak in The Bouncy Castle Crypto Package For Java

Published: 2019-10-24 | Updated: 2020-02-07

Vulnerability identifier: #VU22272

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-17359

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
The Bouncy Castle Crypto Package For Java
Universal components / Libraries / Libraries used by multiple products

Vendor: Legion of the Bouncy Castle Inc.

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the ASN.1 parser. A remote attacker can send a specially crafted ASN.1 data and cause an OutOfMemoryError and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

The Bouncy Castle Crypto Package For Java: 1.63

Fixed software versions

CPE

cpe:2.3:a:legion_of_the_bouncy_castle:bc-java:1.63:*:*:*:*:*:*:*

External links
http://www.bouncycastle.org/latest_releases.html
http://www.bouncycastle.org/releasenotes.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Data Integrator

Multiple vulnerabilities in Oracle Communications Session Route Manager

Multiple vulnerabilities in Integrated Diameter Intelligence Hub (IDIH)

Memory leak in Oracle Business Process Management Suite

Multiple vulnerabilities in Oracle FLEXCUBE Private Banking

Memory leak in Oracle Communications Convergence

Multiple vulnerabilities in Oracle Retail Xstore Point of Service

Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

Multiple vulnerabilities in Oracle Financial Services Analytical Applications Infrastructure

Memory leak in Oracle SOA Suite