
bcpkix-jdk15on vulnerability for CVE-2022-21449

prashil-g opened this issue • 1 comment

I used https://github.com/jfrog/jfrog-CVE-2022-21449 to check our microservice and found that bcpkix-jdk15on might be vulnerable. Can you please confirm which version we should upgrade to, if one is available, for this CVE?

In build/libs/<microservice>.jar/BOOT-INF/lib/bcpkix-jdk15on-1.70.jar/org/bouncycastle/eac/operator/jcajce/EACHelper.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcpkix-jdk15on-1.70.jar/org/bouncycastle/eac/operator/jcajce/JcaEACSignerBuilder.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcpkix-jdk15on-1.70.jar/org/bouncycastle/its/jcajce/JcaITSContentSigner.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcpkix-jdk15on-1.70.jar/org/bouncycastle/its/jcajce/JcaITSContentVerifierProvider.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/jjwt-0.9.1.jar/io/jsonwebtoken/SignatureAlgorithm.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcprov-jdk15on-1.70.jar/org/bouncycastle/jcajce/BCFKSLoadStoreParameter$Builder.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcprov-jdk15on-1.70.jar/org/bouncycastle/jcajce/BCFKSLoadStoreParameter$SignatureAlgorithm.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcprov-jdk15on-1.70.jar/org/bouncycastle/jcajce/provider/asymmetric/EC$Mappings.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcprov-jdk15on-1.70.jar/org/bouncycastle/jcajce/provider/asymmetric/x509/X509SignatureUtil.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcprov-jdk15on-1.70.jar/org/bouncycastle/jcajce/provider/keystore/bcfks/BcFKSKeyStoreSpi.class: potential use of ECDSA - may be vulnerable
In build/libs/<microservice>.jar/BOOT-INF/lib/bcprov-jdk15on-1.70.jar/org/bouncycastle/jce/provider/X509SignatureUtil.class: potential use of ECDSA - may be vulnerable

prashil-g, Apr 22 '22 05:04

bcpkix uses "ECDSA" from other installed cryptographic providers. It is the implementation of ECDSA within the JDK/JRE class libraries that is vulnerable (specifically the SunEC provider).

You should just update to the appropriate JDK/JRE update. Technically you should not be vulnerable anyway if you are using the BC provider, either explicitly via the API or by default with the BC provider installed at higher priority than SunEC. However, provider configurations are somewhat error-prone, so I would not risk having the broken ECDSA implementation around.

peterdettman, Apr 22 '22 06:04
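A self-check for the point made above, as an added example (not Bouncy Castle's or the JDK's own code; the class and method names are mine): it reports which installed provider actually answers a `Signature.getInstance("SHA256withECDSA")` request, and whether that provider rejects the all-zero (r = 0, s = 0) DER signature that CVE-2022-21449 is about, which an unpatched SunEC accepted as valid for any message and key. Run it on the service's own JVM, before and after applying the JDK update or raising the BC provider's priority.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.nio.charset.StandardCharsets;

public class EcdsaProviderCheck {

    // DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }: the r = 0, s = 0 signature.
    // A correct ECDSA verifier must reject it (r and s have to be in [1, n-1]).
    private static final byte[] ZERO_SIG =
            {0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00};

    // Name of the provider that serves SHA256withECDSA by default (e.g. "SunEC" or "BC").
    public static String defaultEcdsaProvider() throws Exception {
        return Signature.getInstance("SHA256withECDSA").getProvider().getName();
    }

    // True if the named provider (or the default one when providerName is null)
    // correctly rejects the all-zero signature, either by returning false or by throwing.
    public static boolean rejectsZeroSignature(String providerName) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);                       // P-256, a throwaway key pair
        KeyPair kp = kpg.generateKeyPair();
        Signature verifier = providerName == null
                ? Signature.getInstance("SHA256withECDSA")
                : Signature.getInstance("SHA256withECDSA", providerName);
        verifier.initVerify(kp.getPublic());
        verifier.update("constructed test message".getBytes(StandardCharsets.UTF_8));
        try {
            return !verifier.verify(ZERO_SIG);     // vulnerable SunEC returned true here
        } catch (SignatureException e) {
            return true;                           // rejecting by exception is also fine
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SHA256withECDSA is served by: " + defaultEcdsaProvider());
        // Check every installed provider that offers the algorithm, not just the default.
        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", "SHA256withECDSA") != null) {
                System.out.println(p.getName() + " rejects zero signature: "
                        + rejectsZeroSignature(p.getName()));
            }
        }
    }
}
```

If the BC provider is registered (e.g. via `Security.addProvider(new BouncyCastleProvider())`, or in `java.security`) it will show up in the loop; the first line tells you whether it, or SunEC, is the one bcpkix would actually use.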

Closing as now resolved.

dghgit, Nov 20 '22 21:11