CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on #29660

github-actions · 2024-05-18T00:20:01Z

CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on
org.bouncycastle:bcprov-jdk18on
Introduced through: org.keycloak:keycloak-operator@999.0.0-SNAPSHOT › org.bouncycastle:bcprov-jdk18on@1.77

Overview

Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.

Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.

References

The text was updated successfully, but these errors were encountered:

abstractj · 2024-05-20T12:55:45Z

Duplicate.

github-actions bot added kind/bug Categorizes a PR related to a bug kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected status/triage labels May 18, 2024

abstractj closed this as not planned Won't fix, can't repro, duplicate, stale May 20, 2024

keycloak-github-bot bot removed the status/triage label May 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on #29660

CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on #29660

github-actions bot commented May 18, 2024

abstractj commented May 20, 2024

CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on #29660

CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on #29660

Comments

github-actions bot commented May 18, 2024

Overview

Remediation

References

abstractj commented May 20, 2024