
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. The vulnerability is tracked as CVE-2024-29857 and was disclosed in May 2024. The issue affects all Java Virtual Machines (JVMs) and Common Language Runtimes (CLRs) that use the affected versions of Bouncy Castle (BC Java Wiki, BC CSharp Wiki).
The vulnerability stems from the lack of a maximum bounds check in the F2m curve constructor. When an X509 certificate with crafted F2m parameters is processed, evaluating the curve parameters can consume excessive CPU. The issue specifically affects applications that allow the import of F2m curves with arbitrary parameter sets, or that allow the import of arbitrary code that might invoke the problematic F2m constructor (BC Java Wiki). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Atlassian Security).
Successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition through excessive CPU consumption when processing specially crafted certificates. The vulnerability primarily affects the availability of systems processing F2m curve parameters (NetApp Security).
For applications that must accept explicit F2m parameters, it is possible to avoid this issue by checking that the m value for the F2m parameter set is less than 1142, which is currently twice the maximum size in the named F2m parameter sets. The permanent fix has been implemented in BC Java 1.78, BC Java LTS 2.73.6, BC-FJA 1.0.2.5, and BC C# .NET 2.3.1. Organizations are advised to upgrade to these or later versions (BC Java Wiki).
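The pre-check described above, written as an added example that is not Bouncy Castle's own code: it walks the raw ASN.1 of a DER certificate and rejects an explicit characteristic-two field whose m is not below 1142 before any ECCurve is built, since X9ECParameters.getInstance() would construct the curve while parsing. The class and method names are hypothetical, and the m > 0 sanity check is an addition beyond the advisory's bound.

```java
import java.math.BigInteger;
import java.security.cert.CertificateException;

import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x9.X962Parameters;
import org.bouncycastle.asn1.x9.X9FieldID;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;

/** Hypothetical helper class; not part of Bouncy Castle. */
public final class F2mParameterGuard {

    /** Bound from the BC advisory: twice the largest m among the named F2m curves. */
    static final BigInteger MAX_M_EXCLUSIVE = BigInteger.valueOf(1142);

    /**
     * Inspects only the ASN.1 layer of a DER-encoded certificate, so no
     * ECCurve.F2m is constructed here. Throws if the subject key uses explicit
     * characteristic-two parameters with m outside (0, 1142).
     */
    public static void rejectOversizedF2m(byte[] certDer) throws CertificateException {
        Certificate cert = Certificate.getInstance(certDer);
        AlgorithmIdentifier algId = cert.getSubjectPublicKeyInfo().getAlgorithm();
        if (!X9ObjectIdentifiers.id_ecPublicKey.equals(algId.getAlgorithm())
                || algId.getParameters() == null) {
            return; // not an EC key: nothing to bound
        }
        X962Parameters x962 = X962Parameters.getInstance(algId.getParameters().toASN1Primitive());
        if (x962.isNamedCurve() || x962.isImplicitlyCA()) {
            return; // named curves carry no caller-supplied field parameters
        }
        // ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor OPTIONAL }
        ASN1Sequence ecParams = ASN1Sequence.getInstance(x962.getParameters());
        X9FieldID fieldId = X9FieldID.getInstance(ecParams.getObjectAt(1));
        if (!X9ObjectIdentifiers.characteristic_two_field.equals(fieldId.getIdentifier())) {
            return; // prime field: not affected by this issue
        }
        // Characteristic-two ::= SEQUENCE { m INTEGER, basis OBJECT IDENTIFIER, parameters ANY }
        ASN1Sequence charTwo = ASN1Sequence.getInstance(fieldId.getParameters());
        BigInteger m = ASN1Integer.getInstance(charTwo.getObjectAt(0)).getValue();
        if (m.signum() <= 0 || m.compareTo(MAX_M_EXCLUSIVE) >= 0) {
            throw new CertificateException(
                "explicit F2m curve with m=" + m + " rejected (bound " + MAX_M_EXCLUSIVE + ")");
        }
    }
}
```

Call rejectOversizedF2m() on the certificate bytes before handing them to a CertificateFactory or any BC API that parses the public key, so the bound is enforced ahead of curve construction.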
Multiple major organizations have acknowledged and responded to this vulnerability. Red Hat has included fixes in their security updates for JBoss Enterprise Application Platform and Apache Camel for Spring Boot (Red Hat Advisory). Atlassian has addressed the vulnerability in their September 2024 Security Bulletin for various products (Atlassian Security).
Source: This report was generated using AI