Bug 2279227 (CVE-2024-34447)

Summary: CVE-2024-34447 org.bouncycastle: Use of Incorrectly-Resolved Name or Reference
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: anstephe, arnavarr, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bihu, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dkreling, dosoudil, drichtar, fjuma, fmariani, gmalinko, gsmet, hamadhan, istudens, ivassile, iweiss, janstey, jcantril, jkoops, jmartisk, jpoth, lgao, lthon, manderse, max.andersen, mosmerov, mposolda, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rjohnson, rkieley, rmartinc, rojacob, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdouglas, smaestri, ssilvert, sthorger, tcunning, tom.jenkinson, tqvarnst, vmuzikar, wfink, yfang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: BC 1.78
Doc Text:
A flaw was found in Bouncy Castle Java Cryptography APIs. Affected versions of this package are vulnerable to a use of incorrectly-resolved name or reference issue when resolving domain names over an SSL socket that was created without an explicit hostname, such as in the HttpsURLConnection() function. If endpoint identification is enabled, this flaw allows an attacker to trigger hostname verification against a DNS-resolved address.
Bug Blocks: 2279228    

Description Avinash Hanwate 2024-05-06 03:30:28 UTC
An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

https://www.bouncycastle.org/latest_releases.html
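
An added example, not part of the bug report or of Bouncy Castle: a Python check that reads `mvn dependency:list` output and reports `org.bouncycastle` artifacts below the BC 1.78 fix version named in this record. The sample listing is constructed, and sending FIPS artifacts and non-numeric versions to manual review is an assumption of this example.

```python
import re

FIXED = (1, 78)  # from the bug record: "Fixed In Version: BC 1.78"

# Constructed `mvn dependency:list` output, not taken from a real project.
SAMPLE = """\
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
[INFO]    org.bouncycastle:bctls-jdk18on:jar:1.78.1:runtime
[INFO]    org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO]    org.bouncycastle:bc-fips:jar:1.0.2.4:compile
[INFO]    org.bouncycastle:bcutil-jdk18on:jar:sources:1.76:test
[INFO]    com.example:app-core:jar:2.3.0:compile
"""

def classify(artifact, version):
    """Return 'below_fix', 'ok' or 'review' for one org.bouncycastle artifact."""
    # Assumption: FIPS artifacts follow their own version line, so comparing
    # them with 1.78 is meaningless; they go to manual review.
    if "fips" in artifact:
        return "review"
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return "review"  # unresolved property or other non-numeric version
    numeric = tuple(int(p) for p in m.group().split("."))
    return "below_fix" if numeric < FIXED else "ok"

def scan(listing):
    """Return (artifact, version, status) for each Bouncy Castle dependency."""
    findings = []
    for line in listing.splitlines():
        # The coordinate is the first token; newer plugin versions may
        # append module information after it.
        tokens = line.replace("[INFO]", "").split()
        if not tokens or not tokens[0].startswith("org.bouncycastle:"):
            continue
        parts = tokens[0].split(":")
        # group:artifact:type:version:scope, optionally with a classifier
        # between type and version.
        if len(parts) not in (5, 6):
            continue
        artifact, version = parts[1], parts[-2]
        findings.append((artifact, version, classify(artifact, version)))
    return findings

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(f"{status:9} {artifact} {version}")
```

A `below_fix` result means the artifact predates BC 1.78; whether the BCJSSE code path described above is actually in use still has to be confirmed for that application.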

Comment 4 errata-xmlrpc 2024-07-02 16:23:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2024:4271 https://access.redhat.com/errata/RHSA-2024:4271

Comment 5 errata-xmlrpc 2024-07-08 14:12:58 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.8.5

Via RHSA-2024:4326 https://access.redhat.com/errata/RHSA-2024:4326