resolution for high severity CVE-2024-29857 and bc-fips #1635
Comments
benken-parasoft
changed the title
|
We haven't been able to update the CVE entry. Apparently Mitre is having a few issues. That said, we have a patch release called 1.0.2.5 that deals with this, but yes 1.0.2.4 is affected by this. Apologies for the suddenness of the report. You can also work around it by not allowing the import of explicit EC F2m curve parameters. Any further questions, please let me know. PS. If you have a support contract, the jar is available under that. In view of the, erm..., pro-active approach taken by OWASP, I'll speak to the lab about releasing early. I believe everything's been submitted, it's just taking time again, but the jar has not been added to the certificate yet. |
|
Thank you for trying to get this released early! Having early access sounds great for those who can do that. Otherwise, do you have any guess what the turn around looks like for those getting bc-fips from Maven Central? Does "releasing early" mean something might be available in a week or could this be much longer? The current state of things causes quite a bit of difficulty for both developers and end users. As a developer, I could switch my application to use standard bcprov (non-FIPS) because it gets updated more quickly. However, if an end user requires FIPS then perhaps I tell them to swap out the Bouncy Castle jars with the FIPS version? The problem is that this puts the end user in the same predicament, where they need early access or they accept the risk of using a jar with a high severity CVE. Not sure if this is related to version 1.0.2.5 but I also noticed a couple Bouncy Castle entries in the CMVP in-process-list. This is just me guessing if there is some external visibility as to when 1.0.2.5 might be ready for release. |
|
I've just published bc-fips-1.0.2.5 to Maven Central, it should also be appearing on bouncycastle.org shortly. About CVE-2024-29857, we still haven't heard back from Mitre and no formal review has been done that I am aware of. What the CVE will say when it is published is that the vulnerability is only exploitable where:
Where people have followed the rules such as for TLS, of only allowing named parameter sets, this vulnerability does not apply. If you must accept explicit F2m parameters it is also possible to avoid this issue by checking that the m value for the F2m parameter set is less than 1142, currently twice the maximum size in the named F2m parameter sets (naturally you may wish to tweak this if you've defined your own curves, but I guess you'll work that out). To be frank, I'm not really sure I would agree with the way this is currently been described in OWASP, although given the lack of public information available at the time they published, I can see why they would have erred on the side of caution. The only real vector of importation we're aware of is X.509 certificates and it has been a tradition for a while now to not allow explicit parameter sets. Finally, one important note about BC-FJA 1.0.2.5: BC-FJA 1.0.2.5 is not currently certified. However, it has been in the submission process for a while now and if you wish to deploy it early in a FIPS environment and need a letter of attestation it is possible to get one through the BC support program. In addition, the Maven POM lists BC-FJA 1.0.2.5 as being against Certificate #4616 - while we still believe this will be the case, the CMVP have the final say on how they wish to handle this, so the certificate number may wind up being different. |
I believe we are now just waiting on this. OWASP tooling is now flagging bc-fips 1.0.2.5 with the same CVE. |
|
I would strongly recommend getting in touch with the tool vendor. There is nothing published in the NVD about this CVE, the fact they've raised it can only be on the basis of what we published. I would point them at this github issue, the current FIPS release notes at: https://www.bouncycastle.org/fips-java/RELEASE_NOTES.md As well as the source code for the module which is available at: https://downloads.bouncycastle.org/fips-java/bc-fips-1.0.2.5-sources.jar Given how they started flagging this, it would be quite inappropriate for them to be ignoring us as the source of the fix version. While I'd guess your assumption that their internal systems are waiting on the NVD to publish a fix version is correct, if they're willing to override the NVD to publish the CVE ID early, I would expect they will agree that they should also release details of the fix version early when they are available from a credible source, particularly when it's the same place they got the original details from. I don't know how long it will take for everything to be sorted out at Mitre, we've waited 4 weeks for just a CVE allocation at this point. It seems they've really got some problems to deal with. The tool vendor is welcome to get in touch with us if they need any further clarification. |
|
Some progress. Sonatype is no longer flagging 1.0.2.5 as having CVE 2024-29857 on it. See: |
|
Are these the fixes for the CVE (CVE-2024-29857)? |
|
Yes, really just the second one. The CVE has finally been written up at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857 |
|
The https://www.bouncycastle.org/fips-java/RELEASE_NOTES.md link returns 404. |
Both OWASP Dependency-Check and OWASP Dependency-Track have been reporting "CVE-2024-29857" against "bc-fips". They link to detail here:
https://ossindex.sonatype.org/vulnerability/CVE-2024-29857?component-type=maven&component-name=org.bouncycastle%2Fbc-fips
I do see this CVE mentioned in the release notes:
https://www.bouncycastle.org/releasenotes.html
However, I only see an updated release of "bcprov" but not "bc-fips".
The text was updated successfully, but these errors were encountered: