BDSA-2018-5235 - Update Bouncycastle to fix Cryptographic Issues vulnerability #12411
Labels
area/dependencies
impact/low
kind/cve
Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected
kind/task
Milestone
Summary
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Cryptographic Issues via weak key-hash message authentication code (HMAC) that is only 16 bits long which can result in hash collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) files and could lead to an attacker being able to affect the integrity of these files. This vulnerability was introduced following an incomplete fix for CVE-2018-5382.
Version
18.0.0 or higher
Impact
Low. Keycloak does not make use of BKS keystore format and it is not vulnerable to Hash Collision.
Remediation
Upgrade org.bouncycastle:bcprov-jdk15on to version 1.69 or higher.
References
Additional information
Credits
The text was updated successfully, but these errors were encountered: