Bug 1223926 (CVE-2024-34447)

Summary: VUL-0: CVE-2024-34447: bouncycastle: use of incorrectly-resolved name or reference
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez, fstrba, pmonrealgonzalez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/404322/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-34447:6.8:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-06 09:21:47 UTC
An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References:
https://www.bouncycastle.org/latest_releases.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34447
https://www.cve.org/CVERecord?id=CVE-2024-34447
https://bugzilla.redhat.com/show_bug.cgi?id=2279227

Comment 1 Carlos López 2024-05-06 09:23:52 UTC
(In reply to SMASH SMASH from comment #0)
> An issue was discovered in Bouncy Castle Java Cryptography APIs before BC
> 1.78.

We have:
- SUSE:SLE-15-SP2:Update/bouncycastle        1.77
- SUSE:ALP:Source:Standard:1.0/bouncycastle  1.77
- openSUSE:Factory/bouncycastle              1.78

Comment 2 Fridrich Strba 2024-05-06 09:46:27 UTC
Factory now has 1.78.1.
Submission for SLE-15-SP2 is now handled here: https://smelt.suse.de/incident/33611/
Submission for SUSE:ALP:Source:Standard:1.0 is here: https://build.suse.de/request/show/328363
Submission for the new SUSE:SLFO:Main is here: https://build.suse.de/request/show/328845

The backports to SLE-15-SP0 and SLE-12 are under way.

Comment 3 Pedro Monreal Gonzalez 2024-05-21 11:18:25 UTC
According to the issue [0] mentioned in upstream advisory [1], the first version affected by this CVE is 1.61 and we have:
  * SLE-15-SP0: version 1.58
  * SLE-12:     version 1.46

So, nothing else to be fixed here since a version update for SLE-15-SP2, SUSE:ALP:Source:Standard:1.0 and SUSE:SLFO:Main has been submitted recently by Fridrich.

[0] https://github.com/bcgit/bc-java/issues/1656
[1] https://github.com/bcgit/bc-java/wiki/CVE-2024-34447