
CVE-2024-30171

Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")

Description

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
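
The description attributes the leak to exception processing. The added example below (not Bouncy Castle code, and not the project's actual fix) sketches the exception-free handling that RFC 5246 section 7.4.7.1 describes for the RSA premaster secret: validate the decrypted block without branching on secret data, then select either the real secret or a random one drawn in advance. The class and method names are hypothetical, and `em` is assumed to be the raw RSA decryption result, left-padded to the modulus length.

```java
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration, not Bouncy Castle source. "em" is assumed to be the raw
// RSA decryption output, left-padded to the modulus length by the caller.
public class PremasterSelect {
    static final int PMS_LEN = 48;

    static byte[] select(byte[] em, int clientVersion, SecureRandom rng) {
        if (em.length < PMS_LEN + 11) {          // length is public, safe to branch on
            throw new IllegalArgumentException("block shorter than minimum PKCS#1 v1.5 size");
        }
        byte[] fallback = new byte[PMS_LEN];
        rng.nextBytes(fallback);                 // drawn before any validity check

        int sep = em.length - PMS_LEN - 1;       // where the 0x00 separator must sit
        int bad = em[0] | (em[1] ^ 0x02);        // header must be 00 02
        for (int i = 2; i < sep; i++) {
            bad |= ((em[i] & 0xff) - 1) >>> 31;  // padding bytes must be non-zero
        }
        bad |= em[sep];                          // separator must be 00
        bad |= (em[sep + 1] & 0xff) ^ ((clientVersion >>> 8) & 0xff); // version rollback check
        bad |= (em[sep + 2] & 0xff) ^ (clientVersion & 0xff);

        int mask = -((bad | -bad) >>> 31);       // all ones if any check failed, else 0
        byte[] out = new byte[PMS_LEN];
        for (int i = 0; i < PMS_LEN; i++) {
            out[i] = (byte) ((fallback[i] & mask) | (em[sep + 1 + i] & ~mask));
        }
        return out;                              // same return path for valid and invalid input
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        // Constructed sample: 256-byte block (2048-bit key), client version 0x0303.
        byte[] em = new byte[256];
        em[1] = 0x02;
        Arrays.fill(em, 2, 207, (byte) 0xA5);    // non-zero padding, em[207] stays 0x00
        em[208] = 0x03;
        em[209] = 0x03;
        byte[] expected = Arrays.copyOfRange(em, 208, 256);
        System.out.println("valid block keeps secret: "
                + Arrays.equals(select(em, 0x0303, rng), expected));
        em[1] = 0x01;                            // corrupt the block type byte
        System.out.println("invalid block keeps secret: "
                + Arrays.equals(select(em, 0x0303, rng), expected));
    }
}
```

The selection step only helps if the RSA decryption that produces `em` is itself constant time and does not throw on malformed input, and a JIT compiler gives no guarantee that the branch-free form survives compilation. A handshake using the random fallback then fails later at the Finished message, the same way for every malformed ciphertext.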

Vulnerability Details

Score: 5.8
Score Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: Medium
Ecosystem: Java
Publish Date: May 14, 2024
Modified Date: October 22, 2024

Affected Versions:
  org.bouncycastle:bctls-fips < 1.0.19
  org.bouncycastle:bcprov-jdk18on < 1.78
  org.bouncycastle:bcprov-jdk15on < 1.78
  org.bouncycastle:bcprov-jdk15to18 < 1.78
  org.bouncycastle:bcprov-jdk14 < 1.78
  org.bouncycastle:bctls-jdk18on < 1.78
  org.bouncycastle:bctls-jdk14 < 1.78
  org.bouncycastle:bctls-jdk15to18 < 1.78
  BouncyCastle.Cryptography < 2.3.1