bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License

resolution for high severity CVE-2024-29857 and bc-fips #1635

Open benken-parasoft opened 7 months ago

benken-parasoft commented 7 months ago

Both OWASP Dependency-Check and OWASP Dependency-Track have been reporting "CVE-2024-29857" against "bc-fips". They link to detail here: https://ossindex.sonatype.org/vulnerability/CVE-2024-29857?component-type=maven&component-name=org.bouncycastle%2Fbc-fips

I do see this CVE mentioned in the release notes: https://www.bouncycastle.org/releasenotes.html

However, I only see an updated release of "bcprov" but not "bc-fips".

dghgit commented 7 months ago

We haven't been able to update the CVE entry. Apparently Mitre is having a few issues. That said, we have a patch release called 1.0.2.5 that deals with this, but yes 1.0.2.4 is affected by this. Apologies for the suddenness of the report.

You can also work around it by not allowing the import of explicit EC F2m curve parameters.

Any further questions, please let me know.

PS. If you have a support contract, the jar is available under that. In view of the, erm..., pro-active approach taken by OWASP, I'll speak to the lab about releasing early. I believe everything's been submitted, it's just taking time again, but the jar has not been added to the certificate yet.

benken-parasoft commented 6 months ago

Thank you for trying to get this released early! Having early access sounds great for those who can do that. Otherwise, do you have any guess what the turnaround looks like for those getting bc-fips from Maven Central? Does "releasing early" mean something might be available in a week or could this be much longer?

The current state of things causes quite a bit of difficulty for both developers and end users. As a developer, I could switch my application to use standard bcprov (non-FIPS) because it gets updated more quickly. However, if an end user requires FIPS then perhaps I tell them to swap out the Bouncy Castle jars with the FIPS version? The problem is that this puts the end user in the same predicament, where they need early access or they accept the risk of using a jar with a high severity CVE.

Not sure if this is related to version 1.0.2.5 but I also noticed a couple Bouncy Castle entries in the CMVP in-process-list. This is just me guessing if there is some external visibility as to when 1.0.2.5 might be ready for release.

dghgit commented 6 months ago

I've just published bc-fips-1.0.2.5 to Maven Central, it should also be appearing on bouncycastle.org shortly.

About CVE-2024-29857, we still haven't heard back from Mitre and no formal review has been done that I am aware of. What the CVE will say when it is published is that the vulnerability is only exploitable where:

Where people have followed the rules such as for TLS, of only allowing named parameter sets, this vulnerability does not apply.

If you must accept explicit F2m parameters it is also possible to avoid this issue by checking that the m value for the F2m parameter set is less than 1142, currently twice the maximum size in the named F2m parameter sets (naturally you may wish to tweak this if you've defined your own curves, but I guess you'll work that out).

To be frank, I'm not really sure I would agree with the way this is currently being described in OWASP, although given the lack of public information available at the time they published, I can see why they would have erred on the side of caution. The only real vector of importation we're aware of is X.509 certificates and it has been a tradition for a while now to not allow explicit parameter sets.

Finally, one important note about BC-FJA 1.0.2.5: BC-FJA 1.0.2.5 is not currently certified. However, it has been in the submission process for a while now and if you wish to deploy it early in a FIPS environment and need a letter of attestation it is possible to get one through the BC support program. In addition, the Maven POM lists BC-FJA 1.0.2.5 as being against Certificate #4616 - while we still believe this will be the case, the CMVP have the final say on how they wish to handle this, so the certificate number may wind up being different.
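The first workaround described in this thread, accepting only named parameter sets, can be enforced on the encoded key before the bytes reach any provider. The following Java class is an added example, not Bouncy Castle code and not code posted by anyone in the thread; the class name `EcParamGate`, its methods and the two sample encodings are constructed for illustration, and it does not implement the `m < 1142` bound.

```java
import java.util.Arrays;

/** Added example: pre-parse gate that accepts only named-curve EC SubjectPublicKeyInfo blobs. */
public final class EcParamGate {
    // DER encoding of OID 1.2.840.10045.2.1 (id-ecPublicKey), tag and length included.
    private static final byte[] ID_EC_PUBLIC_KEY =
        {0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01};

    /** Returns {contentStart, contentEnd} of the TLV at pos; throws on truncated or oversized lengths. */
    private static int[] tlv(byte[] d, int pos, int limit) {
        if (pos + 2 > limit) throw new IllegalArgumentException("truncated DER");
        int len = d[pos + 1] & 0xFF, start = pos + 2;
        if (len >= 0x80) {                                   // long-form length
            int n = len & 0x7F;
            if (n == 0 || n > 3 || start + n > limit) throw new IllegalArgumentException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (d[start++] & 0xFF);
        }
        if (start + len > limit) throw new IllegalArgumentException("length overruns buffer");
        return new int[] {start, start + len};
    }

    /** True only if spki is an EC SubjectPublicKeyInfo whose parameters are a named-curve OID. */
    public static boolean isNamedCurveEcKey(byte[] spki) {
        int[] outer = tlv(spki, 0, spki.length);             // SubjectPublicKeyInfo
        if (spki[0] != 0x30) return false;
        int[] algId = tlv(spki, outer[0], outer[1]);         // AlgorithmIdentifier
        if (spki[outer[0]] != 0x30) return false;
        int[] oid = tlv(spki, algId[0], algId[1]);           // algorithm OID
        if (!Arrays.equals(Arrays.copyOfRange(spki, algId[0], oid[1]), ID_EC_PUBLIC_KEY)) return false;
        if (oid[1] >= algId[1]) return false;                // parameters absent
        tlv(spki, oid[1], algId[1]);                         // parameters must be well-formed
        return spki[oid[1]] == 0x06;                         // 0x06 named OID; 0x30 explicit; 0x05 implicit
    }

    public static void main(String[] args) {
        // Constructed samples: correct structure, placeholder key bits. The leading 0x30
        // byte keeps the BigInteger hex round-trip exact (no sign byte, no stripped zeros).
        byte[] named = new java.math.BigInteger(
            "3019301306072A8648CE3D020106082A8648CE3D03010703020004", 16).toByteArray();
        byte[] explicit = new java.math.BigInteger(
            "3014300E06072A8648CE3D0201300302010103020004", 16).toByteArray();
        System.out.println("named curve accepted:    " + isNamedCurveEcKey(named));
        System.out.println("explicit params accepted: " + isNamedCurveEcKey(explicit));
    }
}
```

The method also returns false for non-EC keys, so apply it only where an EC key is expected and treat a thrown `IllegalArgumentException` as a rejection.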

benken-parasoft commented 6 months ago

> we still haven't heard back from Mitre

I believe we are now just waiting on this. OWASP tooling is now flagging bc-fips 1.0.2.5 with the same CVE.

dghgit commented 6 months ago

I would strongly recommend getting in touch with the tool vendor.

There is nothing published in the NVD about this CVE, the fact they've raised it can only be on the basis of what we published.

I would point them at this github issue, the current FIPS release notes at:

https://downloads.bouncycastle.org/fips-java/docs/RELEASE_NOTES.md

As well as the source code for the module which is available at:

https://downloads.bouncycastle.org/fips-java/bc-fips-1.0.2.5-sources.jar

https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5-sources.jar

Given how they started flagging this, it would be quite inappropriate for them to be ignoring us as the source of the fix version. While I'd guess your assumption that their internal systems are waiting on the NVD to publish a fix version is correct, if they're willing to override the NVD to publish the CVE ID early, I would expect they will agree that they should also release details of the fix version early when they are available from a credible source, particularly when it's the same place they got the original details from.

I don't know how long it will take for everything to be sorted out at Mitre, we've waited 4 weeks for just a CVE allocation at this point. It seems they've really got some problems to deal with.

The tool vendor is welcome to get in touch with us if they need any further clarification.

dghgit commented 6 months ago

Some progress. Sonatype is no longer flagging 1.0.2.5 as having CVE 2024-29857 on it. See:

https://ossindex.sonatype.org/component/pkg:maven/org.bouncycastle/bc-fips@1.0.2.5?utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0

samueloph commented 6 months ago

Are these the fixes for the CVE (CVE-2024-29857)?

first commit: https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a294501f

second commit: https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281

dghgit commented 6 months ago

Yes, really just the second one. The CVE has finally been written up at https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857

wilx commented 6 months ago

The https://www.bouncycastle.org/fips-java/RELEASE_NOTES.md link returns 404.

stolyarchukav commented 2 months ago

@dghgit Do we have any news about the certification of 1.0.2.5? We can see the old certificate is deprecated (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4616) and 2.0.0 is the only valid one (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4743). Does it mean we do not have another option than moving to 2.0.0?

dghgit commented 2 months ago

If you're using Java 8 or later, you need to move to 2.0.0. Unfortunately the move to the historical list of 1.0.2.4 means 1.0.2.5 is no longer viable.