CGA-xf7g-2h39-r54g
DNS Poisoning vulnerability in bcprov-jdk18on (Maven)

DNS Poisoning · No known exploit

What is CGA-xf7g-2h39-r54g About?

This vulnerability in the Bouncy Castle Crypto Package For Java allows for DNS poisoning when endpoint identification is enabled in BCJSSE and an SSL socket is created without an explicit hostname. This can lead to hostname verification against a potentially spoofed DNS-resolved IP address. Exploiting this likely requires an attacker to control DNS responses.

Affected Software

  • org.bouncycastle:bcprov-jdk18on
    • >1.61, <1.78
  • org.bouncycastle:bcprov-jdk15to18
    • >1.61, <1.78
  • org.bouncycastle:bcprov-jdk14
    • >1.61, <1.78
  • org.bouncycastle:bcprov-jdk12
    • >1.61, <1.78
  • org.bouncycastle:bctls-fips
    • <1.0.19
  • org.bouncycastle:bcprov-lts8on
    • <2.73.6

Technical Details

The vulnerability exists in the Bouncy Castle Crypto Package For Java (before BC TLS Java 1.0.19 / BC Java 1.78 / BC Java (LTS) 2.73.6). When the BCJSSE (Bouncy Castle JSSE) library is configured with endpoint identification enabled and an SSL socket is established without an explicitly provided hostname (e.g., via HttpsURLConnection), hostname verification may, in certain scenarios, be performed against the DNS-resolved IP address rather than the intended hostname. An attacker performing DNS poisoning could manipulate DNS responses to direct the connection to a malicious IP address and then present a valid certificate for the original hostname. Because the verification was incorrectly based on the (spoofed) IP, the connection could be deemed secure, leading to a man-in-the-middle attack.
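A client-side hardening of the pattern described above, added here as an example and not code from the advisory or from Bouncy Castle: it passes the intended hostname to the BCJSSE socket factory, requests HTTPS endpoint identification and SNI, and after the handshake re-checks the leaf certificate's dNSName SANs against that same hostname so the result never depends on what the resolver answered. It assumes the bctls artifact that provides BCJSSE is on the classpath and that the platform trust store is usable; the class name, method names and the example.com host are illustrative.

```java
import java.io.IOException;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public final class StrictHostnameClient {
    // Opening the socket on a DNS-resolved InetAddress (or letting a URL client do so)
    // leaves BCJSSE without a hostname, the condition the advisory describes. Here the
    // intended name goes to the factory, HTTPS endpoint identification and SNI are set,
    // and the leaf certificate is re-checked against that same name after the handshake.
    static SSLSocket strictSocket(SSLContext ctx, String host, int port) throws IOException, CertificateParsingException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        p.setServerNames(Collections.singletonList(new SNIHostName(host)));
        s.setSSLParameters(p);
        s.startHandshake();
        X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
        if (!certMatchesHost(leaf, host)) {
            s.close();
            throw new SSLPeerUnverifiedException("peer certificate does not name " + host);
        }
        return s;
    }

    // Accepts a dNSName SAN equal to host, or a single left-most wildcard label covering it
    // (*.example.com matches www.example.com but not a.b.example.com).
    static boolean certMatchesHost(X509Certificate cert, String host) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;                              // no SAN at all: fail closed
        String want = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue;    // GeneralName type 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(want)) return true;
            if (name.startsWith("*.") && want.endsWith(name.substring(1))
                    && want.indexOf('.') == want.length() - name.length() + 1) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);  // assumes bctls on the classpath
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null);                                    // platform default trust store
        try (SSLSocket s = strictSocket(ctx, "example.com", 443)) {
            System.out.println("verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The post-handshake check is defence in depth for code that cannot control how its sockets are created; upgrading to the fixed versions listed in the Fixes section is the actual remediation.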

What is the Impact of CGA-xf7g-2h39-r54g?

Successful exploitation may allow attackers to perform DNS poisoning, leading to man-in-the-middle attacks, unauthorized interception or manipulation of sensitive communications, and impersonation of legitimate services.

What is the Exploitability of CGA-xf7g-2h39-r54g?

Exploitation of this vulnerability is of moderate to high complexity. It requires an attacker to be in a position to perform DNS poisoning, meaning they must be able to intercept or alter DNS responses, typically through control of a local network, a rogue DNS server, or by exploiting other DNS weaknesses. No authentication to the target application is directly required for the DNS poisoning itself, but the application must be using affected versions of Bouncy Castle and making SSL connections without explicitly specifying hostnames for verification. This is a remote exploitation scenario. The critical preconditions are the ability to spoof DNS responses and the specific configuration of the BCJSSE client. The likelihood of exploitation increases in environments with weaker DNS security or where applications frequently establish SSL connections to IP addresses without explicit hostname validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CGA-xf7g-2h39-r54g?

Available Upgrade Options

  • org.bouncycastle:bcprov-lts8on
    • <2.73.6 → Upgrade to 2.73.6
  • org.bouncycastle:bctls-fips
    • <1.0.19 → Upgrade to 1.0.19
  • org.bouncycastle:bcprov-jdk14
    • >1.61, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bcprov-jdk18on
    • >1.61, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bcprov-jdk15to18
    • >1.61, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bcprov-jdk12
    • >1.61, <1.78 → Upgrade to 1.78


Additional Resources

What are Similar Vulnerabilities to CGA-xf7g-2h39-r54g?

Similar Vulnerabilities: CVE-2023-38545, CVE-2022-38144, CVE-2021-36190, CVE-2018-1000635, CVE-2017-1000381