High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2024-34447
Severity: High
Vulnerability Description
An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.
CVSS Metrics
Common Vulnerability Scoring System
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
(Network attack vector, low attack complexity, no privileges or user interaction required, scope unchanged; high confidentiality impact, no integrity or availability impact.)
Related Advisories
- CPUAPR2026: Oracle Critical Patch Update Advisory - April 2026
- USN-8108-1: Bouncy Castle vulnerabilities
- CPUJAN2025: Oracle Critical Patch Update Advisory - January 2025
References & Resources
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
- https://security.netapp.com/advisory/ntap-20240614-0007/
- https://www.bouncycastle.org/latest_releases.html
Severity Details
Weakness Type (CWE): Improper Validation of Certificate with Host Mismatch (CWE-297)
- Description: The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
- Exploit Likelihood: High
- Typical Severity: High
- Abstraction Level: Variant
Key Information
- Published Date: May 03, 2024
