CVE-2024-34447
First published: Fri May 03 2024(Updated: )
An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.bouncycastle:bcprov-jdk12 | >=1.61<1.78 | 1.78 |
| maven/org.bouncycastle:bcprov-jdk13 | >=1.61<1.78 | 1.78 |
| maven/org.bouncycastle:bcprov-jdk15to18 | >=1.61<1.78 | 1.78 |
| maven/org.bouncycastle:bcprov-jdk18on | >=1.61<1.78 | 1.78 |
| redhat/BC | <1.78 | 1.78 |
| IBM Planning Analytics | <=2.1 | |
| IBM Planning Analytics | <=2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
- https://security.netapp.com/advisory/ntap-20240614-0007/
- https://www.bouncycastle.org/latest_releases.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-34447
- https://github.com/bcgit/bc-java/issues/1656
- https://security.netapp.com/advisory/ntap-20240614-0007
- https://github.com/advisories/GHSA-4h8f-2wvx-gg5w (Advisory)
- https://access.redhat.com/errata/RHSA-2024:4271
- https://access.redhat.com/errata/RHSA-2024:4326
- https://bugzilla.redhat.com/show_bug.cgi?id=2279227
- https://www.ibm.com/support/pages/node/7168387 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-34447?
CVE-2024-34447 has a high severity due to potential vulnerabilities in SSL socket communication when hostname verification is inadequate.
How do I fix CVE-2024-34447?
To fix CVE-2024-34447, upgrade to Bouncy Castle version 1.78 or later.
Which versions of Bouncy Castle are affected by CVE-2024-34447?
CVE-2024-34447 affects Bouncy Castle Java Cryptography APIs versions prior to 1.78.
What impact does CVE-2024-34447 have on applications?
CVE-2024-34447 may allow an attacker to perform man-in-the-middle attacks if hostname verification fails.
Is CVE-2024-34447 specific to certain software vendors?
CVE-2024-34447 affects various packages under Bouncy Castle, including those used in IBM Planning Analytics.
- agent/type
- agent/first-publish-date
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/description
- agent/trending
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4h8f-2wvx-gg5w
- alias/CVE-2024-34447
- agent/software-canonical-lookup
- agent/source
- agent/references
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/redhat-bugzilla
- source/Red Hat
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/event
- package-manager/maven
- vendor/ibm
- canonical/ibm planning analytics cloud
- version/ibm planning analytics cloud/2.1
- version/ibm planning analytics cloud/2.0
- package-manager/redhat