MEDIUM
GHSA-mx76-r943-rf8g
Bouncy Castle LTS native GCM chunking can cause bad-tag exception on decryption
Details
In Bouncy Castle LTS for Java, the AES/GCM native implementation used on Intel CPUs with AES PAA instruction sets (AVX / VAES / VAESF variants) can intermittently produce an incorrect authentication tag verification result during decryption when the ciphertext is fed in via a mix of `update()` calls followed by `doFinal()`. It is possible to work around it by either using `doFinal()` only (as the BCJSSE does) or by configuring the module to run in pure Java mode, by setting the system property "org.bouncycastle.native.cpu_variant" to java.
Are you affected?
Enter the version of the package you're using.
Affected packages
Maven / org.bouncycastle:bcprov-lts8on
Introduced in:
2.73.0 Fixed in: 2.73.11 Fix
# pom.xml: bump <version>2.73.11</version> for org.bouncycastle:bcprov-lts8on