Bug 2251281 (CVE-2023-33202) - CVE-2023-33202 bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class [NEEDINFO]
Summary: CVE-2023-33202 bc-java: Out of memory while parsing ASN.1 crafted data in org...
Keywords:
Status: NEW
Alias: CVE-2023-33202
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2251282 2251283 2251284 2251285
Blocks: 2251287
Reported: 2023-11-23 20:33 UTC by Pedro Sampaio
Modified: 2024-04-06 12:04 UTC (History)

Fixed In Version: bc-java 1.73
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Bouncy Castle for Java pkix module: a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that contains crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.
Clone Of:
Environment:
Last Closed:
Embargoed:
aogburn: needinfo? (sabiswas)



Description Pedro Sampaio 2023-11-23 20:33:17 UTC
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.

References:

https://bouncycastle.org
https://github.com/bcgit/bc-java/wiki/CVE-2023-33202

Comment 1 Pedro Sampaio 2023-11-23 20:52:44 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2251282]


Created openas2 tracking bugs for this issue:

Affects: fedora-all [bug 2251283]

Comment 2 Pedro Sampaio 2023-11-23 20:56:51 UTC
Created apache-sshd tracking bugs for this issue:

Affects: fedora-all [bug 2251284]

Comment 5 Vipul Nair 2024-01-08 11:43:44 UTC
After scouring the codebase, I don't see how Satellite could possibly be affected by this vulnerability; marking this as not affected.

