CVE-2024-29857
Denial of Service vulnerability in bcprov-jdk18on (Maven)

Denial of Service No known exploit

What is CVE-2024-29857 About?

This vulnerability exists in Bouncy Castle Java and C# libraries, where importing an EC certificate with crafted F2m parameters can cause excessive CPU consumption. This leads to a denial of service (DoS) by making the application unresponsive. Exploitation is relatively straightforward for an attacker who can supply malignant certificate parameters.

Affected Software

  • org.bouncycastle:bcprov-jdk18on
    • <1.78
  • org.bouncycastle:bcprov-jdk15on
    • <1.78
  • org.bouncycastle:bcprov-jdk15to18
    • <1.78
  • org.bouncycastle:bcprov-jdk14
    • <1.78
  • org.bouncycastle:bctls-jdk18on
    • <1.78
  • org.bouncycastle:bctls-jdk14
    • <1.78
  • org.bouncycastle:bctls-jdk15to18
    • <1.78
  • org.bouncycastle:bc-fips
    • <1.0.2.5
  • BouncyCastle.Cryptography
    • <2.3.1

Technical Details

The vulnerability resides in the ECCurve.java and ECCurve.cs implementations across multiple Bouncy Castle versions. Specifically, when the library attempts to import an Elliptic Curve (EC) certificate that contains maliciously crafted F2m parameters, the evaluation process of these curve parameters becomes computationally expensive. This leads to an algorithmic complexity issue, causing the CPU to enter a state of high utilization and potentially an infinite loop or prolonged calculation, effectively preventing the application from processing other requests or actions. The ECCurve's internal validation or computation logic for F2m parameters is not resilient to these crafted inputs.

What is the Impact of CVE-2024-29857?

Successful exploitation may allow attackers to consume excessive CPU resources, leading to a denial of service (DoS) for the application or system using the vulnerable Bouncy Castle library.

What is the Exploitability of CVE-2024-29857?

Exploitation of this vulnerability is of moderate complexity. It requires an attacker to craft a specialized EC certificate with malicious F2m parameters and then induce a vulnerable application to import and process this certificate. This typically implies remote access is possible if the application processes untrusted certificates over a network. There are no explicit authentication or privilege requirements beyond the ability to submit a certificate for processing. Special conditions include the application's reliance on the affected Bouncy Castle versions for EC certificate processing. Risk factors include systems that automatically import or validate EC certificates from untrusted or public sources.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2024-29857?

Available Upgrade Options

  • org.bouncycastle:bcprov-jdk15on
    • <1.78 → Upgrade to 1.78
  • BouncyCastle.Cryptography
    • <2.3.1 → Upgrade to 2.3.1
  • org.bouncycastle:bcprov-jdk15to18
    • <1.78 → Upgrade to 1.78
  • org.bouncycastle:bctls-jdk18on
    • <1.78 → Upgrade to 1.78
  • org.bouncycastle:bcprov-jdk14
    • <1.78 → Upgrade to 1.78
  • org.bouncycastle:bc-fips
    • <1.0.2.5 → Upgrade to 1.0.2.5
  • org.bouncycastle:bctls-jdk14
    • <1.78 → Upgrade to 1.78
  • org.bouncycastle:bctls-jdk15to18
    • <1.78 → Upgrade to 1.78
  • org.bouncycastle:bcprov-jdk18on
    • <1.78 → Upgrade to 1.78

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2024-29857?

Similar Vulnerabilities: CVE-2023-28840 , CVE-2022-45143 , CVE-2022-21443 , CVE-2021-23646 , CVE-2020-25659

All Rights reserved 2025
Privacy Policy