"Bouncy Castle Bug Puts Bcrypt Passwords at Risk"

Synopsys researchers discovered a severe authentication bypass vulnerability in a popular Java cryptography library called Bouncy Castle. The vulnerability exists in the OpenBSDBcrypt class of Bouncy Castle. The exploitation of this vulnerability could allow attackers to circumvent password checks performed by applications using the Bcrypt password hashing algorithm. Although Bouncy Castle released a patch for the bug in early November, over 90% of organizations that use the vulnerable version of this library still have not applied the patch. Bouncy Castle is used by developers across 26,000 organizations for securing applications, making the flaw a significant threat to supply chain security. This article continues to discuss the severity, potential exploitation, and impact of the Bouncy Castle bug. 

Infosecurity Magazine reports "Bouncy Castle Bug Puts Bcrypt Passwords at Risk"