-
Notifications
You must be signed in to change notification settings - Fork 1.1k
CVE‐2023‐33202
Issue affecting: BC Java 1.72 and earlier. BC-FJA 1.0.2.3 and earlier.
Fixed versions: BC Java 1.73. BC-FJA 1.0.2.4.
Platform affected: All JVMs.
Bouncy Castle for Java 1.72 and earlier contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.
The attack can be avoided by either updating or filtering PEM requests containing EXTERNAL tagged encodings. While the issue did show up with PEM parsing it eventually turned out that it was a side-effect of a method in the ASN.1 SET class which is fixed in the following commit:
https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c
We gratefully acknowledge assistance of the Amazon AWS Security Team in identifying this issue.