Spring Boot Starter Vulnerable to CVE-2024-34447

[loffing]

Version 3.2.4 of mq-jms-spring-boot-starter is vulnerable to CVE-2024-34447 due to its transitive dependency on version 1.77 of org.bouncycastle:bcprov-jdk18on.

---

• ibmmq-jms-spring version(s) that are affected by this issue: 3.2.4
• Java version (including vendor and platform)

  openjdk version "17.0.3" 2022-04-19
  OpenJDK Runtime Environment Temurin-17.0.3+7 (build 17.0.3+7)
  OpenJDK 64-Bit Server VM Temurin-17.0.3+7 (build 17.0.3+7, mixed mode, sharing)

• A small code sample that demonstrates the issue

  +- com.ibm.mq:mq-jms-spring-boot-starter:jar:3.2.4:compile
  |  +- com.ibm.mq:com.ibm.mq.jakarta.client:jar:9.3.5.0:compile
  |  |  +- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
  |  |  +- org.bouncycastle:bcpkix-jdk18on:jar:1.77:compile
  |  |  +- org.bouncycastle:bcutil-jdk18on:jar:1.77:compile
  |  |  +- jakarta.jms:jakarta.jms-api:jar:3.1.0:compile
  |  |  \- org.json:json:jar:20231013:compile

[ibmmqmet]

If there is a vulnerability in the MQ client code (not this package), it will be reported via an IBM security bulletin.

So far, no version of the MQ client has been released with a later dependency level of the bouncy castle jars. (Version 9.3.5.1 didn't change those dependencies.) If and when a new MQ level comes out that uses the newer BC files, then it will get referenced through an update in this module. But right now, there's nothing that can be done here.

[loffing]

This vulnerability no longer exists in version 3.3.0 of mq-jms-spring-boot-starter.