Improper Authentication Affecting org.bouncycastle:bc-fips package, versions [,1.0.2.4)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGBOUNCYCASTLE-3136316
- published 21 Nov 2022
- disclosed 21 Nov 2022
- credit Jakub Trávník
Introduced: 21 Nov 2022
CVE-2022-45146 Open this link in a new tabHow to fix?
Upgrade org.bouncycastle:bc-fips to version 1.0.2.4 or higher.
Overview
Affected versions of this package are vulnerable to Improper Authentication. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules, where it is possible for temporary keys used by the module to be zeroed out while still in use by the module.
Notes:
FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.
The assessed High Impact on both Confidentiality and Integrity is due to the encryption, decryption, and authentication failure, that could lead to the internal keys in the FIPS module to be improperly encrypted or at times corrupted.
The issue can be exploited when the JVM is stressed for memory. As the vulnerability requires harder to achieve means of exploitation, we marked the Attack Complexity with High.
There is no clear specification that the attacker needs to have local access.