Lucene search

17 matches found

OSV
added yesterday | 2 views

ROOT-APP-MAVEN-CVE-2025-8885 CVE-2025-8885 in io.root.org.bouncycastle:bc-fips - Patched by Root

Root has patched CVE-2025-8885 in the io.root.org.bouncycastle:bc-fips package for Root:Maven. Multiple fixed versions available...

CVSS 5.3 | AI score 5.8 | EPSS 0.00121
Exploits: 0

IBM Security Bulletins
added 2026/02/17 4:38 a.m. | 5 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to bc-fips

Summary: IBM webMethods BPM uses bc-fips which is pulled in by webMethods Integration Server core for FIPS-compliant cryptographic operations. The BPM Process Engine relies on IS infrastructure for security but doesn't directly use Bouncy Castle APIs. Vulnerability Details: CVEID: CVE-2025-8885...

CVSS 6.3 | AI score 5.5 | EPSS 0.00121
Exploits: 0 | Affected Software: 1

Snyk
added 2025/10/24 11:43 p.m. | 3 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in DisposalDaemon.java. In high-core environments under heavy load, the disposal thread can fall behind and allow excessive memory use. Note: This issue was reported for environments...

CVSS 5.9 | AI score 7 | EPSS 0.00025
Exploits: 0 | References: 2

Snyk
added 2025/10/24 11:43 p.m. | 1 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in DisposalDaemon.java. In high-core environments under heavy load, the disposal thread can fall behind and allow excessive memory use. Note: This issue was reported for environments...

CVSS 5.9 | AI score 7 | EPSS 0.00025
Exploits: 0 | References: 2

Veracode
added 2025/09/12 7:54 a.m. | 2 views

Out-of-bounds Write

org.bouncycastle, bc-fips is vulnerable to Out-of-bounds Write. The vulnerability is due to improper memory handling in org/bouncycastle/jcajce/provider/BaseCipher, which allows an attacker to write data outside the intended memory bounds and potentially execute arbitrary code...

AI score 7.5 | EPSS 0.00045
Exploits: 0 | References: 3 | Affected Software: 2

Veracode
added 2025/09/09 7:24 a.m. | 3 views

Denial Of Service (DoS)

org.bouncycastle, bc-fips is vulnerable to Denial Of Service (DoS). The vulnerability is due to excessive allocation in the org.Bouncycastle.Crypto.Fips.NativeLoader module, which allows an attacker to exhaust system resources and cause a denial of service...

CVSS 1 | AI score 6.9 | EPSS 0.00034
Exploits: 0 | References: 3 | Affected Software: 1

Snyk
added 2025/08/22 10:42 a.m. | 2 views

Out-of-bounds Write

Overview: Affected versions of this package are vulnerable to Out-of-bounds Write via the JCE Cipher.doFinal function in org/bouncycastle/jcajce/provider/BaseCipher when the same byte array is used for both input and output during native encrypt or decrypt operations. An attacker can cause data...

CVSS 1.7 | AI score 7.1 | EPSS 0.00045
Exploits: 0 | References: 2

vulnersOsv
added 2025/08/22 10:42 a.m. | 4 views

com.github.cafaudit:caf-audit-binding-elasticsearch (>=5.0.3-1321 <=5.0.4-1329), com.github.cafaudit:caf-audit-monkey-container (>=5.0.3-1321 <=5.0.4-1329) +78 more potentially affected by CVE-2025-9340 via org.bouncycastle:bc-fips (=2.1.0)

org.bouncycastle:bc-fips MAVEN version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.bouncycastle:bc-fips and may be impacted: - com.github.cafaudit:caf-audit-binding-elasticsearch =5.0.3-1321, =5.0.3-1321, =5.0.3-1321, =5.0.3-1321,...

AI score 5.8 | EPSS 0.00045
Exploits: 0

vulnersOsv
added 2025/08/22 9:43 a.m. | 5 views

com.github.cafaudit:caf-audit-binding-elasticsearch (>=5.0.3-1321 <=5.0.4-1329), com.github.cafaudit:caf-audit-monkey-container (>=5.0.3-1321 <=5.0.4-1329) +78 more potentially affected by CVE-2025-9341 via org.bouncycastle:bc-fips (=2.1.0)

org.bouncycastle:bc-fips MAVEN version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.bouncycastle:bc-fips and may be impacted: - com.github.cafaudit:caf-audit-binding-elasticsearch =5.0.3-1321, =5.0.3-1321, =5.0.3-1321, =5.0.3-1321,...

CVSS 5.9 | AI score 5.8 | EPSS 0.00037
Exploits: 0

Snyk
added 2025/08/22 9:43 a.m. | 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the AESNativeCBC class due to the use of a private instance class, rather than a private static class. An attacker can cause heap exhaustion by triggering excessive memory allocati...

CVSS 7.1 | AI score 6.9 | EPSS 0.00037
Exploits: 0 | References: 2

vulnersOsv
added 2025/08/22 9:30 a.m. | 3 views

com.github.cafaudit:caf-audit-binding-elasticsearch (>=5.0.3-1321 <=5.0.4-1329), com.github.cafaudit:caf-audit-monkey-container (>=5.0.3-1321 <=5.0.4-1329) +78 more potentially affected by CVE-2025-9341 via org.bouncycastle:bc-fips (=2.1.0)

org.bouncycastle:bc-fips MAVEN version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.bouncycastle:bc-fips and may be impacted: - com.github.cafaudit:caf-audit-binding-elasticsearch =5.0.3-1321, =5.0.3-1321, =5.0.3-1321, =5.0.3-1321,...

CVSS 5.9 | AI score 5.8 | EPSS 0.00037
Exploits: 0

vulnersOsv
added 2025/08/12 12:30 p.m. | 2 views

co.elastic.apm:apm-agent-attach-cli (>=1.26.0 <=1.55.6), com.adobe.documentservices:pdfservices-sdk (>=2.2.2 <=3.5.1) +169 more potentially affected by CVE-2025-8885 via org.bouncycastle:bc-fips (>=1.0.1 <=1.0.2.5)

org.bouncycastle:bc-fips MAVEN version =1.0.1, =1.26.0, =2.2.2, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.17.4.0 and more Source cves: CVE-2025-8885 Source advisory:...

CVSS 6.3 | AI score 6.7 | EPSS 0.00121
Exploits: 0

Snyk
added 2025/08/12 9:40 a.m. | 3 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption...

CVSS 6.3 | AI score 7 | EPSS 0.00121
Exploits: 0 | References: 2

vulnersOsv
added 2024/05/14 3:32 p.m. | 3 views

co.elastic.apm:apm-agent-attach-cli (>=1.26.0 <=1.49.0), com.adobe.documentservices:pdfservices-sdk (>=2.2.2 <=3.5.1) +164 more potentially affected by CVE-2024-29857 via org.bouncycastle:bc-fips (>=1.0.1 <=1.0.2.4)

org.bouncycastle:bc-fips MAVEN version =1.0.1, =1.26.0, =2.2.2, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.16.8.0, =4.17.4.0 and more Source cves: CVE-2024-29857 Source advisory:...

CVSS 7.5 | AI score 6.7 | EPSS 0.00259
Exploits: 0

Veracode
added 2022/11/23 2:9 a.m. | 30 views

Information Disclosure

bc-fips is vulnerable to Information Disclosure. The vulnerability exists because the temporary keys used in the module get zeroed out while still in use by the module, resulting in an error or potential information loss. This vulnerability only affects Java 13 or later...

CVSS 5.5 | AI score 5.4 | EPSS 0.00148
Exploits: 1 | References: 4 | Affected Software: 1

vulnersOsv
added 2022/11/21 12:30 p.m. | 4 views

co.elastic.apm:apm-agent-attach-cli (>=1.26.0 <=1.49.0), com.adobe.documentservices:pdfservices-sdk (>=2.2.2 <=3.5.0) +105 more potentially affected by CVE-2022-45146 via org.bouncycastle:bc-fips (>=1.0.1 <=1.0.2.3)

org.bouncycastle:bc-fips MAVEN version =1.0.1, =1.26.0, =2.2.2, =2.10.6.9, =2.10.6.9, =2.10.6.9, =2.10.6.9, =3.0.34.RELEASE, =8.0.0, =16.1.0, =1.2.0, =3.1.23, =3.0.0-FINAL, =3.0.0-FINAL, =0.6.0, =0.7.0 - io.github.embedded-middleware:embedded-bookkeeper-core =0.0.1 and more Source cves:...

CVSS 5.5 | AI score 6.4 | EPSS 0.00148
Exploits: 1

ATTACKERKB
added 2022/11/21 10:15 a.m. | 2 views

CVE-2022-45146

An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module,...

CVSS 5.5 | AI score 6.5 | EPSS 0.00148
Exploits: 1 | References: 4