David Hook edited this page May 10, 2024 · 1 revision
Issue affecting: BC Java 1.72 and earlier. BC-FJA 1.0.2.3 and earlier.
Fixed versions: BC Java 1.73. BC-FJA 1.0.2.4.
Platform affected: All JVMs.
Bouncy Castle for Java 1.72 and earlier contains a potential Denial of Service (DoS) issue in the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS#8 encoded keys, and PKCS#7 objects. Feeding the PEMParser input whose PEM body contains crafted ASN.1 data causes an OutOfMemoryError, which an attacker can use to mount a denial of service attack against any application that parses untrusted PEM.
The attack can be avoided either by updating to a fixed version or by filtering PEM input that contains EXTERNAL tagged encodings before it reaches the parser. Although the issue surfaced through PEM parsing, it turned out to be a side effect of a method in the ASN.1 SET class, which is fixed in the following commit:
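The following is an added example of the filtering workaround described above; it is not code from the Bouncy Castle project. It walks the DER structure inside each PEM block and rejects any element carrying the UNIVERSAL EXTERNAL identifier (tag number 8), as well as lengths that overrun the data, before the blob is handed to a parser. The sample PEM blocks, labels, size cap and helper names (to_pem, filter_pem, is_safe_pem) are constructed for the example and assume plain base64 bodies without OpenSSL header lines such as Proc-Type.

```python
import base64
import re

# UNIVERSAL tag number 8 is EXTERNAL (X.680); in DER its identifier octet is 0x28 (constructed).
EXTERNAL_TAG_NUMBER = 8

PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


class RejectedEncoding(ValueError):
    """Raised for PEM input the pre-filter refuses to pass on to a real parser."""


def _read_tlv(der, pos):
    """Decode one DER identifier and length at pos.

    Returns (tag_class, constructed, tag_number, value_start, value_end)."""
    if pos >= len(der):
        raise RejectedEncoding("truncated identifier")
    b = der[pos]
    tag_class, constructed, tag_number = b >> 6, bool(b & 0x20), b & 0x1F
    pos += 1
    if tag_number == 0x1F:  # high-tag-number form: base-128 continuation bytes
        tag_number = 0
        while True:
            if pos >= len(der):
                raise RejectedEncoding("truncated high tag number")
            b = der[pos]
            pos += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    if pos >= len(der):
        raise RejectedEncoding("truncated length")
    first = der[pos]
    pos += 1
    if first == 0x80:
        raise RejectedEncoding("indefinite length is not DER")
    if first & 0x80:
        n = first & 0x7F
        if n > 4 or pos + n > len(der):
            raise RejectedEncoding("unreasonable length octets")
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(der):
        # A length claiming more data than is present is exactly the kind of
        # inconsistency a lenient parser may try to allocate for.
        raise RejectedEncoding("length %d overruns input" % length)
    return tag_class, constructed, tag_number, pos, pos + length


def check_der(der, depth=0, max_depth=32):
    """Walk every TLV in der; raise RejectedEncoding on EXTERNAL tags, bad lengths or deep nesting."""
    if depth > max_depth:
        raise RejectedEncoding("nesting deeper than %d levels" % max_depth)
    pos = 0
    while pos < len(der):
        tag_class, constructed, tag_number, start, end = _read_tlv(der, pos)
        if tag_class == 0 and tag_number == EXTERNAL_TAG_NUMBER:
            raise RejectedEncoding("EXTERNAL tagged encoding at offset %d" % pos)
        if constructed:  # SEQUENCE, SET, explicit [n] tags: look inside for EXTERNAL
            check_der(der[start:end], depth + 1, max_depth)
        pos = end


def filter_pem(text, max_bytes=64 * 1024):
    """Return [(label, der_bytes), ...] for PEM input that passes the checks; raise otherwise."""
    if len(text) > max_bytes:  # assumed cap; a hard upper bound is the cheapest DoS defence
        raise RejectedEncoding("PEM input exceeds %d bytes" % max_bytes)
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as e:
            raise RejectedEncoding("bad base64 in %s block" % label) from e
        check_der(der)
        blocks.append((label, der))
    if not blocks:
        raise RejectedEncoding("no PEM block found")
    return blocks


def is_safe_pem(text):
    """Boolean convenience wrapper around filter_pem for use as a gate in front of PEMParser."""
    try:
        filter_pem(text)
        return True
    except RejectedEncoding:
        return False


def to_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines (constructed test data helper)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample DER (not taken from the advisory):
CLEAN_DER = bytes.fromhex("3003020105")        # SEQUENCE { INTEGER 5 }
EXTERNAL_DER = bytes.fromhex("30052803020105")  # SEQUENCE { EXTERNAL { INTEGER 5 } }
TRUNCATED_DER = bytes.fromhex("3005020105")     # SEQUENCE claims 5 bytes but carries 3

if __name__ == "__main__":
    for name, der in (("clean", CLEAN_DER), ("external", EXTERNAL_DER), ("truncated", TRUNCATED_DER)):
        print(name, "accepted" if is_safe_pem(to_pem("TEST", der)) else "rejected")
```

This is a gate, not a fix: the walk only recognises elements that carry the universal EXTERNAL identifier, so an implicitly tagged EXTERNAL (which is encoded under a context-specific tag) is invisible to it without schema knowledge. Upgrading to BC Java 1.73 or BC-FJA 1.0.2.4 remains the real remedy; the filter buys time for deployments that cannot upgrade immediately.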