CVE-2023-33201 from Bouncy Castle about acme4j HOT 8 CLOSED

Fixed in acme4j 3.1.1.

from acme4j.

Thank you for the report!

acme4j-client is not affected by this CVE, as the X509 certificates from the CA are only passed through. acme4j-smime however is validating certificates and might be affected.

I will update the dependencies and provide a new version soon.

from acme4j.

Great! Thanks for your quick response!

from acme4j.

It turned out it's not possible yet, because of an issue that was introduced in Bouncy Castle 1.74: bcgit/bc-java#1492

Unfortunately 1.74 is also the earliest version that fixes the CVE, so there is no solution until that issue has been fixed upstream.

I will release a new version ASAP after that.

from acme4j.

There is already bouncy castle version 1.76. Is the issue solved with this version?

from acme4j.

No, unfortunately not.

If this is a problem for you, you can force the acme4j dependencies to use bouncy castle 1.76. It should work except for the acme4j-smime module.

from acme4j.

Now that bcgit/bc-java#1492 is fixed, can you upgrade the bouncy castle dependency?

from acme4j.

It seems that BC 1.77 is being rolled out right now, but org.bouncycastle:bcprov-jdk18on:jar:1.77, org.bouncycastle:bcpkix-jdk18on:jar:1.77 and org.bouncycastle:bcpg-jdk18on:jar:1.77 are not available at Maven Central yet.

As soon as the packages are there, I will release a new version with the fix.

EDIT: All packages are there now. I will prepare the release.

from acme4j.