A flaw was found in Legion of the Bouncy Castle Java Cryptography APIs versions prior to 1.60. A lack of class checking in the deserialization of XMSS/XMSS^MT private keys with BDS state information can result in the execution of unexpected code.

References:
https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574
https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc
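The class check whose absence is described above can be enforced with a look-ahead `ObjectInputStream` that consults an allow-list before any class in the stream is resolved. The following Java program is an added example, not code from Bouncy Castle or from the referenced commits; `AllowListStream`, `TreeState` and the helper methods are hypothetical names, and the serialized inputs are constructed inside the program.

```java
import java.io.*;
import java.util.Set;
// Added illustration, not Bouncy Castle code; every class name below is hypothetical.
public class CheckedDeserialize {
    /** ObjectInputStream that refuses any class not on an explicit allow-list. */
    static final class AllowListStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called for each class descriptor, before an instance of that class is created.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not allowed in key state");
            }
            return super.resolveClass(desc);
        }
    }
    /** Constructed stand-in for tree state stored inside a private key. */
    static final class TreeState implements Serializable {
        private static final long serialVersionUID = 1L;
        final int index;
        TreeState(int index) { this.index = index; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static <T> T deserialize(byte[] data, Class<T> expected, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListStream(new ByteArrayInputStream(data), allowed)) {
            return expected.cast(in.readObject()); // also rejects a wrong root type
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(TreeState.class.getName());
        System.out.println(deserialize(serialize(new TreeState(7)), TreeState.class, allowed).index);
        try {
            deserialize(serialize(new java.util.ArrayList<String>()), TreeState.class, allowed);
        } catch (InvalidClassException e) { System.out.println("rejected: " + e.classname); }
    }
}
```

The allow-list is checked in `resolveClass`, so a disallowed class is rejected before its `readObject` logic can run; the final `cast` only confirms the type of the root object.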
Created bouncycastle tracking bugs for this issue:

Affects: epel-all [bug 1601099]
Affects: fedora-all [bug 1601098]
Statement: The XMSS/XMSS^MT algorithms were first introduced in upstream bouncycastle version 1.57. Versions prior to this, that have not had the new algorithms back-ported, are not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-1000613