{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-30171", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-19T17:18:20.969Z", "dateReserved": "2024-03-24T00:00:00", "datePublished": "2024-05-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-14T13:06:05.488818"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.bouncycastle.org/latest_releases.html"}, {"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"url": "https://security.netapp.com/advisory/ntap-20240614-0008/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:25:02.988Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.bouncycastle.org/latest_releases.html", "tags": ["x_transferred"]}, {"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171", "tags": ["x_transferred"]}, {"url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240614-0008/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-203", "lang": "en", "description": "CWE-203 Observable Discrepancy"}]}], "affected": [{"vendor": "bouncycastle", "product": "bouncy_castle_for_java", "cpes": ["cpe:2.3:a:bouncycastle:bouncy_castle_for_java:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.78", "versionType": "custom"}]}, {"vendor": "netapp", "product": "active_iq_unified_manager", "cpes": ["cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}, {"vendor": "netapp", "product": "bluexp", "cpes": ["cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}, {"vendor": "netapp", "product": "ontap_tools", "cpes": ["cpe:2.3:a:netapp:ontap_tools:-:*:*:*:*:vmware_vsphere:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9", "status": "affected"}]}, {"vendor": "netapp", "product": "oncommand_workflow_automation", "cpes": ["cpe:2.3:a:netapp:oncommand_workflow_automation:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-19T17:18:15.455507Z", "id": "CVE-2024-30171", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T17:18:20.969Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.bouncycastle.org/latest_releases.html", "tags": ["x_transferred"]}, {"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171", "tags": ["x_transferred"]}, {"url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240614-0008/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:25:02.988Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-30171", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-19T17:18:15.455507Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:bouncycastle:bouncy_castle_for_java:*:*:*:*:*:*:*:*"], "vendor": "bouncycastle", "product": "bouncy_castle_for_java", "versions": [{"status": "affected", "version": "0", "lessThan": "1.78", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*"], "vendor": "netapp", "product": "active_iq_unified_manager", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*"], "vendor": "netapp", "product": "bluexp", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:netapp:ontap_tools:-:*:*:*:*:vmware_vsphere:*:*"], "vendor": "netapp", "product": "ontap_tools", "versions": [{"status": "affected", "version": "9"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:netapp:oncommand_workflow_automation:*:*:*:*:*:*:*:*"], "vendor": "netapp", "product": "oncommand_workflow_automation", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203 Observable Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T17:14:41.308Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.bouncycastle.org/latest_releases.html"}, {"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"url": "https://security.netapp.com/advisory/ntap-20240614-0008/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-14T13:06:05.488818"}}}, "cveMetadata": {"cveId": "CVE-2024-30171", "state": "PUBLISHED", "dateUpdated": "2024-08-19T17:18:20.969Z", "dateReserved": "2024-03-24T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-09T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en la API TLS Java de Bouncy Castle y en el proveedor JSSE anterior a la versi\u00f3n 1.78. Es posible que se produzcan fugas basadas en el tiempo en los protocolos de enlace basados en RSA debido al procesamiento de excepciones."}], "id": "CVE-2024-30171", "lastModified": "2024-11-21T09:11:21.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-14T15:21:52.690", "references": [{"source": "cve@mitre.org", "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"source": "cve@mitre.org", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20240614-0008/"}, {"source": "cve@mitre.org", "url": "https://www.bouncycastle.org/latest_releases.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240614-0008/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.bouncycastle.org/latest_releases.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Hubert Kario (Red Hat).", "affected_release": [{"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-db-rhel8:3.0.0-3", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:3.0.0-2", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-operator-bundle:3.0.0-2", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8:3.0.0-3", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-reports-rhel8:3.0.0-2", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-rhel8:3.0.0-2", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-rhel8-operator:3.0.0-2", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-storage-rhel8:3.0.0-3", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4173", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/jfr-datasource-rhel8:3.0.0-2", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4271", "cpe": "cpe:/a:redhat:amq_broker:7.12", "package": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat AMQ Broker 7", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:4884", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4::el6", "package": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:4505", "cpe": "cpe:/a:redhat:camel_quarkus:3", "package": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat Build of Apache Camel 4.4 for Quarkus 3.8", "release_date": "2024-07-11T00:00:00Z"}, {"advisory": "RHSA-2024:4326", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "package": "org.bouncycastle/bcprov-jdk18on:1.78.1.redhat-00002", "product_name": "Red Hat build of Quarkus 3.8.5.redhat", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:5147", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-bouncycastle-0:1.78.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-bouncycastle-0:1.78.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-bouncycastle-0:1.78.1-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5482", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-bouncycastle-0:1.78.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-0:2.21.0-5.redhat_00052.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-angus-0:2.0.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-angus-activation-0:2.0.1-3.redhat_00006.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-beanutils-0:1.9.4-13.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-cli-0:1.4.0-2.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-codec-0:1.15.0-6.redhat_00016.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-cxf-0:4.0.4-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-cxf-xjc-utils-0:4.0.0-5.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-mime4j-0:0.8.11-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-sshd-0:2.12.1-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-bouncycastle-0:1.78.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-byte-buddy-0:1.14.18-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-caffeine-0:3.1.8-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.3.0-2.GA_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-guava-failureaccess-0:1.0.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-guava-libraries-0:33.0.0-1.jre_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hal-console-0:3.6.19-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hornetq-0:2.4.9-4.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-httpcomponents-asyncclient-0:4.1.5-3.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-httpcomponents-client-0:4.5.14-4.redhat_00012.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-httpcomponents-core-0:4.4.16-4.redhat_00010.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-infinispan-0:14.0.30-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-json-api-0:2.1.3-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-mail-0:2.1.3-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-servlet-api-0:6.0.0-5.redhat_00006.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-websocket-0:2.1.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-xml-bind-api-0:4.0.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jandex-0:3.0.8-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jasypt-0:1.9.3-4.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-java-classmate-0:1.5.1-3.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jaxb-0:4.0.5-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-metadata-0:16.0.0-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-openjdk-orb-0:10.1.0-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jbossws-cxf-0:7.1.0-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-joda-time-0:2.12.7-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jsf-impl-0:4.0.7-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-mod_cluster-0:2.0.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-neethi-0:3.2.0-1.redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-opensaml-0:4.2.0-4.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-parsson-0:1.1.5-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-reactivex-rxjava-0:3.1.8-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-0:6.2.7-2.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.13-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-stax2-api-0:4.2.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-velocity-0:2.3.0-3.redhat_00009.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-weld-core-0:5.1.2-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.3-9.GA_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-discovery-0:1.3.0-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-elytron-0:2.2.6-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wsdl4j-0:1.6.3-5.redhat_00008.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wss4j-0:3.0.3-1.redhat_00008.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-xml-security-0:3.0.4-1.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}, {"advisory": "RHSA-2024:5481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-yasson-0:3.0.3-3.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-08-15T00:00:00Z"}], "bugzilla": {"description": "bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)", "id": "2276360", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276360"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-208", "details": ["An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.", "A flaw was found in the Bouncy Castle Java cryptography APIs. Affected versions of the org.bouncycastle:bcprov-jdk18on package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process (a.k.a. Marvin Attack). An attacker can recover cipher-texts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions and the OAEP interface vector leaks via the bit size of the decrypted data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-30171", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Affected", "package_name": "org.bouncycastle-bcprov-jdk18on", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "org.bouncycastle/bcprov-jdk18on", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.bouncycastle-bcprov-jdk18on", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.bouncycastle-bcprov-jdk18on", "product_name": "streams for Apache Kafka"}], "public_date": "2024-04-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-30171\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30171\nhttps://people.redhat.com/~hkario/marvin/"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-208: Observable Timing Discrepancy vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to apply the most restrictive settings necessary for operations. Baseline configurations and system controls ensure secure software states, while least functionality reduces the attack surface by maintaining consistent settings and minimizing timing variations that could expose discrepancies. Domain accounts are configured with lockout policies to reduce the effectiveness of brute-force attacks and prevent attackers from inferring valid credentials through response timing. Event logs are centrally collected and analyzed to detect anomalous timing-based behaviors that may indicate timing attacks. Static code analysis and peer reviews enforce strong input validation and error handling, limiting the introduction of time-based exploits. Additionally, controls such as process isolation and encryption of data at rest contain the impact of successful exploitation by isolating compromised processes and preventing unauthorized data access.", "threat_severity": "Moderate"}