VDB
KO
MEDIUM

GHSA-mx76-r943-rf8g

Bouncy Castle LTS native GCM chunking can cause bad-tag exception on decryption

Details

In Bouncy Castle LTS for Java, the AES/GCM native implementation used on Intel CPUs with AES PAA instruction sets (AVX / VAES / VAESF variants) can intermittently produce an incorrect authentication tag verification result during decryption when the ciphertext is fed in via a mix of `update()` calls followed by `doFinal()`. It is possible to work around it by either using `doFinal()` only (as the BCJSSE does) or by configuring the module to run in pure Java mode, by setting the system property "org.bouncycastle.native.cpu_variant" to java.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / org.bouncycastle:bcprov-lts8on
Introduced in: 2.73.0 Fixed in: 2.73.11
Fix # pom.xml: bump <version>2.73.11</version> for org.bouncycastle:bcprov-lts8on

References