Red Hat JBoss EAP: CVE-2025-8885: Allocation of Resources Without Limits or Throttling
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Aug 12, 2025 | Aug 14, 2025 | Nov 26, 2025 |
Description
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program file https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.java .
This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1. A resource exhaustion flaw has been discovered in the Bouncy Castle for Java library. The flaw exists because there was no practical limit on the size of an encoded ASN.1 Object Identifier (OID), beyond the maximum size of an ASN1Object. While technically valid, this could be exploited by an attacker to create excessively large OIDs, which would cause uncontrolled memory consumption and lead to a denial of service (DoS) attack.
In following the practice of other providers, we have adopted a limit of 4096 bytes on the size of an encoded identifier and a cap of 16385 characters on an identifier string.
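As an added illustration of the caps the advisory describes (example code, not Bouncy Castle's own), a DER OID decoder in Python that enforces the 4096-byte limit on the encoded identifier before the body is walked and the 16385-character limit on the resulting string afterwards; the function and constant names and the constructed test vector are assumptions.

```python
MAX_ENCODED_OID_BYTES = 4096    # cap on the encoded identifier (from the advisory)
MAX_OID_STRING_CHARS = 16385    # cap on the dotted identifier string (from the advisory)


class OidTooLarge(ValueError): """Raised when an OID exceeds either cap; it is rejected, not decoded."""


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06) to dotted form, checking the length cap first."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if length > MAX_ENCODED_OID_BYTES:     # reject before any sub-identifier is materialised
        raise OidTooLarge(f"encoded OID is {length} bytes, cap is {MAX_ENCODED_OID_BYTES}")
    body = der[offset:offset + length]
    if length == 0 or len(body) != length or body[-1] & 0x80:
        raise ValueError("truncated or unterminated OID body")
    subids, value = [], 0
    for b in body:                         # base-128 digits; high bit set on all but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    head = subids[0]                       # the first two arcs share one sub-identifier
    arcs = [0, head] if head < 40 else [1, head - 40] if head < 80 else [2, head - 80]
    dotted = ".".join(map(str, arcs + subids[1:]))
    if len(dotted) > MAX_OID_STRING_CHARS:
        raise OidTooLarge(f"identifier string is {len(dotted)} chars, cap is {MAX_OID_STRING_CHARS}")
    return dotted


def long_arc_oid(body_len: int) -> bytes:
    """Constructed test vector: a well-formed OID (arcs 1.2 then one huge arc) with a body_len-byte body."""
    body = b"\x2a" + b"\x81" * (body_len - 2) + b"\x01"
    len_bytes = len(body).to_bytes(4, "big").lstrip(b"\x00")
    return b"\x06" + bytes([0x80 | len(len_bytes)]) + len_bytes + body


def is_accepted(der: bytes) -> bool:
    """True when the OID decodes within the caps, False when it is rejected as oversized."""
    try:
        return bool(decode_oid(der))
    except OidTooLarge:
        return False
```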
Solution
red-hat-jboss-eap-upgrade-latest