org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class

🗓️ 08 Aug 2024 17:22:53Reported by RedHatType

redhat

redhat🔗 access.redhat.com

Infinite loop in ED25519 verification in ScalarUtil causes denial of service in bcprov-jdk18on.

Reporter	Title	Published	Views	Family All 141
IBM Security Bulletins	Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues	15 Apr 202505:41	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data	12 Jun 202515:38	–	ibm
IBM Security Bulletins	Security Bulletin: Apache James and Bouncy Castle vulnerabilities in Apache Solr and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2023-33202,CVE-2024-21742,CVE-2024-29857,CVE-2024-30172,CVE-2024-34447)	4 Sep 202414:41	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling B2B Integrator is affected by multiple Bouncy Castle vulnerabilities	14 Nov 202413:51	–	ibm
IBM Security Bulletins	Security Bulletin: Denial of service, DNS poisoning, and information disclosure might affect IBM Storage Defender – Resiliency Service	31 Oct 202416:25	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server.	13 Dec 202416:34	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of Bouncy Castle Rational Performance Tester is affected by multiple vulnerabilities	2 Jan 202618:05	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in Db2 affect IBM Cloud Pak Sytem	6 Nov 202409:54	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server	19 Aug 202419:53	–	ibm
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.	28 Aug 202410:52	–	ibm

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	9	any	eap7-bouncycastle	0:1.78.1-1.redhat_00002.1.el9eap.noarch	eap7-bouncycastle-0:1.78.1-1.redhat_00002.1.el9eap.noarch.noarch.rpm
Red Hat Enterprise Linux	9	any	eap7-bouncycastle-mail	0:1.78.1-1.redhat_00002.1.el9eap.noarch	eap7-bouncycastle-mail-0:1.78.1-1.redhat_00002.1.el9eap.noarch.noarch.rpm
Red Hat Enterprise Linux	9	any	eap7-bouncycastle-pg	0:1.78.1-1.redhat_00002.1.el9eap.noarch	eap7-bouncycastle-pg-0:1.78.1-1.redhat_00002.1.el9eap.noarch.noarch.rpm
Red Hat Enterprise Linux	9	any	eap7-bouncycastle-pkix	0:1.78.1-1.redhat_00002.1.el9eap.noarch	eap7-bouncycastle-pkix-0:1.78.1-1.redhat_00002.1.el9eap.noarch.noarch.rpm
Red Hat Enterprise Linux	9	any	eap7-bouncycastle-prov	0:1.78.1-1.redhat_00002.1.el9eap.noarch	eap7-bouncycastle-prov-0:1.78.1-1.redhat_00002.1.el9eap.noarch.noarch.rpm
Red Hat Enterprise Linux	9	any	eap7-bouncycastle-util	0:1.78.1-1.redhat_00002.1.el9eap.noarch	eap7-bouncycastle-util-0:1.78.1-1.redhat_00002.1.el9eap.noarch.noarch.rpm

Source	Link
access	www.access.redhat.com/security/cve/CVE-2024-30172
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-30172
bouncycastle	www.bouncycastle.org/latest_releases.html
cve	www.cve.org/CVERecord

01 Jun 2026 17:17Current

7.3High risk

Vulners AI Score7.3

CVSS 3.17.5

EPSS0.00094

SSVC

bouncy castle ed25519 verification scalarutil denial of service signature attack cryptography library