#VU89221 Insufficient verification of data authenticity in The Bouncy Castle Crypto Package For Java


Published: 2024-05-07 | Updated: 2024-06-28

Vulnerability identifier: #VU89221

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-34447

CWE-ID: CWE-345

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
The Bouncy Castle Crypto Package For Java
Universal components / Libraries / Libraries used by multiple products

Vendor: Legion of the Bouncy Castle Inc.

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to hostname verification is performed against a DNS-resolved IP address when endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname. A remote attacker can bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

The Bouncy Castle Crypto Package For Java: 1.0 - 1.77

External links
http://www.bouncycastle.org/releasenotes.html#1.78

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Storage Defender - Resiliency Service
Insufficient verification of data authenticity in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 
Amazon Linux AMI update for bouncycastle
Multiple vulnerabilities in IBM Cloud Pak for Network Automation
Multiple vulnerabilities in IBM Cloud Pak for AIOps
Multiple vulnerabilities in IBM Log Analysis
Insufficient verification of data authenticity in insufficient verification of data authenticity
Multiple vulnerabilities in Bouncy Castle Crypto Package For Java