Описание
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcprov, bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java.
This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 1.0.2.5, from BC-FJA 2.0.0 through 2.0.0.
A resource exhaustion flaw has been discovered in the Bouncy Castle for Java library. The flaw exists because there was no practical limit on the size of an encoded ASN.1 Object Identifier (OID), beyond the maximum size of an ASN1Object. While technically valid, this could be exploited by an attacker to create excessively large OIDs, which would cause uncontrolled memory consumption and lead to a denial of service (DoS) attack.
In following the practice of other providers, we have adopted a limit of 4096 bytes on the size of an encoded identifier and a cap of 16385 characters on an identifier string.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| AMQ Clients | bcpg-jdk18on | Fix deferred | ||
| AMQ Clients | bcpkix-jdk15on | Fix deferred | ||
| AMQ Clients | bcpkix-jdk18on | Fix deferred | ||
| AMQ Clients | bcprov-jdk15on | Fix deferred | ||
| AMQ Clients | bcprov-jdk18on | Fix deferred | ||
| AMQ Clients | bctls-jdk15on | Fix deferred | ||
| AMQ Clients | bcutil-jdk15on | Fix deferred | ||
| AMQ Clients | bcutil-jdk18on | Fix deferred | ||
| Cryostat 4 | bcpkix-jdk18on | Fix deferred | ||
| Cryostat 4 | bcprov-jdk18on | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java. This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 2.0.0.
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcprov, bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java. This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 1.0.2.5, from BC-FJA 2.0.0 through 2.0.0.
Allocation of Resources Without Limits or Throttling vulnerability in ...
Bouncy Castle for Java on All (API modules) allows Excessive Allocation
EPSS
5.3 Medium
CVSS3