
BDSA-2018-5235 - Update Bouncycastle to fix Cryptographic Issues vulnerability #12411

Closed
abstractj opened this issue Jun 8, 2022 · 4 comments
Labels: area/dependencies, impact/low, kind/cve (Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected), kind/task

Comments

@abstractj
Contributor

abstractj commented Jun 8, 2022

Summary

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Cryptographic Issues via a weak keyed-hash message authentication code (HMAC) that is only 16 bits long, which can result in hash collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) files, and could lead to an attacker being able to affect the integrity of these files. This vulnerability was introduced following an incomplete fix for CVE-2018-5382.

Version

18.0.0 or higher

Impact

Low. Keycloak does not make use of the BKS keystore format and is not vulnerable to this hash collision.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.69 or higher.

References

Additional information

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.keycloak:keycloak-quarkus-server-app@999-SNAPSHOT, org.keycloak:keycloak-quarkus-server@999-SNAPSHOT and others

Credits

@abstractj abstractj added this to the 18.0.1 milestone Jun 8, 2022
@abstractj abstractj self-assigned this Jun 8, 2022
@stianst stianst modified the milestones: 18.0.1, 19.0.0 Jun 17, 2022
@abstractj abstractj changed the title Update Bouncycastle to fix Cryptographic Issues vulnerability BDSA-2018-5235 Update Bouncycastle to fix Cryptographic Issues vulnerability Jun 20, 2022
@abstractj abstractj changed the title BDSA-2018-5235 Update Bouncycastle to fix Cryptographic Issues vulnerability BDSA-2018-5235 - Update Bouncycastle to fix Cryptographic Issues vulnerability Jun 20, 2022
@stianst stianst modified the milestones: 19.0.0, 20.0.0 Jul 26, 2022
@abstractj
Contributor Author

PR related #14198

@abstractj abstractj added kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected kind/weakness Issues identified as a security hardening issue that we can improve into the code and removed kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected kind/weakness Issues identified as a security hardening issue that we can improve into the code labels Oct 19, 2022
@abstractj abstractj removed this from the 20.0.0 milestone Oct 21, 2022
@vmuzikar
Contributor

vmuzikar commented Nov 7, 2022

@abstractj Can you please confirm that this is fixed by #14198 and therefore should be ported to 20.0.1?

@abstractj
Contributor Author

@vmuzikar fixed on #14148. We can close it and, if possible, backport.

@vmuzikar
Contributor

vmuzikar commented Nov 7, 2022

@abstractj Thanks for the confirmation. Backport is done here: #15379

@stianst stianst added this to the 21.0.0 milestone Feb 21, 2023