CVE-2018-1000613 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-1000613 Interim 1 31 2023-06-22T00:37:34Z current 2021-05-30T14:20:41Z 2023-06-22T00:37:34Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-1000613 Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/opensuse-security-announce/2018-07/msg00048.html E-Mail link for openSUSE-SU-2018:2131-1 https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00003.html E-Mail link for openSUSE-SU-2018:2180-1 https://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html E-Mail link for openSUSE-SU-2020:0607-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 openSUSE Leap 15.0 openSUSE Leap 15.1 openSUSE Tumbleweed bouncycastle bouncycastle-1.60-lp150.2.3.1 bouncycastle-1.60-lp151.3.3.1 bouncycastle-1.64-1.63 bouncycastle-1.64-3.3.1 bouncycastle-1.68-3.2 bouncycastle-1.72-150200.3.12.1 bouncycastle-javadoc-1.60-lp150.2.3.1 bouncycastle-javadoc-1.60-lp151.3.3.1 bouncycastle-javadoc-1.68-3.2 bouncycastle-mail-1.68-3.2 bouncycastle-pg bouncycastle-pg-1.64-1.63 bouncycastle-pg-1.64-3.3.1 bouncycastle-pg-1.68-3.2 bouncycastle-pg-1.72-150200.3.12.1 bouncycastle-pkix-1.68-3.2 bouncycastle-pkix-1.72-150200.3.12.1 bouncycastle-tls-1.68-3.2 bouncycastle-util-1.72-150200.3.12.1 bouncycastle-1.64-1.63 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 bouncycastle-pg-1.64-1.63 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 bouncycastle-1.64-1.63 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 bouncycastle-pg-1.64-1.63 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 bouncycastle-1.64-3.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 bouncycastle-pg-1.64-3.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 bouncycastle-1.72-150200.3.12.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 bouncycastle-pg-1.72-150200.3.12.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 bouncycastle-pkix-1.72-150200.3.12.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 bouncycastle-util-1.72-150200.3.12.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 bouncycastle-1.60-lp150.2.3.1 as a component of openSUSE Leap 15.0 bouncycastle-javadoc-1.60-lp150.2.3.1 as a component of openSUSE Leap 15.0 bouncycastle-1.60-lp151.3.3.1 as a component of openSUSE Leap 15.1 bouncycastle-javadoc-1.60-lp151.3.3.1 as a component of openSUSE Leap 15.1 bouncycastle-1.68-3.2 as a component of openSUSE Tumbleweed bouncycastle-javadoc-1.68-3.2 as a component of openSUSE Tumbleweed bouncycastle-mail-1.68-3.2 as a component of openSUSE Tumbleweed bouncycastle-pg-1.68-3.2 as a component of openSUSE Tumbleweed bouncycastle-pkix-1.68-3.2 as a component of openSUSE Tumbleweed bouncycastle-tls-1.68-3.2 as a component of openSUSE Tumbleweed bouncycastle as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 bouncycastle-pg as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later. CVE-2018-1000613 SUSE Linux Enterprise Module for Development Tools 15 SP2:bouncycastle-1.64-1.63 SUSE Linux Enterprise Module for Development Tools 15 SP2:bouncycastle-pg-1.64-1.63 SUSE Linux Enterprise Module for Development Tools 15 SP3:bouncycastle-1.64-1.63 SUSE Linux Enterprise Module for Development Tools 15 SP3:bouncycastle-pg-1.64-1.63 SUSE Linux Enterprise Module for Development Tools 15 SP4:bouncycastle-1.64-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:bouncycastle-pg-1.64-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:bouncycastle-1.72-150200.3.12.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:bouncycastle-pg-1.72-150200.3.12.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:bouncycastle-pkix-1.72-150200.3.12.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:bouncycastle-util-1.72-150200.3.12.1 openSUSE Leap 15.0:bouncycastle-1.60-lp150.2.3.1 openSUSE Leap 15.0:bouncycastle-javadoc-1.60-lp150.2.3.1 openSUSE Leap 15.1:bouncycastle-1.60-lp151.3.3.1 openSUSE Leap 15.1:bouncycastle-javadoc-1.60-lp151.3.3.1 openSUSE Tumbleweed:bouncycastle-1.68-3.2 openSUSE Tumbleweed:bouncycastle-javadoc-1.68-3.2 openSUSE Tumbleweed:bouncycastle-mail-1.68-3.2 openSUSE Tumbleweed:bouncycastle-pg-1.68-3.2 openSUSE Tumbleweed:bouncycastle-pkix-1.68-3.2 openSUSE Tumbleweed:bouncycastle-tls-1.68-3.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:bouncycastle SUSE Linux Enterprise Module for Development Tools 15 SP2:bouncycastle-pg moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L