PT-2024-5034 · Bouncy Castle+4 · Bouncy Castle Bc C# .Net+11

David Hook · Published 2024-04-22 · Updated 2026-04-01 · CVE-2024-29857

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Bouncy Castle Java (BC Java) versions 1.78 and earlier
Bouncy Castle Java LTS (BC Java LTS) versions 2.73.6 and earlier
Bouncy Castle FIPS Java API (BC-FJA) versions 1.0.2.5 and earlier
Bouncy Castle C# .Net versions 2.3.1 and earlier
Bamboo Data Center and Server versions prior to 9.2.14, 9.5.4, and 9.6.2
Confluence Data Center and Server versions prior to 7.19.26, 8.5.12, 8.9.4, and 9.0.1
Description: An issue was discovered in ECCurve.java and ECCurve.cs, which can lead to excessive CPU consumption during the evaluation of the curve parameters when importing an EC certificate with crafted F2m parameters. This can allow an unauthenticated attacker to expose assets in the environment susceptible to exploitation, with no impact to confidentiality, no impact to integrity, and high impact to availability, requiring no user interaction.
Recommendations:
For Bouncy Castle Java (BC Java) versions 1.78 and earlier, update to version 1.78 or later.
For Bouncy Castle Java LTS (BC Java LTS) versions 2.73.6 and earlier, update to version 2.73.6 or later.
For Bouncy Castle FIPS Java API (BC-FJA) versions 1.0.2.5 and earlier, update to version 1.0.2.5 or later.
For Bouncy Castle C# .Net versions 2.3.1 and earlier, update to version 2.3.1 or later.
For Bamboo Data Center and Server versions prior to 9.2.14, 9.5.4, and 9.6.2, upgrade to a release greater than or equal to 9.2.14, 9.5.4, or 9.6.2.
For Confluence Data Center and Server versions prior to 7.19.26, 8.5.12, 8.9.4, and 9.0.1, upgrade to a release greater than or equal to 7.19.26, 8.5.12, 8.9.4, or 9.0.1.

Exploit

Fix

Out of bounds Read

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2024-05561
CLEANSTART-2026-IA43044
CVE-2024-29857
GHSA-8XFC-GM6G-VGPV
OPENSUSE-SU-2024:13914-1
OPENSUSE-SU-2025:15739-1
RHSA-2024:5143
RHSA-2024:5144
RHSA-2024:5145
RHSA-2024:5479
RHSA-2024:5481
USN-8108-1

Affected Products

Bamboo
Bamboo Data Center/Server
Bitbucket
Bouncy Castle Bc C# .Net
Bouncy Castle Fips Java Api
Bouncy Castle Bc Java
Bouncy Castle Java Lts
Confluence
Confluence Data Center/Server
Debian
Linuxmint
Ubuntu