Headline
CVE-2019-17359: bouncycastle.org
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Latest Java Releases****Release 1.72 is now available for download.
This is release is primarily a feature release, the post-quantum algorithm set has been further expanded and now includes NIST finalists Kyber, Dilithium, Falcon, as well as the Round 3/4 candidates BIKE, HQC, NTRU, NTRU Prime, and Picnic in the BCPQC provider. The finalist SPHINCS+ has also been updated to its latest submission and Haraka support has been added. An implementation of SIKE is also included (for research purposes only). Other changes include the addition of Argon2 support for OpenPGP, performance improvements for OpenPGP CRC24 calculator, support for TLS raw public keys (RFC 7250) and an algorithm/keysize constraints framework has been added via the CryptoServicesRegistrar object. Bug fixes include an issue with the construction of multi-document evidence records and an occasional error in GCMSIV tag calculation. The BCJSSE also now has TLS 1.3 enabled by default. The latest version of the Grain128AEAD has also been added to the lightweight API and the CMP support classes have been updated to reflect the latest version of the draft RFC “Lightweight Certificate Management Protocol (CMP) Profile.”
Further details on other additions and bug fixes can be found in the release notes file accompanying the release.
Java Version Details With the arrival of Java 15. jdk15 is not quite as unambiguous as it was. The jdk18on jars are compiled to work with anything from Java 1.8 up. They are also multi-release jars so do support some features that were introduced in Java 9, Java 11, and Java 15. If you have issues with multi-release jars see the jdk15to18 release jars below.
Packaging Change (users of 1.70 or earlier): BC 1.71 changed the jdk15on jars to jdk18on so the base has now moved to Java 8. For earlier JVMs, or containers/applications that cannot cope with multi-release jars, you should now use the jdk15to18 jars.
Packaging Change (users of 1.68 or earlier): BC 1.69 introduced a new jar, bcutil-*.jar, which is a collection of classes which do not need to be in the JCE provider jar, but are used by the other APIs. You will find you will need to add the bcutil jar to the class path if you are using the other BC APIs.
Change Warning (users of 1.68 or earlier): The BKS-V1 KeyStore format is now disabled by default. See releasenotes for 1.69 for details to turn it on if required.
Change Warning (users of 1.52 or earlier): The PEM Parser now returns an X509TrustedCertificate block when parsing an openssl trusted certificate, the new object was required to allow the proper return of the trusted certificate’s attribute block. Please also see the porting guide for advice on porting to this release from much earlier ones (release 1.45 or earlier).
Further Note (users of Oracle JVM 1.7 or earlier, users of “pre-Java 9” toolkits): As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular “jdk18on” jar files try the “jdk15to18” jars instead. Please also note the JCE certificate in the public access versions of Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expired on the 20th April 2021. We still counter sign the jdk15to18 jars with this certificate for compatibility reasons, but Oracle does distribute JVMs for Java 6 and Java 7 with a newer, and stronger, certificate to holders of Java Support Contracts.
Others have contributed to this release, both with code and/or financially and you can find them listed in the contributors file. We would like to thank holders of Crypto Workshop support contracts for additional time that was contributed back to this release through left over consulting time provided as part of their support agreements. Thank you, one and all!
If you’re interested in grabbing the lot in one hit (includes JCE, JCE provider, light weight API, J2ME, range of JDK compatibility classes, signed jars, fries, and king prawns…) download crypto-172.tar.gz or crypto-172.zip, otherwise if you are only interested in one version in particular, see below. Early access to our FIPS hardened version of the Java APIs is now available for both BC-FJA 1.0.3 and BC-FJA 2.0.0 as well, contact us at [email protected] for further information.
Get the most out of your Bouncy Castle experience!
Get a support contract through Crypto Workshop. We have found two things that distinguish our support contract holders from our regular user base. Developers with access to a support contract are more likely to raise an issue with us early rather than try and muddle through, and developers with access to a support contract also take a more active interest in the beta releases, both FIPS and non-FIPS. The second one is useful as it means any issues or shortfalls in the beta are able to be fixed while the updates are still in beta. The first one is a real cost saver as it does not lead to us receiving emails starting with “Our development team has spent (some number of) weeks trying to work out…” It is much cheaper to have a support contract!
Signed JAR files
From release 1.40 some implementations of encryption algorithms were removed from the regular jar files at the request of a number of users. Jars with names of the form *-ext-* still include these (at the moment the list is: NTRU).
Provider
Clean room JCE
and provider
ASN.1 Utility Classes
PKIX/CMS/EAC/PKCS
OCSP/TSP/OPENSSL
SMIME
Jakarta SMIME
OpenPGP/BCPG
DTLS/TLS API/JSSE Provider
Test Classes
JDK 1.8 and later
bcprov-jdk18on-172.jar
bcprov-ext-jdk18on-172.jar
bcutil-jdk18on-172.jar
bcpkix-jdk18on-172.jar
bcmail-jdk18on-172.jar
bcjmail-jdk18on-172.jar
bcpg-jdk18on-172.jar
bctls-jdk18on-172.jar
bctest-jdk18on-172.jar
JDK 1.5 - JDK 1.8
bcprov-jdk15to18-172.jar
bcprov-ext-jdk15to18-172.jar
bcutil-jdk15to18-172.jar
bcpkix-jdk15to18-172.jar
bcmail-jdk15to18-172.jar
bcjmail-jdk15to18-172.jar
bcpg-jdk15to18-172.jar
bctls-jdk15to18-172.jar
bctest-jdk15to18-172.jar
JDK 1.4
bcprov-jdk14-172.jar
bcprov-ext-jdk14-172.jar
bcutil-jdk14-172.jar
bcpkix-jdk14-172.jar
bcmail-jdk14-172.jar
bcpg-jdk14-172.jar
bctls-jdk14-172.jar (low-level only)
bctest-jdk14-172.jar
JDK 1.3
bcprov-jdk13-172.jar
bcprov-ext-jdk13-172.jar
jce-jdk13-172.jar
jce-ext-jdk13-172.jar
bcutil-jdk13-172.jar
bcpkix-jdk13-172.jar
bcmail-jdk13-172.jar
bcpg-jdk13-172.jar
bctest-jdk13-172.jar
JDK 1.2
bcprov-jdk12-172.jar
bcprov-ext-jdk12-172.jar
jce-jdk12-172.jar
jce-ext-jdk12-172.jar
bcpkix-jdk12-172.jar
bcpg-jdk12-172.jar
bctest-jdk12-172.jar
The following signed provider jars are provided so that you can make use of the debug information in them. In the case of the non-provider jars (bcpkix, bcpg, and bcmail), the jar files do not need to be signed to work. You can rebuild them with debug turned on, or operate directly from the source, if you need.
Providers with debug
JDK 1.8 and later
bcprov-debug-jdk18on-172.jar
bcprov-ext-debug-jdk18on-172.jar
JDK 1.5 - JDK 1.8
bcprov-debug-jdk15to18-172.jar
bcprov-ext-debug-jdk15to18-172.jar
JDK 1.4
bcprov-debug-jdk14-172.jar
bcprov-ext-debug-jdk14-172.jar
Sources and JavaDoc
DTLS/TLS API/JSSE Provider
JDK 1.8 and later
bctls-jdk18on-172.tar.gz
bctls-jdk18on-172.zip
JDK 1.4 (low-level only)
bctls-jdk14-172.tar.gz
bctls-jdk14-172.zip
ASN.1 and Utility Classes
JDK 1.8 and later
bcutil-jdk18on-172.tar.gz
bcutil-jdk18on-172.zip
JDK 1.4
bcutil-jdk14-172.tar.gz
bcutil-jdk14-172.zip
JDK 1.3
bcutil-jdk13-172.tar.gz
bcutil-jdk13-172.zip
PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL
JDK 1.8 and later
bcpkix-jdk18on-172.tar.gz
bcpkix-jdk18on-172.zip
JDK 1.4
bcpkix-jdk14-172.tar.gz
bcpkix-jdk14-172.zip
JDK 1.3
bcpkix-jdk13-172.tar.gz
bcpkix-jdk13-172.zip
JDK 1.2
bcpkix-jdk12-172.tar.gz
bcpkix-jdk12-172.zip
JDK 1.1
bcpkix-jdk11-172.tar.gz
bcpkix-jdk11-172.zip
OpenPGP/BCPG
JDK 1.8 and later
bcpg-jdk18on-172.tar.gz
bcpg-jdk18on-172.zip
JDK 1.4
bcpg-jdk14-172.tar.gz
bcpg-jdk14-172.zip
JDK 1.3
bcpg-jdk13-172.tar.gz
bcpg-jdk13-172.zip
JDK 1.2
bcpg-jdk12-172.tar.gz
bcpg-jdk12-172.zip
JDK 1.1
bcpg-jdk11-172.tar.gz
bcpg-jdk11-172.zip
SMIME
JDK 1.8 and later
bcmail-jdk18on-172.tar.gz
bcmail-jdk18on-172.zip
JDK 1.4
bcmail-jdk14-172.tar.gz
bcmail-jdk14-172.zip
JDK 1.3
bcmail-jdk13-172.tar.gz
bcmail-jdk13-172.zip
JCE with provider and lightweight API
Lightweight API
JDK 1.8 and later
bcprov-jdk18on-172.tar.gz
bcprov-jdk18on-172.zip
lcrypto-jdk18on-172.tar.gz
lcrypto-jdk18on-172.zip
JDK 1.4
bcprov-jdk14-172.tar.gz
bcprov-jdk14-172.zip
lcrypto-jdk14-172.tar.gz
lcrypto-jdk14-172.zip
JDK 1.3
jce-jdk13-172.tar.gz
jce-jdk13-172.zip
lcrypto-jdk13-172.tar.gz
lcrypto-jdk13-172.zip
JDK 1.2
jce-jdk12-172.tar.gz
jce-jdk12-172.zip
lcrypto-jdk12-172.tar.gz
lcrypto-jdk12-172.zip
JDK 1.1
jce-jdk11-172.tar.gz
jce-jdk11-172.zip
lcrypto-jdk11-172.tar.gz
lcrypto-jdk11-172.zip
J2ME
lcrypto-j2me-172.tar.gz
lcrypto-j2me-172.zip
Releases no longer maintained
JDK 1.0
lcrypto-jdk10-133.tar.gz
lcrypto-jdk10-133.zip
NOTE:
- The tar archives were created using GNU tar (some versions of Solaris tar will have problems extracting them) * The J2ME source distribution includes zips for the class files
You can find the release notes, documentation, and specifications here.
You can find checksums for confirming the integrity of the distributions here
Mirrors
Too slow? You can also find the latest versions on one of our mirrors:
- polydistortion.net
Beta Access
The current working betas, when available, for the next release for JDK 1.8 and later can be found at https://www.bouncycastle.org/betas. If you need a beta to be made available for another version of Java please ask by emailing [email protected].
Maven Access
The BC jars are now mirrored on the Maven central repository. You can find them at https://repo1.maven.org/maven2/org/bouncycastle.
GIT Access
Just want to look at the source? The source code repository is now mirrored on GitHub and accessible from here. The repository can be cloned using either
https:
git clone https://github.com/bcgit/bc-java.git
or git protocol
git clone git://github.com/bcgit/bc-java.git
CVS Access
Just want to look at the source? The source code repository is accessible via ViewVC from here
FTP Access
Previous releases, as well as the latest ones, can be downloaded from our ftp server ftp.bouncycastle.org. Please note the FTP server does not support passive mode.
Related news
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).