[GHSA-4h8f-2wvx-gg5w] Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

[hmolsen]

Updates

• Affected products

Comments
We are using the FIPS-TLS version of bc and were surprised that we were seemingly not affected by this vulnerability, when we actually were affected (verified by code inspection).
The official advisory (https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447) clearly says that BC FIPS TLS Java <=1.0.18 and also the LTS versions are affected, but none of the advisories (MITRE, GHSA, NVD, ...) reflect this.

[helixplant]

Hi @hmolsen,
We are currently looking into this and trying to determine if FIPS-TLS and LTS are within GitHub Advisory Database's supported ecosystems. Would you be able to provide the package information or the vulnerable portion of the code so we can investigate further?

[hmolsen]

Hi @helixplant,

thank you for looking into this! From my point of view it is within your supported ecosystems. The link you provided lists

https://repo.maven.apache.org/maven2/

and you can find the FIPS-TLS under
https://repo.maven.apache.org/maven2/org/bouncycastle/bctls-fips/
Fix Version:
https://repo.maven.apache.org/maven2/org/bouncycastle/bctls-fips/1.0.19/

and the LTS version under
https://repo.maven.apache.org/maven2/org/bouncycastle/bctls-lts8on/
Fix Version:
https://repo.maven.apache.org/maven2/org/bouncycastle/bctls-lts8on/2.73.6/

Hope that helps!