Bug 2293028 (CVE-2024-29857)

Summary: CVE-2024-29857 org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, anstephe, arnavarr, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dkreling, dosoudil, dpalmer, drichtar, eaguilar, ebaron, fjuma, fmariani, fmongiar, gmalinko, gsmet, hamadhan, istudens, ivassile, iweiss, janstey, jkang, jkoops, jmartisk, jnethert, jolong, jpallich, jpoth, jross, jscholz, lgao, lthon, manderse, max.andersen, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rkieley, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdouglas, sfroberg, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: BC Java 1.78 Doc Type: ---
Doc Text:
A vulnerability was found in Bouncy Castle. An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java). Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2293027    

Description Patrick Del Bello 2024-06-19 03:36:37 UTC 
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857
https://www.bouncycastle.org/latest_releases.html
Comment 2 errata-xmlrpc 2024-07-02 16:24:04 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2024:4271 https://access.redhat.com/errata/RHSA-2024:4271
Comment 3 errata-xmlrpc 2024-07-08 14:13:09 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.8.5

Via RHSA-2024:4326 https://access.redhat.com/errata/RHSA-2024:4326
Comment 4 errata-xmlrpc 2024-07-11 12:28:31 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.4 for Quarkus 3.8

Via RHSA-2024:4505 https://access.redhat.com/errata/RHSA-2024:4505
Comment 6 errata-xmlrpc 2024-07-25 19:26:37 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.1 for Spring Boot

Via RHSA-2024:4884 https://access.redhat.com/errata/RHSA-2024:4884
Comment 7 errata-xmlrpc 2024-08-08 17:22:25 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:5145 https://access.redhat.com/errata/RHSA-2024:5145
Comment 8 errata-xmlrpc 2024-08-08 17:23:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:5143 https://access.redhat.com/errata/RHSA-2024:5143
Comment 9 errata-xmlrpc 2024-08-08 17:24:10 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:5144 https://access.redhat.com/errata/RHSA-2024:5144
Comment 10 errata-xmlrpc 2024-08-08 17:25:08 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:5147 https://access.redhat.com/errata/RHSA-2024:5147
Comment 11 errata-xmlrpc 2024-08-15 20:07:16 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:5482 https://access.redhat.com/errata/RHSA-2024:5482
Comment 12 errata-xmlrpc 2024-08-15 20:09:08 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:5479 https://access.redhat.com/errata/RHSA-2024:5479
Comment 13 errata-xmlrpc 2024-08-15 20:09:26 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:5481 https://access.redhat.com/errata/RHSA-2024:5481