David Hook edited this page Aug 16, 2025 · 5 revisions
Possible DoS in processing specially formed ASN.1 Object Identifiers
Issue affecting: BC Java 1.00 to 1.77, BC-FJA 1.0.0 to BC-FJA 1.0.2.5, BC-FJA 2.0.0
Fixed versions: BC Java 1.78, BC-FJA 1.0.2.6, BC-FJA 2.0.1
Platform affected: All JVMs.
Creation of ASN.1 OIDs from encodings was uncapped, other than by the maximum size of an ASN1Object. While, strictly speaking, this is valid, it could be used for a DoS attack. Following the practice of other providers, we have adopted a limit of 4096 bytes on the size of an encoded identifier and a cap of 16385 characters on an identifier string.
The issue does not apply to applications which do not consume unvetted, or otherwise unvalidated, ASN.1 encodings. It can be mitigated by placing a cap on the size of ASN.1 encodings that can be consumed from external sources in the wild, or by introducing some form of validation for such objects.
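As an added illustration of the mitigation described above (this is not Bouncy Castle code), the following Python function reads one DER-encoded OBJECT IDENTIFIER and applies both of the caps the fix adopts, 4096 encoded bytes and 16385 characters of dotted string, before any decoding work is done; the sample encodings and the exception name are constructed for the example.

```python
MAX_OID_ENCODING = 4096   # cap on the encoded identifier, as in the fixed versions
MAX_OID_STRING = 16385    # cap on the dotted-string form, as in the fixed versions


class OidRejected(ValueError):
    """Raised when an OID encoding is malformed or exceeds the caps."""


def read_length(buf, pos):
    """Decode a DER length octet sequence at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form: single octet
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:                   # indefinite or implausibly wide length field
        raise OidRejected("unsupported length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(buf):
    """Parse a DER OBJECT IDENTIFIER, rejecting oversize input before decoding it."""
    if not buf or buf[0] != 0x06:
        raise OidRejected("not an OBJECT IDENTIFIER")
    length, pos = read_length(buf, 1)
    if length > MAX_OID_ENCODING:         # reject early: no per-byte work on huge bodies
        raise OidRejected("encoded OID exceeds %d bytes" % MAX_OID_ENCODING)
    body = buf[pos:pos + length]
    if len(body) != length or length == 0 or body[-1] & 0x80:
        raise OidRejected("truncated or malformed OID body")
    subids, value = [], 0
    for b in body:                        # base-128 subidentifiers, high bit = continue
        if value == 0 and b == 0x80:
            raise OidRejected("non-minimal subidentifier")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]                     # first two arcs are packed into one subid
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    arcs += subids[1:]
    text = ".".join(str(a) for a in arcs)
    if len(text) > MAX_OID_STRING:
        raise OidRejected("identifier string exceeds %d characters" % MAX_OID_STRING)
    return text


# Constructed samples: rsaEncryption's OID, and a 4097-byte body that must be refused.
RSA_OID_DER = bytes.fromhex("06062a864886f70d")
OVERSIZE_OID_DER = b"\x06\x82\x10\x01" + b"\x01" * 4097
```

Applying the same kind of length check at the outer TLV of any externally supplied structure, before handing it to a full decoder, is the general form of the cap the advisory recommends.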