PT-2018-2791 · Legion Of The Bouncy Castle · Legion Of The Bouncy Castle Java Cryptography Apis

Published 2018-07-09 · Updated 2024-06-15 · CVE-2018-1000613

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Legion of the Bouncy Castle Java Cryptography APIs, versions 1.57 through 1.59

Description

The issue lies in the deserialization of XMSS/XMSS^MT private keys, which can result in the execution of unexpected code. It is caused by the use of externally-controlled input to select classes or code, also known as 'Unsafe Reflection' (CWE-470). An attacker can exploit this by supplying a handcrafted private key that contains references to unexpected classes, which are then loaded from the class path of the executing application.

Recommendations

For versions 1.57 through 1.59, update to version 1.60 or later to resolve the issue. Where upgrading is not immediately possible, restrict XMSS/XMSS^MT private key deserialization as a temporary workaround, and do not deserialize private keys from untrusted sources through the affected API endpoints until the issue is resolved.

Weakness Enumeration

Deserialization of Untrusted Data

Related identifiers

BDU:2019-01880
CVE-2018-1000613
GHSA-4446-656P-F54G
MGASA-2018-0376
OPENSUSE-SU-2018_2131-1
OPENSUSE-SU-2018_2180-1
OPENSUSE-SU-2020:0607-1
OPENSUSE-SU-2020_0607-1
OPENSUSE-SU-2024:10661-1

Affected products

Legion Of The Bouncy Castle Java Cryptography Apis
Suse