CVE-2024-34447
First published: Fri May 03 2024(Updated: )
An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.bouncycastle:bcprov-jdk12 | >=1.61<1.78 | 1.78 |
| maven/org.bouncycastle:bcprov-jdk13 | >=1.61<1.78 | 1.78 |
| maven/org.bouncycastle:bcprov-jdk15to18 | >=1.61<1.78 | 1.78 |
| maven/org.bouncycastle:bcprov-jdk18on | >=1.61<1.78 | 1.78 |
| redhat/BC | <1.78 | 1.78 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
- https://security.netapp.com/advisory/ntap-20240614-0007/
- https://www.bouncycastle.org/latest_releases.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-34447
- https://github.com/bcgit/bc-java/issues/1656
- https://security.netapp.com/advisory/ntap-20240614-0007
- https://github.com/advisories/GHSA-4h8f-2wvx-gg5w (Advisory)
- https://access.redhat.com/errata/RHSA-2024:4271
- https://access.redhat.com/errata/RHSA-2024:4326
- https://bugzilla.redhat.com/show_bug.cgi?id=2279227
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
- agent/type
- agent/first-publish-date
- agent/event
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4h8f-2wvx-gg5w
- alias/CVE-2024-34447
- agent/software-canonical-lookup
- collector/nvd-cve
- collector/github-advisory
- agent/severity
- agent/description
- agent/softwarecombine
- agent/references
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- package-manager/maven
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4