BC-FIPS 1.0.2.3 vulnerability and compatibility with Java 17
Hi,
We are using Java 17 as the programming language in our application, and recently found the issue below in a Prisma scan.
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.
Note: As stated above, the issue has been fixed in version 1.0.2.4, so I have added the Maven dependency below to my pom.xml.
But the Prisma scan result still shows the same issue. Can someone help me resolve this issue?
Thanks.
Can someone help me resolve the above issue, please?
Thanks.
@vijimg We have a similar situation, a Java 17 application with
The strange thing was, I'm sure it passed at first. Maybe it's just a false positive in Prisma?
@tateima I am not sure about it. If someone from the Bouncy Castle team gives an update, it would be helpful.
What's the CVE number that Prisma reports?
@larrywest The CVE that I receive (can't speak for @vijimg) is https://nvd.nist.gov/vuln/detail/CVE-2022-45146
The tool is clearly faulty, or it is not scanning the jars you think it is. The CVE does not apply to 1.0.2.4.
Appears settled.
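A runtime check, added here as an example and not part of the thread or of the Bouncy Castle project, that reports which BC-FIPS jar the application actually loads and whether its version is at or above the fixed 1.0.2.4. It assumes the provider class name `org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider` and that `Provider.getVersionStr()` returns a dotted version such as `1.0.2.4`; the `Implementation-Version` manifest attribute is read only if present.

```java
import java.io.File;
import java.net.URL;
import java.security.Provider;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public class BcFipsVersionCheck {
    // Version in which CVE-2022-45146 is fixed, per the CVE text quoted in the thread.
    static final String FIXED_VERSION = "1.0.2.4";

    // Numeric comparison of dotted versions; returns true if actual >= fixed.
    static boolean isAtLeast(String actual, String fixed) {
        String[] a = actual.trim().split("\\."), f = fixed.split("\\.");
        for (int i = 0; i < Math.max(a.length, f.length); i++) {
            int x = i < a.length ? Integer.parseInt(a[i].replaceAll("\\D.*", "")) : 0;
            int y = i < f.length ? Integer.parseInt(f[i]) : 0;
            if (x != y) return x > y;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Load reflectively so the class compiles even when bc-fips is not on the compile classpath.
        Class<?> cls = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
        Provider p = (Provider) cls.getDeclaredConstructor().newInstance();
        String version = p.getVersionStr(); // assumption: dotted version string, e.g. "1.0.2.4"
        System.out.println("Provider: " + p.getName() + " " + version);

        // The jar the class was really loaded from is what matters for the scan, not what pom.xml declares.
        URL location = cls.getProtectionDomain().getCodeSource().getLocation();
        System.out.println("Loaded from: " + location);
        try (JarFile jar = new JarFile(new File(location.toURI()))) {
            Manifest m = jar.getManifest();
            String impl = m == null ? null : m.getMainAttributes().getValue("Implementation-Version");
            System.out.println("Manifest Implementation-Version: " + (impl == null ? "(not set)" : impl));
        }

        boolean fixed = isAtLeast(version, FIXED_VERSION);
        System.out.println(fixed ? "OK: at or above " + FIXED_VERSION
                                 : "WARNING: older than " + FIXED_VERSION + ", CVE-2022-45146 applies");
        System.exit(fixed ? 0 : 1);
    }
}
```

If the printed jar path is not the 1.0.2.4 artifact from your pom.xml, another copy is shadowing it (a shaded jar, a server lib directory, or a transitive dependency), which is the second possibility raised in the last reply.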