Bug 2387790 (CVE-2025-8885)

Summary: CVE-2025-8885 bouncycastle: Bouncy Castle denial of service parsing ASN.1 Object Identifiers
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, anstephe, anthomas, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dbruscin, dfreiber, dhanak, dkreling, dosoudil, drosa, drow, eaguilar, ebaron, ehelms, eric.wittmann, fjuma, fmariani, fmongiar, ggainey, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jkoehler, jmartisk, jmoroney, jnethert, jolong, jpechane, jpoth, jrokos, jscholz, juwatts, kvanderr, kverlaen, lgao, lphiri, lthon, manderse, mhulan, mnovotny, mosmerov, mposolda, msochure, msvehla, nipatil, nmoumoul, nwallace, olubyans, osousa, pantinor, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, redhat-bugzilla, rguimara, rkubis, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthorger, swoodman, tcunning, tmalecek, tom.jenkinson, tqvarnst, vkumar, vmuzikar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: redhat-bugzilla: needinfo? (jmoroney)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A resource exhaustion flaw has been discovered in the Bouncy Castle for Java library. The flaw exists because there was no practical limit on the size of an encoded ASN.1 Object Identifier (OID), beyond the maximum size of an ASN1Object. While technically valid, this could be exploited by an attacker to create excessively large OIDs, which would cause uncontrolled memory consumption and lead to a denial of service (DoS) attack. In following the practice of other providers, we have adopted a limit of 4096 bytes on the size of an encoded identifier and a cap of 16385 characters on an identifier string.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2388023, 2388028, 2388032, 2388033, 2388022, 2388024, 2388025, 2388026, 2388027, 2388029, 2388030, 2388031, 2388034
Bug Blocks:

Description OSIDB Bzimport 2025-08-12 10:01:24 UTC
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.java.

This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 2.0.0.

Comment 2 Robert Scheck 2025-08-12 20:02:45 UTC
Jon, why did you file a report against the pdftk-java RPM package? The security flaw is in the bouncycastle RPM package, if I am not completely mistaken…