{ "threat_severity" : "Moderate", "public_date" : "2023-06-16T00:00:00Z", "bugzilla" : { "description" : "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", "id" : "2215465", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2215465" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-200", "details" : [ "Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.", "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user." ], "affected_release" : [ { "product_name" : "AMQ Broker 7.11.5", "release_date" : "2024-01-17T00:00:00Z", "advisory" : "RHSA-2024:0278", "cpe" : "cpe:/a:redhat:amq_broker:7.11", "package" : "bouncycastle" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2023-12-06T00:00:00Z", "advisory" : "RHSA-2023:7669", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-2" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2023-12-06T00:00:00Z", "advisory" : "RHSA-2023:7669", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-operator-bundle:2.4.0-2" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2023-12-06T00:00:00Z", "advisory" : "RHSA-2023:7669", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-2" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2023-12-06T00:00:00Z", "advisory" : "RHSA-2023:7669", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-rhel8:2.4.0-2" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2023-12-06T00:00:00Z", "advisory" : "RHSA-2023:7669", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-3" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2023-12-06T00:00:00Z", "advisory" : "RHSA-2023:7669", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-2" }, { "product_name" : "Red Hat AMQ Streams 2.5.0", "release_date" : "2023-09-14T00:00:00Z", "advisory" : "RHSA-2023:5165", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "Red Hat AMQ Streams 2.6.0", "release_date" : "2023-12-06T00:00:00Z", "advisory" : "RHSA-2023:7678", "cpe" : "cpe:/a:redhat:amq_streams:2", "package" : "bouncycastle" }, { "product_name" : "Red Hat AMQ Streams 2.7.0", "release_date" : "2024-05-30T00:00:00Z", "advisory" : "RHSA-2024:3527", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "Red Hat Fuse 7.12", "release_date" : "2023-06-29T00:00:00Z", "advisory" : "RHSA-2023:3954", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "bouncycastle" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5488", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "bouncycastle" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date" : "2023-10-06T00:00:00Z", "advisory" : "RHSA-2023:5485", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package" : "eap7-bouncycastle-0:1.76.0-4.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date" : "2023-10-06T00:00:00Z", "advisory" : "RHSA-2023:5486", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package" : "eap7-bouncycastle-0:1.76.0-4.redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5484", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package" : "eap7-bouncycastle-0:1.76.0-4.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat Single Sign-On 7", "release_date" : "2023-11-24T00:00:00Z", "advisory" : "RHSA-2023:7488", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6.6", "package" : "bouncycastle" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2023-11-24T00:00:00Z", "advisory" : "RHSA-2023:7482", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.11-2.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2023-11-24T00:00:00Z", "advisory" : "RHSA-2023:7483", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.11-2.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2023-11-24T00:00:00Z", "advisory" : "RHSA-2023:7484", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.11-2.redhat_00001.1.el9sso" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-11-24T00:00:00Z", "advisory" : "RHSA-2023:7486", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-36" }, { "product_name" : "RHINT Camel-Springboot 3.18.3.2", "release_date" : "2023-09-13T00:00:00Z", "advisory" : "RHSA-2023:5147", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.18", "package" : "bouncycastle" }, { "product_name" : "RHPAM 7.13.5 async", "release_date" : "2024-03-18T00:00:00Z", "advisory" : "RHSA-2024:1353", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package" : "bouncycastle" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Red Hat A-MQ Online", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:amq_online:1" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Will not fix", "package_name" : "org.bouncycastle/bcprov-jdk15on", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 2", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Will not fix", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8", "impact" : "low" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Out of support scope", "package_name" : "bouncycastle", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-33201\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-33201\nhttps://github.com/bcgit/bc-java/wiki/CVE-2023-33201" ], "name" : "CVE-2023-33201", "csaw" : false }