CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on
org.bouncycastle:bcprov-jdk18on
Introduced through: org.keycloak:keycloak-operator@999.0.0-SNAPSHOT › org.bouncycastle:bcprov-jdk18on@1.77
Overview
Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.
Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.
Remediation
Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.