csaf_certbund - wid-sec-w-2024-1031

wid-sec-w-2024-1031

Vulnerability from csaf_certbund

Published

2024-05-05 22:00

Modified

2024-11-19 23:00

Summary

Bouncy Castle: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Bouncy Castle ist eine Kryptographie-API für Java.

Angriff

Ein anonymer Angreifer kann mehrere Schwachstellen in Bouncy Castle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen DNS-Poisoning-Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Bouncy Castle ist eine Kryptographie-API f\u00fcr Java.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein anonymer Angreifer kann mehrere Schwachstellen in Bouncy Castle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder einen DNS-Poisoning-Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1031 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1031.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1031 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1031"
      },
      {
        "category": "external",
        "summary": "Bouncy Castle Release Notes vom 2024-05-05",
        "url": "https://www.bouncycastle.org/latest_releases.html#LATEST"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugzilla vom 2024-05-05",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279227"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-05-05",
        "url": "https://github.com/advisories/GHSA-4h8f-2wvx-gg5w"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1539-1 vom 2024-05-11",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QZZU3EK7MCVS5TGBQL47TPFRCL6XR25J/"
      },
      {
        "category": "external",
        "summary": "PDFreactor 11 Hotfix Release vom 2024-06-13",
        "url": "https://www.pdfreactor.com/pdfreactor-11-hotfix-release-11-6-12-now-available/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1539-2 vom 2024-06-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NCEDYUZRBIYFFW6ATWOW33BSWPBY2U52/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7158960 vom 2024-06-27",
        "url": "https://www.ibm.com/support/pages/node/7158960"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4271 vom 2024-07-03",
        "url": "https://access.redhat.com/errata/RHSA-2024:4271"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4173 vom 2024-07-08",
        "url": "https://access.redhat.com/errata/RHSA-2024:4173"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7159714 vom 2024-07-05",
        "url": "https://www.ibm.com/support/pages/node/7159714"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4505 vom 2024-07-11",
        "url": "https://access.redhat.com/errata/RHSA-2024:4505"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7160134 vom 2024-07-12",
        "url": "https://www.ibm.com/support/pages/node/7160134"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4326 vom 2024-07-14",
        "url": "https://access.redhat.com/errata/RHSA-2024:4326"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:4884 vom 2024-07-26",
        "url": "https://access.redhat.com/errata/RHSA-2024:4884"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:5143 vom 2024-08-09",
        "url": "https://access.redhat.com/errata/RHSA-2024:5143"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:5144 vom 2024-08-09",
        "url": "https://access.redhat.com/errata/RHSA-2024:5144"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:5147 vom 2024-08-09",
        "url": "https://access.redhat.com/errata/RHSA-2024:5147"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:5145 vom 2024-08-09",
        "url": "https://access.redhat.com/errata/RHSA-2024:5145"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7165340 vom 2024-08-13",
        "url": "https://www.ibm.com/support/pages/node/7165340"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:5482 vom 2024-08-16",
        "url": "https://access.redhat.com/errata/RHSA-2024:5482"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:5481 vom 2024-08-16",
        "url": "https://access.redhat.com/errata/RHSA-2024:5481"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:5479 vom 2024-08-16",
        "url": "https://access.redhat.com/errata/RHSA-2024:5479"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7166617 vom 2024-08-26",
        "url": "https://www.ibm.com/support/pages/node/7166617"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7167111 vom 2024-09-03",
        "url": "https://www.ibm.com/support/pages/node/7167111"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7168235 vom 2024-09-12",
        "url": "https://www.ibm.com/support/pages/node/7168235"
      },
      {
        "category": "external",
        "summary": "Confluence Data Center Advisory",
        "url": "https://jira.atlassian.com/browse/CONFSERVER-97723"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7168754 vom 2024-09-17",
        "url": "https://www.ibm.com/support/pages/node/7168754"
      },
      {
        "category": "external",
        "summary": "Atlassian November 2024 Security Bulletin vom 2024-11-19",
        "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1456179091"
      }
    ],
    "source_lang": "en-US",
    "title": "Bouncy Castle: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-11-19T23:00:00.000+00:00",
      "generator": {
        "date": "2024-11-20T09:20:09.108+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.8"
        }
      },
      "id": "WID-SEC-W-2024-1031",
      "initial_release_date": "2024-05-05T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-05-05T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-05-12T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-12T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2024-06-18T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-26T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-07-02T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-07-07T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat und IBM aufgenommen"
        },
        {
          "date": "2024-07-11T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-07-14T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-07-25T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-08-08T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-08-13T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-08-15T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-08-25T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-09-03T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-09-11T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-09-17T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-11-19T23:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates aufgenommen"
        }
      ],
      "status": "final",
      "version": "18"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Atlassian Bitbucket",
            "product": {
              "name": "Atlassian Bitbucket",
              "product_id": "T021356",
              "product_identification_helper": {
                "cpe": "cpe:/a:atlassian:bitbucket:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.9.4",
                "product": {
                  "name": "Atlassian Confluence \u003c8.9.4",
                  "product_id": "T036294"
                }
              },
              {
                "category": "product_version",
                "name": "8.9.4",
                "product": {
                  "name": "Atlassian Confluence 8.9.4",
                  "product_id": "T036294-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center__8.9.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.5.12",
                "product": {
                  "name": "Atlassian Confluence \u003c8.5.12",
                  "product_id": "T036295"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.12",
                "product": {
                  "name": "Atlassian Confluence 8.5.12",
                  "product_id": "T036295-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center_and_server__8.5.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.0.1",
                "product": {
                  "name": "Atlassian Confluence \u003c9.0.1",
                  "product_id": "T036970"
                }
              },
              {
                "category": "product_version",
                "name": "9.0.1",
                "product": {
                  "name": "Atlassian Confluence 9.0.1",
                  "product_id": "T036970-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:9.0.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.19.26",
                "product": {
                  "name": "Atlassian Confluence \u003c7.19.26",
                  "product_id": "T036972"
                }
              },
              {
                "category": "product_version",
                "name": "7.19.26",
                "product": {
                  "name": "Atlassian Confluence 7.19.26",
                  "product_id": "T036972-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:7.19.26"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Confluence"
          }
        ],
        "category": "vendor",
        "name": "Atlassian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM DB2",
            "product": {
              "name": "IBM DB2",
              "product_id": "5104",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:db2:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9.2",
                "product": {
                  "name": "IBM License Metric Tool 9.2",
                  "product_id": "T031605",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:license_metric_tool:9.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "License Metric Tool"
          },
          {
            "category": "product_name",
            "name": "IBM MQ",
            "product": {
              "name": "IBM MQ",
              "product_id": "T021398",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:mq:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP9",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP9",
                  "product_id": "T036127"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP9",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP9",
                  "product_id": "T036127-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          },
          {
            "category": "product_name",
            "name": "IBM Security Guardium",
            "product": {
              "name": "IBM Security Guardium",
              "product_id": "T021345",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:security_guardium:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.2.1.0",
                "product": {
                  "name": "IBM Storage Scale \u003c5.2.1.0",
                  "product_id": "T037080"
                }
              },
              {
                "category": "product_version",
                "name": "5.2.1.0",
                "product": {
                  "name": "IBM Storage Scale 5.2.1.0",
                  "product_id": "T037080-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_scale:5.2.1.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.1.9.5",
                "product": {
                  "name": "IBM Storage Scale \u003c5.1.9.5",
                  "product_id": "T037081"
                }
              },
              {
                "category": "product_version",
                "name": "5.1.9.5",
                "product": {
                  "name": "IBM Storage Scale 5.1.9.5",
                  "product_id": "T037081-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_scale:5.1.9.5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "5.1.0.0-5.1.9.4",
                "product": {
                  "name": "IBM Storage Scale 5.1.0.0-5.1.9.4",
                  "product_id": "T037717",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_scale:5.1.0.0_-_5.1.9.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Storage Scale"
          },
          {
            "category": "product_name",
            "name": "IBM Tivoli Key Lifecycle Manager",
            "product": {
              "name": "IBM Tivoli Key Lifecycle Manager",
              "product_id": "T026238",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:tivoli_key_lifecycle_manager:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.78.1",
                "product": {
                  "name": "Open Source Bouncy Castle \u003c1.78.1",
                  "product_id": "T034537"
                }
              },
              {
                "category": "product_version",
                "name": "1.78.1",
                "product": {
                  "name": "Open Source Bouncy Castle 1.78.1",
                  "product_id": "T034537-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.78.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Bouncy Castle"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c11.6.12",
                "product": {
                  "name": "RealObjects PDFreactor \u003c11.6.12",
                  "product_id": "T035425"
                }
              },
              {
                "category": "product_version",
                "name": "11.6.12",
                "product": {
                  "name": "RealObjects PDFreactor 11.6.12",
                  "product_id": "T035425-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:realobjects:pdfreactor:11.6.12"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "PDFreactor"
          }
        ],
        "category": "vendor",
        "name": "RealObjects"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-29857",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in Bouncy Castle. Diese Fehler bestehen aufgrund einer Ressourcenersch\u00f6pfung, einer beobachtbaren Diskrepanz und eines Endlosschleifenproblems. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037717",
          "T035425",
          "67646",
          "T034537",
          "T036972",
          "T036127",
          "T036970",
          "T021345",
          "T021356",
          "T036294",
          "T036295",
          "T002207",
          "T037080",
          "T037081",
          "5104",
          "T031605",
          "T026238",
          "T021398"
        ]
      },
      "release_date": "2024-05-05T22:00:00.000+00:00",
      "title": "CVE-2024-29857"
    },
    {
      "cve": "CVE-2024-30171",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in Bouncy Castle. Diese Fehler bestehen aufgrund einer Ressourcenersch\u00f6pfung, einer beobachtbaren Diskrepanz und eines Endlosschleifenproblems. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037717",
          "T035425",
          "67646",
          "T034537",
          "T036972",
          "T036127",
          "T036970",
          "T021345",
          "T021356",
          "T036294",
          "T036295",
          "T002207",
          "T037080",
          "T037081",
          "5104",
          "T031605",
          "T026238",
          "T021398"
        ]
      },
      "release_date": "2024-05-05T22:00:00.000+00:00",
      "title": "CVE-2024-30171"
    },
    {
      "cve": "CVE-2024-30172",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in Bouncy Castle. Diese Fehler bestehen aufgrund einer Ressourcenersch\u00f6pfung, einer beobachtbaren Diskrepanz und eines Endlosschleifenproblems. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037717",
          "T035425",
          "67646",
          "T034537",
          "T036972",
          "T036127",
          "T036970",
          "T021345",
          "T021356",
          "T036294",
          "T036295",
          "T002207",
          "T037080",
          "T037081",
          "5104",
          "T031605",
          "T026238",
          "T021398"
        ]
      },
      "release_date": "2024-05-05T22:00:00.000+00:00",
      "title": "CVE-2024-30172"
    },
    {
      "cve": "CVE-2024-34447",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Bouncy Castle. Dieser Fehler besteht in den Java Cryptography APIs aufgrund eines \u201eUse of Incorrectly-Resolved Name\u201c-Problems, das die \u00dcberpr\u00fcfung von Hostnamen anhand einer DNS-aufgel\u00f6sten IP-Adresse erm\u00f6glicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen DNS-Poisoning-Angriff durchzuf\u00fchren und so die Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037717",
          "T035425",
          "67646",
          "T034537",
          "T036972",
          "T036127",
          "T036970",
          "T021345",
          "T021356",
          "T036294",
          "T036295",
          "T002207",
          "T037080",
          "T037081",
          "5104",
          "T031605",
          "T026238",
          "T021398"
        ]
      },
      "release_date": "2024-05-05T22:00:00.000+00:00",
      "title": "CVE-2024-34447"
    }
  ]
}

cve-2024-34447

Vulnerability from cvelistv5

Published

2024-05-03 00:00

Modified

2024-08-02 02:51

Severity ?

Summary

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

▼	URL	Tags
	https://www.bouncycastle.org/latest_releases.html
	https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
	https://security.netapp.com/advisory/ntap-20240614-0007/

Impacted products

Vendor

Product

Version

▼

n/a

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34447",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-16T18:10:40.780151Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:42:12.612Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:51:11.426Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bouncycastle.org/latest_releases.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240614-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-14T13:06:15.072962",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.bouncycastle.org/latest_releases.html"
        },
        {
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240614-0007/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-34447",
    "datePublished": "2024-05-03T00:00:00",
    "dateReserved": "2024-05-03T00:00:00",
    "dateUpdated": "2024-08-02T02:51:11.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-29857

Vulnerability from cvelistv5

Published

Modified

2024-12-06 13:09

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

References

▼	URL	Tags
	https://www.bouncycastle.org/latest_releases.html
	https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857
	https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857

Impacted products

Vendor

Product

Version

▼

n/a

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-12-06T13:09:29.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bouncycastle.org/latest_releases.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241206-0008/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:bouncycastle:bc-java:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "bc-java",
            "vendor": "bouncycastle",
            "versions": [
              {
                "lessThanOrEqual": "1.77",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:bouncycastle:bc-fja:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "bc-fja",
            "vendor": "bouncycastle",
            "versions": [
              {
                "lessThanOrEqual": "1.0.2.4",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:bouncycastle:bc_c_.net:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "bc_c_.net",
            "vendor": "bouncycastle",
            "versions": [
              {
                "lessThanOrEqual": "2.3.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-29857",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-13T19:32:50.624122Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T18:48:02.823Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-13T16:50:06.548191",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.bouncycastle.org/latest_releases.html"
        },
        {
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857"
        },
        {
          "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-29857",
    "dateUpdated": "2024-12-06T13:09:29.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-30172

Vulnerability from cvelistv5

Published

2024-05-09 00:00

Modified

2024-11-05 17:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

References

▼	URL	Tags
	https://www.bouncycastle.org/latest_releases.html
	https://security.netapp.com/advisory/ntap-20240614-0007/

Impacted products

Vendor

Product

Version

▼

n/a

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "legion-of-the-bouncy-castle-java-crytography-api",
            "vendor": "bouncycastle",
            "versions": [
              {
                "lessThan": "1.78",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-30172",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-05T13:44:28.294090Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T17:15:29.205Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:25:03.425Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bouncycastle.org/latest_releases.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240614-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-14T13:06:13.419504",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.bouncycastle.org/latest_releases.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240614-0007/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-30172",
    "datePublished": "2024-05-09T00:00:00",
    "dateReserved": "2024-03-24T00:00:00",
    "dateUpdated": "2024-11-05T17:15:29.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-30171

Vulnerability from cvelistv5

Published

2024-05-09 00:00

Modified

2024-08-19 17:18

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

References

▼	URL	Tags
	https://www.bouncycastle.org/latest_releases.html
	https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171
	https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171
	https://security.netapp.com/advisory/ntap-20240614-0008/

Impacted products

Vendor

Product

Version

▼

n/a

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:25:02.988Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bouncycastle.org/latest_releases.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240614-0008/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:bouncycastle:bouncy_castle_for_java:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "bouncy_castle_for_java",
            "vendor": "bouncycastle",
            "versions": [
              {
                "lessThan": "1.78",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "active_iq_unified_manager",
            "vendor": "netapp",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "bluexp",
            "vendor": "netapp",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:netapp:ontap_tools:-:*:*:*:*:vmware_vsphere:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ontap_tools",
            "vendor": "netapp",
            "versions": [
              {
                "status": "affected",
                "version": "9"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:netapp:oncommand_workflow_automation:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "oncommand_workflow_automation",
            "vendor": "netapp",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-30171",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-19T17:18:15.455507Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-203",
                "description": "CWE-203 Observable Discrepancy",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-19T17:18:20.969Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-14T13:06:05.488818",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.bouncycastle.org/latest_releases.html"
        },
        {
          "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171"
        },
        {
          "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240614-0008/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-30171",
    "datePublished": "2024-05-09T00:00:00",
    "dateReserved": "2024-03-24T00:00:00",
    "dateUpdated": "2024-08-19T17:18:20.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

wid-sec-w-2024-1031

Vulnerability from csaf_certbund

cve-2024-34447

Vulnerability from cvelistv5

cve-2024-29857

Vulnerability from cvelistv5

cve-2024-30172

Vulnerability from cvelistv5

cve-2024-30171

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature