Vulnerability in Bouncy Castle Crypto Package 

Issue date: 13-04-2021
Affects versions: 14.4, 13.4, 12.6

Security Issue ID

SECURITY-209


Affected Product Version(s)

14.4.0, 13.4.7, 12.6.14 and earlier releases.


Severity 

Low


Description


CVE-2020-28052

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared the wrong data when verifying a password, so that an incorrect password could be reported as matching a previously stored bcrypt hash of a different password. The issue is fixed in Bouncy Castle 1.67.

brXM itself does not call this method. Project-specific extensions may reach it indirectly through Apache Tika, which brXM uses for password digest operations when importing password-protected documents as assets. Projects that use this path should check which Bouncy Castle (bcprov) version their build actually resolves, since the affected code is only reachable where bcrypt hashes are verified with this method.

Instructions

Customers on the 12.x, 13.x and 14.x major versions are advised to upgrade to the latest release in their series. The Apache Tika dependency has been updated in 14.5.0, 13.4.8 and 12.6.15. Projects that declare their own Bouncy Castle (bcprov) dependency should also make sure it resolves to 1.67 or later, because a version declared at project level takes precedence over the one the product pulls in transitively.
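The following is an added example for verifying a deployment after the upgrade; it is not part of this advisory, of brXM, or of Bouncy Castle. It reads the version of the Bouncy Castle provider that is actually on the classpath and then exercises OpenBSDBCrypt.checkPassword with many random wrong passwords. Because the flaw did not accept every wrong password, a single negative test can pass by luck, so the check counts false accepts over a large number of trials; on a fixed release the count must be zero. The class name, the trial count, the cost factor and the sample password are arbitrary choices for this example.

```java
// Added example: classpath version check plus a randomized regression test for
// OpenBSDBCrypt.checkPassword. Not code from the advisory, brXM or Bouncy Castle.
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class BcryptSanityCheck {

    // CVE-2020-28052 affects BC Java 1.65 and 1.66; 1.67 contains the fix.
    static final double FIXED_VERSION = 1.67;

    /** Version number of the bcprov jar that is actually loaded (e.g. 1.66). */
    static double loadedBouncyCastleVersion() {
        // Provider.getVersion() is deprecated since Java 9 but still works on 8 and 11.
        return new BouncyCastleProvider().getVersion();
    }

    /**
     * Hashes `correct` with a fresh 16-byte salt, confirms the correct password is
     * accepted, then tries `trials` random wrong passwords of the same length.
     * Returns how many wrong passwords were accepted; 0 is the only good result.
     */
    static int countFalseAccepts(char[] correct, int trials) {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16];          // bcrypt requires exactly 16 salt bytes
        rng.nextBytes(salt);
        int cost = 6;                        // low cost keeps the loop fast; use 10+ in production
        String stored = OpenBSDBCrypt.generate(correct, salt, cost);

        if (!OpenBSDBCrypt.checkPassword(stored, correct)) {
            throw new IllegalStateException("correct password was rejected");
        }

        int falseAccepts = 0;
        for (int i = 0; i < trials; i++) {
            char[] wrong = randomPassword(rng, correct.length);
            if (Arrays.equals(wrong, correct)) {
                continue;                    // practically impossible, but keep the count honest
            }
            if (OpenBSDBCrypt.checkPassword(stored, wrong)) {
                falseAccepts++;
            }
            Arrays.fill(wrong, '\0');
        }
        return falseAccepts;
    }

    private static char[] randomPassword(SecureRandom rng, int length) {
        String alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        char[] out = new char[length];
        for (int i = 0; i < length; i++) {
            out[i] = alphabet.charAt(rng.nextInt(alphabet.length()));
        }
        return out;
    }

    public static void main(String[] args) {
        double version = loadedBouncyCastleVersion();
        System.out.println("Bouncy Castle provider version: " + version);
        if (version < FIXED_VERSION) {
            System.out.println("WARNING: bcprov " + version
                    + " predates the CVE-2020-28052 fix (" + FIXED_VERSION + ")");
        }

        int trials = 1000;                   // arbitrary; enough to expose a partial bypass
        int bad = countFalseAccepts("correct horse battery staple".toCharArray(), trials);
        System.out.println("wrong passwords accepted: " + bad + " / " + trials);
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

Compile and run it with the same bcprov jar that the deployed application resolves (for a Maven build, the one shown by `mvn dependency:tree` for the web application module), not with a jar picked from a local cache, otherwise the version check says nothing about the running system. A non-zero exit code means either the provider is still an affected version or a wrong password was accepted, and in both cases the dependency resolution of that project needs another look.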