CVE-2024-34447

Name of the Vulnerable Software and Affected Versions Bouncy Castle Java Cryptography APIs versions prior to 1.78

Description An issue was discovered in the Bouncy Castle Java Cryptography APIs. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname, hostname verification could be performed against a DNS-resolved IP address in some situations. This opens up a possibility of DNS poisoning.

Recommendations For versions prior to 1.78, update to version 1.78 or later to resolve the issue. As a temporary workaround, consider disabling endpoint identification in the BCJSSE to minimize the risk of exploitation. Restrict access to SSL sockets created without an explicit hostname to prevent potential DNS poisoning attacks.