Bug 2251281 (CVE-2023-33202)

Summary: CVE-2023-33202 bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Sayan Biswas <sabiswas>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, anstephe, aogburn, asatyam, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, diagrawa, dkreling, dosoudil, drichtar, dsimansk, ehelms, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jcantril, jmartisk, jnethert, jolee, jpechane, jpoth, jrokos, jschatte, jscholz, jsherril, jstastny, kverlaen, lball, lgao, lthon, lzap, matzew, max.andersen, mhulan, michal.skrivanek, mnovotny, mosmerov, mperina, msochure, mstefank, msvehla, mulliken, nmoumoul, nwallace, olubyans, orabin, pantinor, pcongius, pcreech, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rguimara, rhuss, rjohnson, rkieley, rowaters, rruss, rstancel, rsvoboda, sabiswas, sbiarozk, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---Flags: aogburn: needinfo? (sabiswas)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bc-java 1.7.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2251282, 2251283, 2251284, 2251285    
Bug Blocks: 2251287    

Description Pedro Sampaio 2023-11-23 20:33:17 UTC 
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.

References:

https://bouncycastle.org
https://github.com/bcgit/bc-java/wiki/CVE-2023-33202
Comment 1 Pedro Sampaio 2023-11-23 20:52:44 UTC 
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2251282]


Created openas2 tracking bugs for this issue:

Affects: fedora-all [bug 2251283]
Comment 2 Pedro Sampaio 2023-11-23 20:56:51 UTC 
Created apache-sshd tracking bugs for this issue:

Affects: fedora-all [bug 2251284]
Comment 5 Vipul Nair 2024-01-08 11:43:44 UTC 
after scouring the codebase,i don't see how satellite could possibly be affected by this vulnerability, marking this as not affected.
Comment 13 errata-xmlrpc 2024-05-30 20:25:30 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.7.0

Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527