First published: Fri Aug 09 2019
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
Credit: security_alert@emc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Dell Bsafe Cert-j | <=6.2.4 | |
Dell BSAFE Crypto-J | <6.2.5 | |
Dell BSAFE SSL-J | <=6.2.4.1 | |
Oracle Application Performance Management | =13.3.0.0 | |
Oracle Application Performance Management | =13.4.0.0 | |
Oracle Communications Network Integrity | =7.3.2 | |
Oracle Communications Network Integrity | =7.3.5 | |
Oracle Communications Network Integrity | =7.3.6 | |
Oracle Database | =12.1.0.2 | |
Oracle Database | =12.2.0.1 | |
Oracle Database | =18c | |
Oracle Database | =19c | |
Oracle GoldenGate | <19.1.0.0.0.210420 | |
Oracle Retail Assortment Planning | =15.0.3.0 | |
Oracle Retail Assortment Planning | =16.0.3.0 | |
Oracle Retail Integration Bus | =14.1 | |
Oracle Retail Integration Bus | =15.0 | |
Oracle Retail Integration Bus | =16.0 | |
Oracle Retail Predictive Application Server | =14.1.3.0 | |
Oracle Retail Predictive Application Server | =15.0.3.0 | |
Oracle Retail Predictive Application Server | =16.0.3.0 | |
Oracle Retail Service Backbone | =14.1 | |
Oracle Retail Service Backbone | =15.0 | |
Oracle Retail Service Backbone | =16.0 | |
Oracle Retail Store Inventory Management | =14.0.4 | |
Oracle Retail Store Inventory Management | =14.1.3 | |
Oracle Retail Store Inventory Management | =15.0.3 | |
Oracle Retail Store Inventory Management | =16.0.3 | |
Oracle Retail Xstore Point of Service | =15.0.3 | |
Oracle Retail Xstore Point of Service | =16.0.5 | |
Oracle Retail Xstore Point of Service | =17.0.3 | |
Oracle Retail Xstore Point of Service | =18.0.2 | |
Oracle Retail Xstore Point of Service | =19.0.1 | |
Oracle Storagetek Acsls | =8.5.1 | |
Oracle Storagetek Tape Analytics Sw Tool | =2.3 | |
Oracle WebLogic Server | =10.3.6.0.0 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
CVE-2019-3739 is a vulnerability in RSA BSAFE Crypto-J versions prior to 6.2.5 that allows for information exposure through timing discrepancies during ECDSA key generation.
CVE-2019-3739 affects RSA BSAFE Crypto-J versions prior to 6.2.5, Dell Bsafe Cert-j, Dell Bsafe Crypto-j, Dell BSAFE SSL-J, Oracle Application Performance Management 13.3.0.0 and 13.4.0.0, Oracle Communications Network Integrity 7.3.2, 7.3.5, and 7.3.6, Oracle Database 12.1.0.2, 12.2.0.1, 18c, and 19c, Oracle GoldenGate up to 19.1.0.0.0.210420, Oracle Retail Assortment Planning 15.0.3.0 and 16.0.3.0, Oracle Retail Integration Bus 14.1, 15.0, and 16.0, Oracle Retail Predictive Application Server 14.1.3.0, 15.0.3.0, and 16.0.3.0, Oracle Retail Service Backbone 14.1, 15.0, and 16.0, Oracle Retail Store Inventory Management 14.0.4, 14.1.3, 15.0.3, and 16.0.3, Oracle Retail Xstore Point of Service 15.0.3, 16.0.5, 17.0.3, 18.0.2, and 19.0.1, Oracle Storagetek Acsls 8.5.1, Oracle Storagetek Tape Analytics Sw Tool 2.3, and Oracle WebLogic Server 10.3.6.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
CVE-2019-3739 has a severity rating of 6.5 (Medium).
A malicious remote attacker could potentially exploit CVE-2019-3739 to recover ECDSA keys by taking advantage of information exposure through timing discrepancies during ECDSA key generation.
References for CVE-2019-3739 are available at the following links: [Reference 1](https://www.dell.com/support/security/en-us/details/DOC-106556/DSA-2019-094-RSA-BSAFE®-Crypto-J-Multiple-Security-Vulnerabilities), [Reference 2](https://www.oracle.com//security-alerts/cpujul2021.html), [Reference 3](https://www.oracle.com/security-alerts/cpuApr2021.html).