CVE-2019-17359
First published: Tue Oct 08 2019(Updated: )
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api | =1.63 | |
| Apache TomEE | =7.0.7 | |
| Apache TomEE | =7.1.2 | |
| Apache TomEE | =8.0.1 | |
| Netapp Active Iq Unified Manager Linux | >=7.3 | |
| Netapp Active Iq Unified Manager Windows | >=7.3 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | >=9.5 | |
| NetApp OnCommand API Services | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp Service Level Manager | ||
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Communications Convergence | >=3.0.1.0<=3.0.2.1 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0<=8.2.2 | |
| Oracle Communications Session Route Manager | >=8.2.0<=8.2.2 | |
| Oracle Data Integrator | =12.2.1.4.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6<=8.0.9 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Managed File Transfer | =12.2.1.3.0 | |
| Oracle Managed File Transfer | =12.2.1.4.0 | |
| Oracle Peoplesoft Enterprise Hcm Global Payroll Switzerland | =9.2 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle Retail Xstore Point of Service | =18.0.1 | |
| Oracle SOA Suite | =12.2.1.3.0 | |
| Oracle SOA Suite | =12.2.1.4.0 | |
| Oracle WebCenter Portal | =11.1.1.9.0 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Oracle WebLogic Server | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r02f887807a49cfd1f1ad53f7a61f3f8e12f60ba2c930bec163031209@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r16c3a90cb35ae8a9c74fd5c813c16d6ac255709c9f9d71cd409e007d@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r467ade3fef3493f1fff1a68a256d087874e1f858ad1de7a49fe05d27@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r4d475dcaf4f57115fa57d8e06c3823ca398b35468429e7946ebaefdc@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r79b6a6aa0dd1aeb57bd253d94794bc96f1ec005953c4bd5414cc0db0@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r8ecb5b76347f84b6e3c693f980dbbead88c25f77b815053c4e6f2c30@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r91b07985b1307390a58c5b9707f0b28ef8e9c9e1c86670459f20d601@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re60f980c092ada4bfe236dcfef8b6ca3e8f3b150fc0f51b8cc13d59d@%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20191024-0006/
- https://www.bouncycastle.org/latest_releases.html
- https://www.bouncycastle.org/releasenotes.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
Frequently Asked Questions
What is CVE-2019-17359?
CVE-2019-17359 is a vulnerability in the ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 that can trigger a large attempted memory allocation, leading to an OutOfMemoryError.
How severe is CVE-2019-17359?
CVE-2019-17359 has a severity rating of 7.5 (High).
Which software versions are affected by CVE-2019-17359?
The affected software versions are Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.63, Apache TomEE 7.0.7, Apache TomEE 7.1.2, Apache TomEE 8.0.1, Netapp Active Iq Unified Manager (Linux) 7.3 and later, Netapp Active Iq Unified Manager (Windows) 7.3 and later, Netapp Active Iq Unified Manager (VMware vSphere Client) 9.5 and later, NetApp OnCommand API Services, NetApp OnCommand Workflow Automation, NetApp Service Level Manager, Oracle Business Process Management Suite 12.2.1.3.0 and 12.2.1.4.0, Oracle Communications Convergence 3.0.1.0 to 3.0.2.1, Oracle Communications Diameter Signaling Router 8.0.0 to 8.2.2, Oracle Communications Session Route Manager 8.2.0 to 8.2.2, Oracle Data Integrator 12.2.1.4.0, Oracle Financial Services Analytical Applications Infrastructure 8.0.6 to 8.0.9, Oracle FLEXCUBE Private Banking 12.0.0 and 12.1.0, Oracle Hospitality Guest Access 4.2.0, Oracle Managed File Transfer 12.2.1.3.0 and 12.2.1.4.0, Oracle Peoplesoft Enterprise Hcm Global Payroll Switzerland 9.2, Oracle PeopleSoft Enterprise PeopleTools 8.56, 8.57, and 8.58, Oracle Retail Xstore Point of Service 18.0.1, Oracle SOA Suite 12.2.1.3.0 and 12.2.1.4.0, Oracle WebCenter Portal 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, and Oracle WebLogic Server 12.2.1.3.0 and 12.2.1.4.0.
How can I fix CVE-2019-17359 vulnerability?
You can fix the CVE-2019-17359 vulnerability by updating the affected software versions to the patched versions. For Bouncy Castle Crypto, update to version 1.64. For other software, refer to the vendor's security advisory for the appropriate patches or updates.
Are there any references for CVE-2019-17359?
Yes, you can find more information about CVE-2019-17359 in the following references: [Reference 1](https://lists.apache.org/thread.html/r02f887807a49cfd1f1ad53f7a61f3f8e12f60ba2c930bec163031209@%3Ccommits.tomee.apache.org%3E), [Reference 2](https://lists.apache.org/thread.html/r16c3a90cb35ae8a9c74fd5c813c16d6ac255709c9f9d71cd409e007d@%3Ccommits.tomee.apache.org%3E), [Reference 3](https://lists.apache.org/thread.html/r467ade3fef3493f1fff1a68a256d087874e1f858ad1de7a49fe05d27@%3Ccommits.tomee.apache.org%3E).
What is the Common Weakness Enumeration (CWE) ID for CVE-2019-17359?
The Common Weakness Enumeration (CWE) ID for CVE-2019-17359 is CWE-770.
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/bouncycastle
- canonical/bouncycastle legion-of-the-bouncy-castle-java-crytography-api
- version/bouncycastle legion-of-the-bouncy-castle-java-crytography-api/1.63
- vendor/apache
- canonical/apache tomee
- version/apache tomee/7.0.7
- version/apache tomee/7.1.2
- version/apache tomee/8.0.1
- vendor/netapp
- canonical/netapp active iq unified manager linux
- version/netapp active iq unified manager linux/7.3
- canonical/netapp active iq unified manager windows
- version/netapp active iq unified manager windows/7.3
- canonical/netapp active iq unified manager vmware vsphere
- version/netapp active iq unified manager vmware vsphere/9.5
- canonical/netapp oncommand api services
- canonical/netapp oncommand workflow automation
- canonical/netapp service level manager
- vendor/oracle
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle communications convergence
- version/oracle communications convergence/3.0.1.0
- version/oracle communications convergence/3.0.2.1
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.2.2
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.2.0
- version/oracle communications session route manager/8.2.2
- canonical/oracle data integrator
- version/oracle data integrator/12.2.1.4.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6
- version/oracle financial services analytical applications infrastructure/8.0.9
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- canonical/oracle managed file transfer
- version/oracle managed file transfer/12.2.1.3.0
- version/oracle managed file transfer/12.2.1.4.0
- canonical/oracle peoplesoft enterprise hcm global payroll switzerland
- version/oracle peoplesoft enterprise hcm global payroll switzerland/9.2
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.56
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/18.0.1
- canonical/oracle soa suite
- version/oracle soa suite/12.2.1.3.0
- version/oracle soa suite/12.2.1.4.0
- canonical/oracle webcenter portal
- version/oracle webcenter portal/11.1.1.9.0
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0
- version/oracle weblogic server/12.2.1.4.0