CVE-2023-33202
Denial of Service (DoS) vulnerability in bcprov-ext-jdk16 (Maven)
What is CVE-2023-33202 About?
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue in its `PEMParser` class. Parsing specially crafted ASN.1 data embedded in a PEM encoded stream can cause an `OutOfMemoryError`, leading to a denial of service. This lets an attacker halt the application by supplying malicious input.
Affected Software
- org.bouncycastle:bcprov-ext-jdk16 (<1.73)
- org.bouncycastle:bcprov-jdk14 (<1.73)
- org.bouncycastle:bcprov-jdk15 (<1.73)
- org.bouncycastle:bcprov-jdk15to18 (<1.73)
- org.bouncycastle:bcprov-jdk16 (<1.73)
- org.bouncycastle:bcpkix-jdk18on (<1.73)
- org.bouncycastle:bcprov-ext-jdk15on (<1.73)
- org.bouncycastle:bcprov-jdk18on (<1.73)
Technical Details
The Bouncy Castle for Java library, specifically its `org.bouncycastle.openssl.PEMParser` class in versions prior to 1.73, is vulnerable to a Denial of Service (DoS) attack. `PEMParser` parses OpenSSL PEM encoded streams, which can contain various cryptographic objects such as X.509 certificates and PKCS8 keys. The vulnerability arises when the parser processes a PEM stream containing specially crafted ASN.1 data. This malformed ASN.1 data can lead to excessive memory allocation or an infinite loop during parsing, ultimately causing a `java.lang.OutOfMemoryError`. The resulting memory exhaustion crashes the application or leaves it unresponsive, denying service to legitimate users.
What is the Impact of CVE-2023-33202?
Successful exploitation may allow attackers to cause applications to consume excessive memory, leading to an `OutOfMemoryError` and subsequently a denial of service, rendering cryptographic services or dependent applications unavailable.
What is the Exploitability of CVE-2023-33202?
Exploitation of this DoS vulnerability is of low to medium complexity: the attacker must supply a specially crafted PEM encoded stream containing malicious ASN.1 data to an application that uses `PEMParser`. There are no explicit authentication or privilege requirements to trigger the vulnerability, since it relies on the application processing untrusted cryptographic input. It can be exploited remotely if the application accepts PEM data from external, untrusted sources over a network. The primary prerequisite is that the application uses an affected Bouncy Castle version and processes external PEM files or streams. Systems at greatest risk are those that parse untrusted cryptographic input (e.g., certificates received from unknown sources) without sufficient input validation or resource limits.
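The resource limit mentioned above can be applied in front of `PEMParser` itself. The following is an added example, not code from the Bouncy Castle project, showing a `Reader` wrapper that caps how many characters untrusted input may feed into the parser; the class names `BoundedPemParsing` and `BoundedReader` and the 64 KiB cap are assumptions chosen for illustration. The cap bounds the attacker-controlled input handed to the parser, but it is defense in depth only: the fix for this CVE is upgrading to Bouncy Castle 1.73.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import org.bouncycastle.openssl.PEMParser;

/**
 * Added example (not Bouncy Castle's own code): parse untrusted PEM input
 * through a size-capped Reader so an oversized stream is rejected before
 * PEMParser can allocate memory for it. Class and method names are assumed.
 */
public final class BoundedPemParsing {

    /** Reader that fails once more than maxChars have been consumed. */
    static final class BoundedReader extends Reader {
        private final Reader in;
        private final long maxChars;
        private long consumed;

        BoundedReader(Reader in, long maxChars) {
            this.in = in;
            this.maxChars = maxChars;
        }

        @Override
        public int read(char[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0) {
                consumed += n;
                if (consumed > maxChars) {
                    // Abort instead of letting an unbounded stream reach the parser.
                    throw new IOException("PEM input exceeds " + maxChars + " characters");
                }
            }
            return n;
        }

        @Override
        public void close() throws IOException {
            in.close();
        }
    }

    /**
     * Parses the first PEM object from untrusted input with a character cap.
     * Returns null when the stream contains no PEM object; throws IOException
     * on malformed input or when the cap is exceeded.
     */
    public static Object parseFirstObject(Reader untrusted, long maxChars) throws IOException {
        // PEMParser is Closeable; try-with-resources releases the underlying Reader.
        try (PEMParser parser = new PEMParser(new BoundedReader(untrusted, maxChars))) {
            return parser.readObject();
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: BoundedPemParsing <file.pem>");
            return;
        }
        // 64 KiB is an assumed cap; size it to the largest legitimate object you expect.
        long maxChars = 64L * 1024;
        try (Reader in = Files.newBufferedReader(Path.of(args[0]))) {
            Object obj = parseFirstObject(in, maxChars);
            System.out.println(obj == null ? "no PEM object found" : obj.getClass().getName());
        }
    }
}
```

Pair the cap with the upgrade, not instead of it: a small but malformed ASN.1 payload is still handled by whatever `PEMParser` version is on the classpath, and only 1.73 or later contains the fix. Checking `mvn dependency:tree` for any of the artifacts listed under Affected Software below 1.73 is the quickest way to confirm exposure.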
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-33202?
Available Upgrade Options
- org.bouncycastle:bcprov-jdk14 (<1.73) → Upgrade to 1.73
- org.bouncycastle:bcprov-ext-jdk15on (<1.73) → Upgrade to 1.73
- org.bouncycastle:bcprov-jdk15to18 (<1.73) → Upgrade to 1.73
- org.bouncycastle:bcpkix-jdk18on (<1.73) → Upgrade to 1.73
- org.bouncycastle:bcprov-jdk15 (<1.73) → Upgrade to 1.73
- org.bouncycastle:bcprov-jdk18on (<1.73) → Upgrade to 1.73
- org.bouncycastle:bcprov-jdk16 (<1.73) → Upgrade to 1.73
- org.bouncycastle:bcprov-ext-jdk16 (<1.73) → Upgrade to 1.73
Additional Resources
- https://security.netapp.com/advisory/ntap-20240125-0001
- https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c
- https://github.com/bcgit/bc-java/wiki/CVE-2023-33202
- https://github.com/bcgit/bc-java
- https://nvd.nist.gov/vuln/detail/CVE-2023-33202
- https://bouncycastle.org
- https://osv.dev/vulnerability/GHSA-wjxj-5m7g-mg7q
What are Similar Vulnerabilities to CVE-2023-33202?
Similar Vulnerabilities: CVE-2023-43642, CVE-2023-34454, CVE-2023-30798, CVE-2022-21448, CVE-2021-35515
