{ "threat_severity" : "Moderate", "public_date" : "2023-11-23T00:00:00Z", "bugzilla" : { "description" : "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", "id" : "2251281", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2251281" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)", "A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack." ], "affected_release" : [ { "product_name" : "Red Hat AMQ Streams 2.7.0", "release_date" : "2024-05-30T00:00:00Z", "advisory" : "RHSA-2024:3527", "cpe" : "cpe:/a:redhat:amq_streams:2" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Under investigation", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Under investigation", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Will not fix", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Will not fix", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "org.bouncycastle/bcpkix-jdk15on", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "org.bouncycastle/bcpkix-jdk15on", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Will not fix", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "log4j:2/log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 2", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Will not fix", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_2-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_3-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_4-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_5-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite-capsule:el8/puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Not affected", "package_name" : "apache-sshd", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Will not fix", "package_name" : "bcpkix", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-33202\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-33202\nhttps://github.com/bcgit/bc-java/wiki/CVE-2023-33202" ], "name" : "CVE-2023-33202", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }