DSA-2019-094: RSA BSAFE Crypto-J Multiple Security Vulnerabilities

Summary: RSA BSAFE Crypto-J contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.


Impact

Medium

Details

  • Missing Required Cryptographic Step – CVE-2019-3738
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing Required Cryptographic Step vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
 
  • Information Exposure Through Timing Discrepancy – CVE-2019-3739
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
 
  • Information Exposure Through Timing Discrepancy – CVE-2019-3740
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Affected Products

  • RSA BSAFE Crypto-J versions prior to 6.2.5
  • RSA BSAFE SSL-J, all currently supported versions where 6.2.4.1 is the most recent release as of this advisory
  • RSA BSAFE Cert-J, all currently supported versions where 6.2.4 is the most recent release as of this advisory

Remediation


The following RSA BSAFE Crypto-J release contains resolutions to these vulnerabilities:
  • RSA BSAFE Crypto-J 6.2.5
RSA recommends all customers upgrade Crypto-J at the earliest opportunity.
 
As RSA BSAFE SSL-J uses Crypto-J for all cryptographic operations, RSA recommends that all customers upgrade to BSAFE SSL-J 6.2.4.x, which supports using Crypto-J 6.2.5. Future releases of SSL-J 6.2.4.x will include Crypto-J 6.2.5.
 
As RSA BSAFE Cert-J uses Crypto-J for all cryptographic operations, RSA recommends that all customers upgrade to BSAFE Cert-J 6.2.4, which supports using Crypto-J 6.2.5. Future releases of Cert-J will include Crypto-J 6.2.5.

 

For additional documentation, downloads and more, visit the RSA BSAFE page on RSA Link.


Acknowledgements

RSA would like to thank Antonio Sanso for reporting CVE-2019-3739 and CVE-2019-3740.

Related Information

Affected Products

BSAFE Crypto-J, Product Security Information
Article Properties
Article Number: 000180998
Article Type: Dell Security Advisory
Last Modified: 18 Sep 2025