Vulnerability Description
An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
- https://security.netapp.com/advisory/ntap-20240614-0007/
- https://www.bouncycastle.org/latest_releases.html
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
- https://security.netapp.com/advisory/ntap-20240614-0007/
- https://www.bouncycastle.org/latest_releases.html
FAQ
What is CVE-2024-34447?
CVE-2024-34447 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identif...
How severe is CVE-2024-34447?
CVE-2024-34447 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-34447?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.