Vulnerability in Bouncy Castle Crypto Package 

Issue date: 13-04-2021
Affects versions: 14.4, 13.4, 12.6

Security Issue ID



Affected Product Version(s)

14.4.0, 12.6.14, 13.4.7 and previous releases.






An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

The brXM product does not use this method directly, but project-specific extensions may rely on this via Apache Tika for password digest operations related to importing password-protected documents as assets.


Customers using the 12.x, 13.x and 14.x major versions are recommended to upgrade to the latest version in that series. The Tika dependency has been updated in 14.5.0, 13.4.8 and 12.6.15.