Описание
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti... https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java .
This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.
A resource exhaustion flaw has been discovered in the Bouncy Castle for Java library. The flaw exists because there was no practical limit on the size of an encoded ASN.1 Object Identifier (OID), beyond the maximum size of an ASN1Object. While technically valid, this could be exploited by an attacker to create excessively large OIDs, which would cause uncontrolled memory consumption and lead to a denial of service (DoS) attack.
In following the practice of other providers, we have adopted a limit of 4096 bytes on the size of an encoded identifier and a cap of 16385 characters on an identifier string.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 4 | bcpkix-jdk18on | Fix deferred | ||
| Cryostat 4 | bcprov-jdk18on | Fix deferred | ||
| Cryostat 4 | bcutil-jdk18on | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | bcmail-jdk15on | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | bcpg-jdk15on | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | bcpkix-jdk15on | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | bcprov-jdk15on | Fix deferred | ||
| Red Hat AMQ Broker 7 | bcpkix-jdk15on | Not affected | ||
| Red Hat AMQ Broker 7 | bcpkix-jdk18on | Not affected | ||
| Red Hat AMQ Broker 7 | bcprov-jdk15on | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti... https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java . This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti... https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java . This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.
Allocation of Resources Without Limits or Throttling vulnerability in ...
Bouncy Castle for Java on All (API modules) allows Excessive Allocation
EPSS
5.3 Medium
CVSS3