You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
David Hook edited this page Aug 29, 2025
·
5 revisions
Possible DOS in processing large name constraint structures in PKIXCertPathReveiwer
Issue affecting: BC Java 1.44 to BC Java 1.78, BCPKIX FIPS 1.0.0 to BCPKIX FIPS 1.0.7, BCPKIX FIPS 2.0.0 to BCPKIX FIPS 2.0.7
Fixed versions: BC Java 1.79, BCPKIX FIPS 1.0.8, BCPKIX FIPS 2.0.8
Platform affected: All JVMs.
PKIXCertPathReviewer did not have an established limit on the size of the name constraints object. Where the class was in use this lack of a limit could be used to provide the source of a DOS attack.
For an attack to take place the PKIXCertPathReviewer class must be in use by the application under attack and the class must be consuming certificate paths of unknown origin without any form of other validation.
Limiting the size of ASN.1 objects that can be loaded from "the wild" will mitigate the risk of an exploit by automatically putting a cap on the maximum size of a Name Constraints structure that the PKIXCertPathReviewer has to consume.