CVSS Score: 7.5 Published: 2024-05-03 Full Report: https://cvereports.com/reports/CVE-2024-34447
A vulnerability in the Bouncy Castle Crypto Package for Java (BCJSSE) permits adversaries to bypass TLS hostname verification. By exploiting a fallback mechanism that evaluates the peer's IP address instead of the intended hostname, an attacker capable of DNS spoofing can conduct Adversary-in-the-Middle (AitM) attacks to intercept encrypted traffic.
Bouncy Castle JSSE < 1.78 incorrectly falls back to IP-based hostname verification when an explicit hostname is not provided during socket initialization. Attackers can leverage DNS spoofing to perform MitM attacks by presenting a valid certificate for the spoofed IP address.
- CWE ID: CWE-295
- Attack Vector: Network
- CVSS Score: 7.5 (High)
- EPSS Score: 0.00227
- Exploit Status: No Public PoC
- KEV Status: Not Listed
- Bouncy Castle Crypto Package (Java)
- Bouncy Castle (LTS)
- Bouncy Castle FIPS TLS (Java)
- Bouncy Castle Crypto Package (Java): < 1.78 (Fixed in:
1.78) - Bouncy Castle (LTS): < 2.73.6 (Fixed in:
2.73.6) - Bouncy Castle FIPS TLS (Java): < 1.0.19 (Fixed in:
1.0.19)
- Upgrade Bouncy Castle Java packages to patched versions
- Explicitly configure socket hostnames using setHost() during custom implementations
- Deploy DNSSEC to prevent malicious DNS resolution redirection
Remediation Steps:
- Identify all projects utilizing Bouncy Castle JSSE dependencies
- Update maven/gradle build files to require bc-java >= 1.78, bc-lts >= 2.73.6, or bc-fips >= 1.0.19
- Review custom HttpsURLConnection or SSLSocketFactory implementations to ensure explicit hostname binding
- Validate that endpoint identification enforces strict FQDN matching via code audits
- GitHub Advisory GHSA-4h8f-2wvx-gg5w
- NVD Entry for CVE-2024-34447
- Bouncy Castle Wiki: CVE-2024-34447
- GitHub Issue #1656 - Discussion on fix validation
Generated by CVEReports - Automated Vulnerability Intelligence