Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

Psychic signatures vulnerability #191

Closed mooreds closed 2 years ago

mooreds commented 2 years ago

Hi folks,

Wanted to file an issue to see if this codebase was vulnerable to CVE-2022-21449.

https://nvd.nist.gov/vuln/detail/CVE-2022-21449

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

This seems to indicate that BouncyCastle is not affected: https://neilmadden.blog/2022/04/25/a-few-clarifications-about-cve-2022-21449/

and from looking through the build.gradle, it seems like BouncyCastle is the crypto library used here, but I just wanted to file this issue to check.

emlun commented 2 years ago

Hi!

No, you still need to investigate if your application is vulnerable, and you should patch your JRE either way.

The vulnerability is not in this library itself, but rather in the underlying Java platform, and unfortunately you cannot assume that downstream applications are not vulnerable just because BouncyCastle is one of the dependencies. Versions before 1.8.0 did explicitly use the BouncyCastle provider, but 1.8.0 and later only load the BouncyCastle provider but no longer specify a preference for it. Release 2.0.0 will go further and completely drop the BouncyCastle dependency.

We're not planning to add any code to the library to work around the issue, but we've added a notice about it in the 1.12.4 GitHub release and will add the same notice to the project README.
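
The provider point in the reply above can be checked on a given deployment. The following is an added example, not part of the thread and not code from java-webauthn-server: it lists the registered JCA providers in precedence order and reports which one services `SHA256withECDSA` verification when the caller states no preference. The class name `EcdsaProviderCheck` is hypothetical, and the code assumes Java 9 or later for `Runtime.version()`.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

// Added example (hypothetical class, not from java-webauthn-server):
// report which JCA provider actually performs ECDSA verification in this JVM.
public class EcdsaProviderCheck {

    // Name of the provider selected when no provider preference is given.
    static String defaultEcdsaProvider(String algorithm) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair(); // throwaway key, constructed for this check

        Signature sig = Signature.getInstance(algorithm);
        // Provider selection is delayed until a key is supplied, so initialise first.
        sig.initVerify(kp.getPublic());
        return sig.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // Compare this against the JRE vendor's advisory for CVE-2022-21449.
        System.out.println("Runtime: " + Runtime.version());

        // Providers are consulted in this order when the caller names none.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d. %s%n", i + 1, providers[i].getName());
        }

        // Being registered is not the same as being the provider that gets used.
        boolean bcRegistered = Security.getProvider("BC") != null;
        System.out.println("BouncyCastle registered: " + bcRegistered);

        String name = defaultEcdsaProvider("SHA256withECDSA");
        System.out.println("SHA256withECDSA verification provider: " + name);
        if (!"BC".equals(name)) {
            System.out.println("Verification runs in a platform provider; "
                    + "the JRE patch level decides exposure.");
        }
    }
}
```

Run it with the same JRE and classpath as the deployed application, since provider registration order depends on both.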