Bug 2256406 (CVE-2022-45146) - CVE-2022-45146 bouncy-castle: Improper Authentication
Summary: CVE-2022-45146 bouncy-castle: Improper Authentication
Keywords:
Status: NEW
Alias: CVE-2022-45146
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2256407
TreeView+ depends on / blocked
 
Reported: 2024-01-02 05:22 UTC by Avinash Hanwate
Modified: 2024-01-29 14:20 UTC (History)
52 users (show)

Fixed In Version: org.bouncycastle-bc-fips 1.0.2.4
Doc Type: ---
Doc Text:
A flaw was found in the FIPS Java API of Bouncy Castle BC-FJA. Affected versions of this package are vulnerable to Improper Authentication. Changes to the JVM garbage collector in Java 13 and later can trigger an issue in the BC-FJA FIPS modules, where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Avinash Hanwate 2024-01-02 05:22:33 UTC 
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS-compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.

https://www.bouncycastle.org/latest_releases.html
https://github.com/bcgit/bc-java/wiki/CVE-2022-45146
Note You need to log in before you can comment on or make changes to this bug.