Upgrade Bouncy Castle FIPS dependencies #112989
Conversation
This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions.
slobodanadamovic
added
>upgrade
:Security/Security
|
Documentation preview: |
|
Hi @slobodanadamovic, I've created a changelog YAML for you. |
…adamovic/elasticsearch into sa-upgrade-bc-fips-dependencies
|
@elasticmachine update branch |
|
@slobodanadamovic Upgrading https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4743 (certificate for |
|
@h3xcat - We strive to keep Elasticsearch dependencies free from CVE's. This upgrade is to address CVE-2024-29857 , which Elasticsearch (the service) is not susceptible, out of the box, since Bouncy Castle is not shipped or configured (out of the box) as a JCE/JSSE provider. It is used in ancillary functions and for testing to ensure that our guidance for how to be compliant works. This change will update the dependency for those ancillary functions and which version we test against and our guidance for FIPS compliance. After internal discussion and a quick consult with a consultant we decided to proceed with the upgrade to the dependency. There will always be a time difference between a CVE being reported and a FIPS module being able to be re-certified. So what is the appropriate action ? Ship/recommend a dependency with CVE(s); with certification vs. ship/recommend a dependency without CVE(s); not certified ? FedRAMP helps to answer that: https://www.fedramp.gov/updates/docs/cryptographic-module/ : "FedRAMP generally prefers use of an unvalidated module with no known vulnerabilities over the use of a known-vulnerable validated module." So that is the rationale to why we plan upgrade this dependency, and will be our general stance going forward. There are arguments to made both ways, but we believe that the default should be CVE free. In this case, Bouncy Castle 1.x / FIPS 140-2 module (per bcgit/bc-java#1688 (comment)) will never be re-certified, but the point remains to prefer no vulnerabilities over the version in the certification. There are plans to upgrade our support to Bouncy Castle 2.0.0 with FIPS 140-3 compliance, but that will take a bit before that can be fully supported. |
slobodanadamovic
added
auto-backport
|
Pinging @elastic/es-security (Team:Security) |
This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions.
This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions.
This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions.
This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions.
This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions. (cherry picked from commit 6ea3e01)
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions. (cherry picked from commit 6ea3e01) Co-authored-by: Slobodan Adamović <[email protected]>
) This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions. (cherry picked from commit 6ea3e01) Co-authored-by: Slobodan Adamović <[email protected]>
7 participants
This PR updates
bc-fipsandbctls-fipsdependencies to the latest minor versions.