History: Apr 03, 2020 - 8:05 a.m.

Security Bulletin: Multiple vulnerabilities in Bouncy Castle API affect IBM License Metric Tool v9.

2020-04-03 08:05:51
www.ibm.com

EPSS: 0.006 (Low), Percentile: 77.8%

Summary

IBM License Metric Tool is affected by Bouncy Castle Cryptography vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1000613
**DESCRIPTION:** Legion of the Bouncy Castle Java Cryptography APIs could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe reflection flaw in XMSS/XMSS^MT private key deserialization. By using a specially crafted private key, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148041 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1000180
**DESCRIPTION:** Bouncy Castle could provide weaker than expected security, caused by an error in the low-level interface to the RSA key pair generator. RSA key pairs generated in the low-level API with added certainty may have fewer M-R (Miller-Rabin) tests than expected. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/144810 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
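
The CVE-2018-1000180 description turns on how many Miller-Rabin (M-R) rounds back a requested certainty. As an added example (not IBM's or Bouncy Castle's code), the Python below re-tests the primes of an existing RSA private key with an independent M-R implementation; the function names, the 128-bit default certainty and the sample values are assumptions constructed for illustration.

```python
import secrets

def miller_rabin(n, rounds):
    """Return True if n passes `rounds` random-base Miller-Rabin tests."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0                      # write n - 1 as d * 2^s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True

def rounds_for_certainty(certainty_bits):
    """Rounds k such that the worst-case bound 4^-k is at most 2^-certainty_bits."""
    return (certainty_bits + 1) // 2

def audit_rsa_primes(n, p, q, certainty_bits=128):
    """Re-check the factors of an RSA private key; return a list of findings."""
    findings = []
    if p * q != n:
        findings.append("modulus is not p*q")
    k = rounds_for_certainty(certainty_bits)
    for name, value in (("p", p), ("q", q)):
        if not miller_rabin(value, k):
            findings.append(f"{name} is composite")
    return findings

# Constructed sample values (not real key material).
P = 2**127 - 1                       # Mersenne prime
Q = 2**89 - 1                        # Mersenne prime
BAD = (2**61 - 1) * (2**31 - 1)      # composite with no small factors

if __name__ == "__main__":
    print(audit_rsa_primes(P * Q, P, Q))
    print(audit_rsa_primes(P * BAD, P, BAD))
```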

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM License Metric Tool | All |

Remediation/Fixes

Upgrade to version 9.2.19 or later using the following procedure:

  • In the BigFix console, expand the IBM License Reporting (ILMT) node under the Sites node in the tree panel.
  • Click the Fixlets and Tasks node. The Fixlets and Tasks panel will be displayed on the right.
  • In the Fixlets and Tasks panel, locate the _Upgrade to the latest version of IBM License Metric Tool 9.x_ fixlet and run it against the computer that hosts your server.

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm license metric tool | eq | 9.2 |
