Bugzilla – Bug 1212508
VUL-0: CVE-2023-33201: bouncycastle: potential blind LDAP injection attack using a self-signed certificate
Last modified: 2023-09-25 12:25:39 UTC
CVE-2023-33201

Issue affecting: BC 1.73 and earlier. Fixed versions: BC 1.74. Platform affected: Java 4 and later.

Bouncy Castle provides the X509LDAPCertStoreSpi.java class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild card may lead to Information Disclosure.

A potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g.: CN=Subject*)(objectclass=. This will be included into the filter and provides the attacker the ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user.

Changes to the X509LDAPCertStoreSpi.java class add the additional checking of any X.500 name used to correctly escape wild card characters.

https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33201
https://bugzilla.redhat.com/show_bug.cgi?id=2215465
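The root cause above is a subject DN value interpolated into an LDAP search filter without RFC 4515 escaping. The following is an added illustration, not Bouncy Castle's code: the filter shape `(&(cn=...)(userCertificate=*))` is a hypothetical stand-in for whatever X509LDAPCertStoreSpi actually builds, and it shows how the sample CN from the advisory adds a filter component when unescaped and stays a single literal value once escaped.

```python
# Added example (not from bc-java): RFC 4515 escaping of LDAP filter values,
# applied to the CVE-2023-33201 sample subject CN.

# Constructed sample CN from the advisory text.
MALICIOUS_CN = "Subject*)(objectclass="


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter filter structure."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))  # e.g. '*' -> '\2a', '(' -> '\28'
        else:
            out.append(ch)
    return "".join(out)


def build_cert_search_filter(subject_cn: str, escape: bool = True) -> str:
    """Hypothetical cert lookup filter; 'escape=False' mirrors the pre-1.74 behaviour."""
    value = escape_filter_value(subject_cn) if escape else subject_cn
    return "(&(cn=%s)(userCertificate=*))" % value


def count_assertions(filter_str: str) -> int:
    """Count unescaped '(' characters, i.e. the filter components a server would parse."""
    n = 0
    prev_escape = False
    for ch in filter_str:
        if ch == "\\" and not prev_escape:
            prev_escape = True
            continue
        if ch == "(" and not prev_escape:
            n += 1
        prev_escape = False
    return n


if __name__ == "__main__":
    for esc in (False, True):
        f = build_cert_search_filter(MALICIOUS_CN, escape=esc)
        print("escaped=%s components=%d filter=%s" % (esc, count_assertions(f), f))
```

Unescaped, the CN injects an extra `(objectclass=...)` assertion (four components instead of three); escaped, the same CN is matched literally and the filter keeps its intended shape.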
Affected:
- SUSE:ALP:Source:Standard:1.0/bouncycastle 1.73
- SUSE:SLE-15-SP2:Update/bouncycastle 1.73
- openSUSE:Factory/bouncycastle 1.73

(please note that the ALP codestream currently needs a regular submission, and not a maintenance submission)
The new bouncycastle update to version 1.74 in Factory now requires a new dependency on unboundid-ldapsdk but it's not packaged in Factory. I have tried to package it in here: https://build.opensuse.org/package/show/home:pmonrealgonzalez/unboundid-ldapsdk

With this new package, bouncycastle 1.74 builds fine now. I'm adding Fridrich in CC to have a look at the new package and advise if it needs some modifications. TIA
(In reply to Pedro Monreal Gonzalez from comment #2)
> The new bouncycastle update to version 1.74 in Factory now requires a new
> dependency on unboundid-ldapsdk but it's not packaged in Factory. I have
> tried to package it in here:
>
> https://build.opensuse.org/package/show/home:pmonrealgonzalez/unboundid-ldapsdk
>
> With this new package, bouncycastle 1.74 builds fine now.
>
> I'm adding Fridrich in CC to have a look at the new package and advise if it
> needs some modifications. TIA

I have just submitted the new unboundid-ldapsdk package to Java:packages here:
* https://build.opensuse.org/request/show/1094136
(In reply to Pedro Monreal Gonzalez from comment #3)
> I have just submitted the new unboundid-ldapsdk package to Java:packages
> here:
> * https://build.opensuse.org/request/show/1094136

Now, I was slow in answering because I wanted to be sure about what that new dependency is all about. It is needed only for the bctest artifact that we do not distribute, although we were building it as a by-product. I made a patch in Bouncycastle to not build it and suddenly the dependency is not needed. I will push the upgrade to Java:packages but without any changelog for the time being. It is possible that it will conflict with whatever you have. I promise to fix any problem that could arise.
This is an autogenerated message for OBS integration: This bug (1212508) was mentioned in https://build.opensuse.org/request/show/1094156 Factory / bouncycastle
This is an autogenerated message for OBS integration: This bug (1212508) was mentioned in https://build.opensuse.org/request/show/1094295 Factory / bouncycastle
Fridrich, many thanks for that! As Fridrich explained in the new package submission, bouncycastle is in Ring1 so adding new dependencies just for some tests can be problematic.

I have submitted to ALP in here:
* https://build.suse.de/request/show/301816
SUSE-SU-2023:2843-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212508
CVE References: CVE-2023-33201

Sources used:
- openSUSE Leap 15.4 (src): bouncycastle-1.74-150200.3.21.1
- openSUSE Leap 15.5 (src): bouncycastle-1.74-150200.3.21.1
- Development Tools Module 15-SP4 (src): bouncycastle-1.74-150200.3.21.1
- Development Tools Module 15-SP5 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise Real Time 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Enterprise Storage 7.1 (src): bouncycastle-1.74-150200.3.21.1
- SUSE Enterprise Storage 7 (src): bouncycastle-1.74-150200.3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing