Latest versions of Lucee using Bouncy Castle version 1.38 with over 20 CVE vulnerabilities

The latest versions of Lucee are still using Bouncy Castle version 1.38. This version is from 2009-07-09. How do we go about updating this version of Bouncy Castle?

The current version is 1.77

Bouncy Castle 1.38 is coming from extensions and is not part of Lucee core. I found this in my research.

Extensions that I know of that are using Bouncy Castle 1.38

  • PDF
  • S3 Resource

I am currently working with developers at Bouncy Castle LTS version 2.73.4 to get the OSGi information included and secure. Since any LTS version is just that, long term, these extensions might want to update to the latest Bouncy Castle LTS version.

The version that is in use does not support ED25519 encryption.
So you currently cannot use an ED25519 certificate for authentication with CFFTP.

I counted over 20 vulnerabilities in Bouncy Castle version 1.38

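To find out which Bouncy Castle build an installation actually ships, the practical check is to open the extension archives and jars and read the OSGi headers from each jar's manifest, then compare the version against a baseline. The script below is an added example and is not code from the post, from Lucee, or from the Bouncy Castle project. It assumes that Bouncy Castle jars carry `Bundle-SymbolicName` and `Bundle-Version` manifest headers, that a `.lex` extension archive is a zip containing jars, and it uses 1.77 (the release the post names as current) as the baseline; the archive and jar names, and the manifest-only jars it builds, are constructed sample input.

```python
"""Scan Lucee extension archives (.lex) and plain jars for the bundled
Bouncy Castle version and flag anything older than a chosen baseline."""
import io
import re
import zipfile

# Baseline taken from the post: 1.77 is the current release at the time of writing.
BASELINE = (1, 77)

# Bouncy Castle bundle ids as they appear in a jar's MANIFEST.MF (assumption:
# the bc* jars ship OSGi headers Bundle-SymbolicName / Bundle-Version).
BC_BUNDLES = {"bcprov", "bcpkix", "bcutil", "bcmail", "bcpg"}


def parse_manifest(raw: bytes) -> dict:
    """Parse a JAR manifest into a dict; continuation lines begin with one space."""
    attrs, last = {}, None
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def version_tuple(text: str) -> tuple:
    """'1.38.0' -> (1, 38): keep major and minor, enough to compare releases."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts[:2])


def bc_version_of_jar(jar_bytes: bytes):
    """Return (bundle, version_tuple) if the jar is a Bouncy Castle bundle, else None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
    # Bundle-SymbolicName may carry ';' directives; the id is the first token.
    bundle = attrs.get("Bundle-SymbolicName", "").split(";")[0].strip()
    if bundle not in BC_BUNDLES:
        return None
    version = attrs.get("Bundle-Version") or attrs.get("Implementation-Version", "")
    return bundle, version_tuple(version)


def scan_archive(name: str, data: bytes) -> list:
    """Walk a .lex (zip of jars) or a bare .jar; return one finding dict per BC jar."""
    findings = []
    if name.endswith(".jar"):
        hit = bc_version_of_jar(data)
        if hit:
            bundle, ver = hit
            findings.append({"archive": name, "jar": name, "bundle": bundle,
                             "version": ver, "outdated": ver < BASELINE})
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as ext:
        for entry in ext.namelist():
            if entry.endswith(".jar"):
                for finding in scan_archive(entry, ext.read(entry)):
                    finding["archive"] = name  # attribute the jar to its extension
                    findings.append(finding)
    return findings


def _make_jar(symbolic_name: str, version: str) -> bytes:
    """Constructed sample jar holding only a manifest (not a real BC build)."""
    manifest = ("Manifest-Version: 1.0\r\n"
                f"Bundle-SymbolicName: {symbolic_name}\r\n"
                f"Bundle-Version: {version}\r\n"
                "Implementation-Vendor-Id: org.bouncycastle\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def sample_findings() -> list:
    """Constructed input: an extension archive bundling an old bcprov, plus a current jar."""
    lex = io.BytesIO()
    with zipfile.ZipFile(lex, "w") as z:
        z.writestr("jars/bcprov-jdk14-138.jar", _make_jar("bcprov", "1.38.0"))
        z.writestr("jars/some-other-lib.jar", _make_jar("other", "9.9.9"))
    return (scan_archive("pdf-extension.lex", lex.getvalue())
            + scan_archive("bcprov-jdk18on-177.jar", _make_jar("bcprov", "1.77.0")))


if __name__ == "__main__":
    for f in sample_findings():
        flag = "OUTDATED" if f["outdated"] else "ok"
        print(f"{f['archive']}: {f['jar']} {f['bundle']} {f['version']} {flag}")
```

Pointed at a real install, `scan_archive` would be called with the bytes of each `.lex` in the extensions directory and each jar on the classpath; an `outdated` finding is the jar to raise with the extension's maintainer, since the version inside the extension archive is what the server loads, not whatever Lucee core ships.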