Bouncy Castle · Bouncy Castle Bc C# .Net · CVE-2024-29857
Name of the Vulnerable Software and Affected Versions:
Bouncy Castle Java (BC Java) versions 1.78 and earlier
Bouncy Castle Java LTS (BC Java LTS) versions 2.73.6 and earlier
Bouncy Castle FIPS Java API (BC-FJA) versions 1.0.2.5 and earlier
Bouncy Castle C# .Net versions 2.3.1 and earlier
Bamboo Data Center and Server versions prior to 9.2.14, 9.5.4, and 9.6.2
Confluence Data Center and Server versions prior to 7.19.26, 8.5.12, 8.9.4, and 9.0.1
Description:
An issue was discovered in ECCurve.java and ECCurve.cs: importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. This allows an unauthenticated attacker to exploit exposed, susceptible assets in the environment without user interaction, with no impact to confidentiality, no impact to integrity, and high impact to availability.
Recommendations:
For Bouncy Castle Java (BC Java) versions 1.78 and earlier, update to version 1.78 or later.
For Bouncy Castle Java LTS (BC Java LTS) versions 2.73.6 and earlier, update to version 2.73.6 or later.
For Bouncy Castle FIPS Java API (BC-FJA) versions 1.0.2.5 and earlier, update to version 1.0.2.5 or later.
For Bouncy Castle C# .Net versions 2.3.1 and earlier, update to version 2.3.1 or later.
For Bamboo Data Center and Server versions prior to 9.2.14, 9.5.4, and 9.6.2, upgrade to a release greater than or equal to 9.2.14, 9.5.4, or 9.6.2.
For Confluence Data Center and Server versions prior to 7.19.26, 8.5.12, 8.9.4, and 9.0.1, upgrade to a release greater than or equal to 7.19.26, 8.5.12, 8.9.4, or 9.0.1.
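Until the updates above are applied, certificates can be screened for explicit F2m field parameters before they are handed to the EC library. The Python code below is an added example, not code from Bouncy Castle or from this advisory; the function names, `MAX_DEPTH` and the sample bytes are assumptions constructed for illustration.

```python
# Added example, not Bouncy Castle code: walk DER bytes without an EC library
# and report explicit characteristic-two (F2m) field parameters.
F2M_FIELD_OID = bytes.fromhex("2a8648ce3d0102")  # 1.2.840.10045.1.2 content octets
MAX_DEPTH = 32  # assumption: real certificates nest far less deeply
# Constructed sample: FieldID { F2m, { m = 233, tpBasis, k = 74 } }
SAMPLE_FIELD_ID = bytes.fromhex(
    "301d 06072a8648ce3d0102 3012 020200e9 06092a8648ce3d01020302 02014a")

def read_tlv(buf, pos, end):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not expected here")
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past the enclosing element")
    return tag, pos, pos + length

def find_f2m_degrees(buf, start=0, end=None, depth=0):
    """Return the declared degree m of every explicit F2m FieldID in buf."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    children, found, pos = [], [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        children.append((tag, vs, ve))
        if tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT wrappers
            found += find_f2m_degrees(buf, vs, ve, depth + 1)
        pos = ve
    # FieldID ::= SEQUENCE { OID, params }; F2m params start with INTEGER m.
    if len(children) >= 2 and children[0][0] == 0x06 and children[1][0] == 0x30:
        (_, o1, o2), (_, p1, p2) = children[0], children[1]
        if buf[o1:o2] == F2M_FIELD_OID:
            tag, m1, m2 = read_tlv(buf, p1, p2) if p2 > p1 else (0, 0, 0)
            found.append(int.from_bytes(buf[m1:m2], "big") if tag == 0x02 else None)
    return found

def uses_explicit_f2m(der):
    """True if the DER blob declares an explicit characteristic-two field."""
    return bool(find_f2m_degrees(der))
```

RFC 5480 requires named curves in PKIX certificates, so certificates flagged by `uses_explicit_f2m` can be rejected or quarantined before import without affecting conforming ones.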