CGA-9v29-fwrv-3vmr
Information Disclosure vulnerability in bcprov-jdk18on (Maven)
What is CGA-9v29-fwrv-3vmr About?
Bouncy Castle's `X509LDAPCertStoreSpi.java` class, prior to version 1.73, is vulnerable to information disclosure because it does not check X.500 name components for LDAP wildcard characters. An attacker can craft a self-signed certificate whose subject name is later used to build an LDAP search filter, turning certificate processing into a blind LDAP injection. Whether this is practical depends on the target LDAP directory and on how errors are reported; a successful attack can reveal sensitive directory information.
Affected Software
| Package | Affected versions |
|---|---|
| org.bouncycastle:bcprov-jdk18on | <1.74 |
| org.bouncycastle:bcprov-jdk15to18 | <1.74 |
| org.bouncycastle:bcprov-jdk14 | >1.49, <1.74 |
| org.bouncycastle:bcprov-ext-jdk14 | >1.49, <1.74 |
| org.bouncycastle:bcprov-ext-jdk15to18 | <1.74 |
| org.bouncycastle:bcprov-ext-jdk18on | <1.74 |
| org.bouncycastle:bcprov-debug-jdk14 | >1.49, <1.74 |
| org.bouncycastle:bcprov-debug-jdk15to18 | <1.74 |
| org.bouncycastle:bcprov-debug-jdk18on | <1.74 |
| org.bouncycastle:bcprov-jdk15on | >1.49, <=1.70 |
| org.bouncycastle:bcprov-ext-jdk15on | >1.49, <=1.70 |
| org.bouncycastle:bcprov-debug-jdk15on | >1.49, <=1.70 |
Technical Details
The `X509LDAPCertStoreSpi.java` class in Bouncy Castle, used for validating certificate paths via the CertPath API, did not check the X.500 name components (subject or issuer) of certificates for LDAP wildcard characters before version 1.73. An attacker can generate a self-signed certificate with a maliciously crafted subject name, such as `CN=Subject*)(objectclass=`. When this certificate is processed and its subject name is used to construct an LDAP filter (e.g., to search an LDAP directory for certificate attributes), the injected characters change the structure of the LDAP search query rather than being treated as a literal value. This enables blind LDAP injection: the attacker learns whether attributes or values exist by observing boolean outcomes (e.g., whether an error occurs or a lookup succeeds), and can use that to enumerate LDAP directory contents.
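To make the defect and its remedy concrete, the following added example (written for this page, not Bouncy Castle's code) builds the LDAP filter both the unsafe way and with RFC 4515 escaping, and includes the wildcard check the vulnerable class lacked; the `cn` attribute, the filter shape and the helper names are assumptions for illustration.

```python
import re

# RFC 4515 requires these characters to be escaped inside a filter assertion
# value; left raw, they alter the filter's structure rather than its content.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Matches one flat (attribute=value) assertion; used only to inspect results.
_ASSERTION = re.compile(r"\(([^=()]+)=([^()]*)\)")


def contains_wildcard(value: str) -> bool:
    """The check the vulnerable class lacked: does a name component carry LDAP
    filter metacharacters? A defender can reject such certificates outright."""
    return any(ch in value for ch in _ESCAPE)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value (RFC 4515, section 3)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def naive_filter(subject_cn: str) -> str:
    """Vulnerable pattern: the certificate's CN is spliced straight into the
    filter (the 'cn' attribute is an assumption for illustration)."""
    return f"(cn={subject_cn})"


def safe_filter(subject_cn: str) -> str:
    """Hardened pattern: the CN is escaped before it becomes part of the filter."""
    return f"(cn={escape_filter_value(subject_cn)})"


def assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """Split a flat filter into (attribute, value) pairs so the effect is visible:
    one pair means the value stayed data; two means it rewrote the query."""
    return _ASSERTION.findall(ldap_filter)


if __name__ == "__main__":
    # Constructed sample: the crafted subject name quoted in the advisory.
    crafted_cn = "Subject*)(objectclass="
    print("wildcard present:", contains_wildcard(crafted_cn))
    print("naive:", naive_filter(crafted_cn), assertions(naive_filter(crafted_cn)))
    print("safe: ", safe_filter(crafted_cn), assertions(safe_filter(crafted_cn)))
```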
What is the Impact of CGA-9v29-fwrv-3vmr?
Successful exploitation may allow attackers to disclose sensitive information from the LDAP directory through blind LDAP injection, potentially revealing directory structure or user attributes.
What is the Exploitability of CGA-9v29-fwrv-3vmr?
Exploitation of this Information Disclosure vulnerability can be complex, as it relies on the attacker being able to supply a specially crafted self-signed certificate that is then processed by a vulnerable application using Bouncy Castle's X509LDAPCertStoreSpi.java. While no authentication is explicitly required to create the malicious certificate, the certificate must be accepted and processed by a vulnerable system. No special privileges are mentioned beyond what is required to submit or introduce the crafted certificate into the system's certificate path validation process. This can be a remote attack if the certificate validation happens during an online interaction (e.g., TLS handshake with client certificates) or local if it involves processing a certificate file. The success of the blind LDAP injection depends heavily on the specific structure of the target LDAP directory and whether the application provides observable differences in behavior or error messages that can be leveraged for boolean-based data exfiltration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CGA-9v29-fwrv-3vmr?
Available Upgrade Options
| Package | Affected versions | Fix |
|---|---|---|
| org.bouncycastle:bcprov-debug-jdk15to18 | <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-jdk18on | <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-debug-jdk18on | <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-ext-jdk14 | >1.49, <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-ext-jdk18on | <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-jdk14 | >1.49, <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-debug-jdk14 | >1.49, <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-jdk15to18 | <1.74 | Upgrade to 1.74 |
| org.bouncycastle:bcprov-ext-jdk15to18 | <1.74 | Upgrade to 1.74 |
Additional Resources
- https://github.com/bcgit/bc-java/wiki/CVE-2023-33201
- https://github.com/bcgit/bc-java/commits/main/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java
- https://github.com/bcgit/bc-java
- https://bouncycastle.org
- https://osv.dev/vulnerability/GHSA-hr8g-6v94-x4m9
- https://bouncycastle.org/releasenotes.html#r1rv74
- https://security.netapp.com/advisory/ntap-20230824-0008
- https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html
- https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc
What are Similar Vulnerabilities to CGA-9v29-fwrv-3vmr?
Similar Vulnerabilities: CVE-2022-29969, CVE-2021-44228, CVE-2021-39230, CVE-2020-9484, CVE-2023-28952
