CVE-2024-34447: Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

May 3, 2024 (updated June 24, 2025)

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

github.com/advisories/GHSA-4h8f-2wvx-gg5w
github.com/bcgit/bc-java
github.com/bcgit/bc-java/issues/1656
github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
nvd.nist.gov/vuln/detail/CVE-2024-34447
security.netapp.com/advisory/ntap-20240614-0007
www.bouncycastle.org/latest_releases.html

Code Behaviors & Features

Detect and mitigate CVE-2024-34447 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →