DSA-2019-094: RSA BSAFE Crypto-J Multiple Security Vulnerabilities

Resumen: RSA BSAFE Crypto-J contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

Este artículo se aplica a Este artículo no se aplica a Este artículo no está vinculado a ningún producto específico. No se identifican todas las versiones del producto en este artículo.
Consulte estos recursos

Impacto

Medium

Detalles

  • Missing Required Cryptographic Step – CVE-2019-3738
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing Required Cryptographic Step vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
 
  • Information Exposure Through Timing Discrepancy – CVE-2019-3739
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
 
  • Information Exposure Through Timing Discrepancy – CVE-2019-3740
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
  • Missing Required Cryptographic Step – CVE-2019-3738
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing Required Cryptographic Step vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
 
  • Information Exposure Through Timing Discrepancy – CVE-2019-3739
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
 
  • Information Exposure Through Timing Discrepancy – CVE-2019-3740
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
 
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) – Medium
Dell Technologies recomienda que todos los clientes tengan en cuenta tanto la puntuación base como cualquier otra puntuación ambiental y temporal relevante que pueda afectar la posible gravedad asociada con la vulnerabilidad de seguridad en particular.

Corrección y productos afectados

Affected Products

  • RSA BSAFE Crypto-J versions prior to 6.2.5
  • RSA BSAFE SSL-J, all currently supported versions where 6.2.4.1 is the most recent release as of this advisory
  • RSA BSAFE Cert-J, all currently supported versions where 6.2.4 is the most recent release as of this advisory

Remediation


The following RSA BSAFE Crypto-J release contains resolutions to these vulnerabilities:
  • RSA BSAFE Crypto-J 6.2.5mo 
RSA recommends all customers upgrade Crypto-J at the earliest opportunity.
 
As RSA BSAFE SSL-J uses Crypto-J for all cryptographic operations, RSA recommends all customers to upgrade to BSAFE SSL-J 6.2.4.x which supports using Crypto-J 6.2.5. Future releases of SSL-J 6.2.4.x will include Crypto-J 6.2.5.
 
As RSA BSAFE Cert-J uses Crypto-J for all cryptographic operations, RSA recommends all customers to upgrade to BSAFE Cert-J 6.2.4 which supports using Crypto-J 6.2.5. Future releases of Cert-J will include Crypto-J 6.2.5.

 

For additional documentation, downloads and more, visit the RSA BSAFE page on RSA Link.

Affected Products

  • RSA BSAFE Crypto-J versions prior to 6.2.5
  • RSA BSAFE SSL-J, all currently supported versions where 6.2.4.1 is the most recent release as of this advisory
  • RSA BSAFE Cert-J, all currently supported versions where 6.2.4 is the most recent release as of this advisory

Remediation


The following RSA BSAFE Crypto-J release contains resolutions to these vulnerabilities:
  • RSA BSAFE Crypto-J 6.2.5mo 
RSA recommends all customers upgrade Crypto-J at the earliest opportunity.
 
As RSA BSAFE SSL-J uses Crypto-J for all cryptographic operations, RSA recommends all customers to upgrade to BSAFE SSL-J 6.2.4.x which supports using Crypto-J 6.2.5. Future releases of SSL-J 6.2.4.x will include Crypto-J 6.2.5.
 
As RSA BSAFE Cert-J uses Crypto-J for all cryptographic operations, RSA recommends all customers to upgrade to BSAFE Cert-J 6.2.4 which supports using Crypto-J 6.2.5. Future releases of Cert-J will include Crypto-J 6.2.5.

 

For additional documentation, downloads and more, visit the RSA BSAFE page on RSA Link.

Reconocimientos

RSA would like to thank Antonio Sanso for reporting CVE -2019-3739 and CVE-2019-3740.

Información relacionada

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Descargo de responsabilidad

Productos afectados

BSAFE Crypto-J, Product Security Information
Propiedades del artículo
Número del artículo: 000180998
Tipo de artículo: Dell Security Advisory
Última modificación: 18 sept 2025
Encuentre respuestas a sus preguntas de otros usuarios de Dell
Servicios de soporte
Compruebe si el dispositivo está cubierto por los servicios de soporte.