CVE-2018-1000613
Use of Externally-Controlled Input to Select Classes or Code vulnerability in org.bouncycastle:bcprov-jdk15on

Weakness: Use of Externally-Controlled Input to Select Classes or Code
Exploit status: No known exploit

What is CVE-2018-1000613 About?

This vulnerability is an 'Unsafe Reflection' issue in the Legion of the Bouncy Castle Java Cryptography APIs, related to XMSS/XMSS^MT private key deserialization. Externally-controlled input selects which code is executed, so a deserialized key can trigger unexpected code and enable remote code execution. Exploitation requires a handcrafted malicious private key.

Affected Software

org.bouncycastle:bcprov-jdk15on >1.57, <1.60

Technical Details

The vulnerability stems from insecure deserialization during the loading of XMSS/XMSS^MT private key files. When a private key is deserialized, the class to instantiate is selected from externally-controlled input (CWE-470), so a key file can reference arbitrary classes available on the classpath. An attacker can craft a private key file that references unexpected or harmful classes; when the application deserializes it, those attacker-chosen classes are instantiated and their code runs, leading to arbitrary code execution.
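The defensive pattern for this weakness class is to refuse any class descriptor the serialized format is not expected to carry before an instance of it is created. The program below is an added illustration of that pattern, not Bouncy Castle code and not the patch shipped in 1.60: DemoKeyBlob is a constructed stand-in for a serialized key structure, AllowlistingObjectInputStream is a hypothetical name, and the allowlist contents are assumptions for this demo (Java 9+ for Set.of).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

public class AllowlistedKeyDeserialization {

    // Constructed stand-in for a serialized private-key structure.
    // It is NOT a Bouncy Castle class; it exists only so the example runs.
    static final class DemoKeyBlob implements Serializable {
        private static final long serialVersionUID = 1L;
        final byte[] seed;
        DemoKeyBlob(byte[] seed) { this.seed = seed; }
    }

    // The only class descriptors a key blob may legitimately carry (assumed
    // for this demo): the key structure itself and the byte array it holds ("[B").
    static final Set<String> ALLOWED_CLASSES =
            Set.of(DemoKeyBlob.class.getName(), "[B");

    // ObjectInputStream that refuses to resolve any class outside the allowlist.
    // resolveClass() runs before an instance is created, so an unexpected
    // class name in the stream is rejected rather than instantiated.
    static final class AllowlistingObjectInputStream extends ObjectInputStream {
        AllowlistingObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED_CLASSES.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not permitted in serialized key data");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Hardened load: allowlisted stream plus a type check on the result.
    static DemoKeyBlob loadKey(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new AllowlistingObjectInputStream(new ByteArrayInputStream(data))) {
            Object obj = in.readObject();
            if (!(obj instanceof DemoKeyBlob)) {
                throw new InvalidObjectException("expected key structure, got "
                        + obj.getClass().getName());
            }
            return (DemoKeyBlob) obj;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed well-formed key data: accepted.
        byte[] good = serialize(new DemoKeyBlob(new byte[] {1, 2, 3}));
        System.out.println("accepted key with seed length " + loadKey(good).seed.length);

        // Constructed data carrying a class that is not part of the key format
        // (an ArrayList stands in for any unexpected class): rejected before
        // any instance of it is created.
        byte[] unexpected = serialize(new ArrayList<String>());
        try {
            loadKey(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Compile and run with `javac AllowlistedKeyDeserialization.java && java AllowlistedKeyDeserialization`. On Java 9 and later the same effect can be obtained without subclassing by installing an `ObjectInputFilter` through `ObjectInputStream.setObjectInputFilter`; either way, the point is that the set of acceptable classes is fixed by the key format, not by the bytes being read.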

What is the Impact of CVE-2018-1000613?

Successful exploitation may allow attackers to execute arbitrary code on the server, gain full control of the affected system, and compromise data confidentiality, integrity, and availability.

What is the Exploitability of CVE-2018-1000613?

Exploitation requires the attacker to supply a handcrafted private key that references malicious classes. Complexity is high: it requires detailed knowledge of Java deserialization and of the classes available on the application's classpath. No authentication is mentioned or appears to be required for the deserialization step itself, provided the attacker can get the malicious private key in front of the application. This is a remote scenario if an attacker can upload or otherwise supply a private key file, or a local one if they have write access to such files. The primary risk factor is the application's handling of untrusted serialized data without proper validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-1000613?

Available Upgrade Options

  • org.bouncycastle:bcprov-jdk15on
    • >1.57, <1.60 → Upgrade to 1.60


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1000613?

Similar Vulnerabilities: CVE-2020-2564, CVE-2019-10086, CVE-2017-3506, CVE-2017-3507, CVE-2017-3241