rogermb
commented
3 months ago Hi @qeinz
Both of these CVEs are in the version of bouncycastle that sshj pulls in, but it looks like there's not much to worry about here:
-
CVE-2023-33201:
[...] The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. [...]
We don't use anything related to LDAP, so we're not affected here.
-
CVE-2023-33202:
This CVE states that it's possible to cause an OutOfMemoryError if you parse a specially-crafted certificate. So it's not even a real security vulnerability, just a possible denial-of-service, and that would only be possible if you're connecting to untrusted TeamSpeak servers using SSH, which you're probably not doing anyway.
I think it's okay to ignore these 2 CVEs for now. I do want to update sshj to a newer version and release a new version of the TS3 API some time soon, but it looks like the current version of sshj, 0.38.0, still uses a version of bouncycastle that has some CVEs in it. Thus, I think it's better if we wait for 0.39.0 to be released, which should ship with clean bouncycastle dependencies 😄
(And yes, I do know that I could just version-manage the bouncycastle dependencies, but I really don't want to bother if there's no real reason for it)
qeinz
any fixes?