CVE-2024-34447: Hostname Verification Bypass in Bouncy Castle Java JSSE
Vulnerability ID: CVE-2024-34447
CVSS Score: 7.5
Published: 2024-05-03
A vulnerability in the Bouncy Castle Crypto Package for Java (BCJSSE) permits adversaries to bypass TLS hostname verification. By exploiting a fallback mechanism that evaluates the peer's IP address instead of the intended hostname, an attacker capable of DNS spoofing can conduct Adversary-in-the-Middle (AitM) attacks to intercept encrypted traffic.
TL;DR
Bouncy Castle JSSE < 1.78 incorrectly falls back to IP-based hostname verification when an explicit hostname is not provided during socket initialization. Attackers can leverage DNS spoofing to perform MitM attacks by presenting a valid certificate for the spoofed IP address.
Technical Details
- CWE ID: CWE-295
- Attack Vector: Network
- CVSS Score: 7.5 (High)
- EPSS Score: 0.00227
- Exploit Status: No Public PoC
- KEV Status: Not Listed
Affected Systems
- Bouncy Castle Crypto Package (Java)
- Bouncy Castle (LTS)
- Bouncy Castle FIPS TLS (Java)
- Bouncy Castle Crypto Package (Java): < 1.78 (Fixed in: 1.78)
- Bouncy Castle (LTS): < 2.73.6 (Fixed in: 2.73.6)
- Bouncy Castle FIPS TLS (Java): < 1.0.19 (Fixed in: 1.0.19)
Code Analysis
Commit: c47f644
Fix hostname verification fallback logic and introduce SetHostSocketFactory
--- a/ProvSSLSocketDirect.java
+++ b/ProvSSLSocketDirect.java
@@ -100,10 +100,14 @@
- if (useClientMode && provJdkTlsTrustNameService)
+ if (!useClientMode)
+ {
+ this.peerHost = peerAddress.getHostAddress();
+ }
+ else if (provJdkTlsTrustNameService)
{
this.peerHost = peerAddress.getHostName();
}
else
{
- this.peerHost = peerAddress.getHostAddress();
+ this.peerHost = null;
}
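Review bot: the final else branch now leaves peerHost as null, and nothing in this hunk shows how the code that later reads peerHost behaves when it is null. Please confirm that endpoint identification fails the handshake in that case rather than skipping the check, and add a short comment on the `this.peerHost = null;` line saying that null means "no trusted name available". The retained `peerAddress.getHostName()` branch still derives the name from the address whenever provJdkTlsTrustNameService is set, so a comment stating that this path trusts the name service would help callers who enable it.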
Mitigation Strategies
- Upgrade Bouncy Castle Java packages to patched versions
- Explicitly configure socket hostnames using setHost() in custom implementations
- Deploy DNSSEC to prevent malicious DNS resolution redirection
Remediation Steps:
- Identify all projects utilizing Bouncy Castle JSSE dependencies
- Update Maven/Gradle build files to require bc-java >= 1.78, bc-lts >= 2.73.6, or bc-fips >= 1.0.19
- Review custom HttpsURLConnection or SSLSocketFactory implementations to ensure explicit hostname binding
- Validate that endpoint identification enforces strict FQDN matching via code audits
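One way to apply the "explicit hostname binding" and "strict FQDN matching" steps above, as an added example that is not code from Bouncy Castle or from this advisory. It uses only the standard javax.net.ssl API rather than the provider-specific setHost() named in the mitigation list; the class name, helper names and the example.org and 203.0.113.10 values are placeholders.

```java
import java.io.IOException;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class ExplicitHostTls {
    /** Opens a TLS client socket bound to the DNS name the caller meant to reach. */
    static SSLSocket connect(SSLSocketFactory factory, String fqdn, int port) throws IOException {
        requireDnsName(fqdn); // refuse before any network activity
        // Pass the name as a String: the createSocket(InetAddress, ...) overloads
        // hand the provider only an address, not the intended host name.
        SSLSocket socket = (SSLSocket) factory.createSocket(fqdn, port);
        try {
            socket.setSSLParameters(strictParameters(socket.getSSLParameters(), fqdn));
            socket.startHandshake(); // an endpoint identification failure surfaces here
            return socket;
        } catch (IOException | RuntimeException e) {
            socket.close();
            throw e;
        }
    }

    /** Enables endpoint identification and pins SNI to the intended name. */
    static SSLParameters strictParameters(SSLParameters base, String fqdn) {
        requireDnsName(fqdn);
        base.setEndpointIdentificationAlgorithm("HTTPS");
        base.setServerNames(List.of(new SNIHostName(fqdn)));
        return base;
    }

    /** Rejects missing names and IP literals so verification is always name based. */
    static String requireDnsName(String host) {
        boolean ipLiteral = host != null
                && (host.indexOf(':') >= 0 || host.matches("\\d{1,3}(\\.\\d{1,3}){3}"));
        if (host == null || host.isEmpty() || ipLiteral) {
            throw new IllegalArgumentException("a DNS host name is required, got: " + host);
        }
        return host;
    }

    public static void main(String[] args) {
        SSLParameters p = strictParameters(new SSLParameters(), "example.org"); // placeholder name
        System.out.println(p.getEndpointIdentificationAlgorithm() + " " + p.getServerNames());
        try {
            strictParameters(new SSLParameters(), "203.0.113.10"); // constructed address
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The main method runs offline and only exercises the parameter checks; connect() is the call a client would use with its configured SSLSocketFactory.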
References
- GitHub Advisory GHSA-4h8f-2wvx-gg5w
- NVD Entry for CVE-2024-34447
- Bouncy Castle Wiki: CVE-2024-34447
- GitHub Issue #1656 - Discussion on fix validation