Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OG04LXY4OWotN2oycM4AAv98
Garbage collection issue in BC-FJA in Java 13 and later
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss.
NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.
Permalink: https://github.com/advisories/GHSA-68m8-v89j-7j2pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OG04LXY4OWotN2oycM4AAv98
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 11 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-68m8-v89j-7j2p, CVE-2022-45146
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-45146
- https://github.com/bcgit/bc-java/wiki/CVE-2022-45146
- https://www.bouncycastle.org/latest_releases.html
- https://mvnrepository.com/artifact/org.bouncycastle/bc-fips
- https://github.com/advisories/GHSA-68m8-v89j-7j2p
Blast Radius: 15.1
Affected Packages
maven:org.bouncycastle:bc-fips
Dependent packages: 50Dependent repositories: 550
Downloads:
Affected Version Ranges: < 1.0.2.4
Fixed in: 1.0.2.4
All affected versions:
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 2.0.0