What is the severity of CVE-2024-29857?

CVE-2024-29857 is classified as a security vulnerability that can lead to excessive CPU consumption.

How do I fix CVE-2024-29857?

To fix CVE-2024-29857, upgrade Bouncy Castle Java to version 1.78 or later, or for .NET versions, upgrade to BouncyCastle.Cryptography version 2.3.1 or later.

Which versions of Bouncy Castle are affected by CVE-2024-29857?

CVE-2024-29857 affects Bouncy Castle Java before version 1.78, BC-FJA before version 1.0.2.5, and Bouncy Castle C# .Net before version 2.3.1.

What products are impacted by CVE-2024-29857?

CVE-2024-29857 impacts Bouncy Castle libraries in several frameworks including Java, .NET, and specific IBM products like Security Verify Governance.

Is there a workaround for CVE-2024-29857?

There is no documented workaround for CVE-2024-29857; upgrading to the latest versions is the recommended action.

Vulnerability/
CVE-2024-29857

high

7.5

CWE

400 20 125

1/1/1970

14/5/2024

26/2/2025

CVE-2024-29857: Input Validation

First published: Tue May 14 2024(Updated: )

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/BC Java	<1.78	1.78
nuget/BouncyCastle.Cryptography	<2.3.1	2.3.1
nuget/BouncyCastle	<2.3.1
maven/org.bouncycastle:bc-fips	<1.0.2.5	1.0.2.5
maven/org.bouncycastle:bctls-jdk15to18	<1.78	1.78
maven/org.bouncycastle:bctls-jdk14	<1.78	1.78
maven/org.bouncycastle:bctls-jdk18on	<1.78	1.78
maven/org.bouncycastle:bcprov-jdk14	<1.78	1.78
maven/org.bouncycastle:bcprov-jdk15to18	<1.78	1.78
maven/org.bouncycastle:bcprov-jdk15on	<1.78	1.78
maven/org.bouncycastle:bcprov-jdk18on	<1.78	1.78

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7182403

Frequently Asked Questions

What is the severity of CVE-2024-29857?
CVE-2024-29857 is classified as a security vulnerability that can lead to excessive CPU consumption.
How do I fix CVE-2024-29857?
To fix CVE-2024-29857, upgrade Bouncy Castle Java to version 1.78 or later, or for .NET versions, upgrade to BouncyCastle.Cryptography version 2.3.1 or later.
Which versions of Bouncy Castle are affected by CVE-2024-29857?
CVE-2024-29857 affects Bouncy Castle Java before version 1.78, BC-FJA before version 1.0.2.5, and Bouncy Castle C# .Net before version 2.3.1.
What products are impacted by CVE-2024-29857?
CVE-2024-29857 impacts Bouncy Castle libraries in several frameworks including Java, .NET, and specific IBM products like Security Verify Governance.
Is there a workaround for CVE-2024-29857?
There is no documented workaround for CVE-2024-29857; upgrading to the latest versions is the recommended action.

agent/type
agent/first-publish-date
agent/author
agent/description
agent/weakness
agent/severity
collector/mitre-cve
source/MITRE
collector/github-advisory-latest
source/GitHub
alias/GHSA-8xfc-gm6g-vgpv
alias/CVE-2024-29857
agent/software-canonical-lookup
collector/nvd-api
source/NVD
collector/nvd-cve
collector/github-advisory
agent/trending
agent/source
collector/ibm-support
source/IBM
agent/references
agent/last-modified-date
agent/softwarecombine
agent/tags
agent/event
collector/redhat-bugzilla
source/Red Hat
package-manager/nuget
package-manager/maven
package-manager/redhat