fix(security): upgrade Bouncy Castle 1.70 → 1.84 (CVE-2025-14813)

[mbiuki]

Summary

Upgrade the bcprov / bcpkix dependencies from 1.70 → 1.84 to clear customer scanner findings on CVE-2025-14813. The artifactId rename jdk15on → jdk18on (mandatory above BC 1.71) lands in the same patch.

CVE

• CVE-2025-14813 — Bouncy Castle BC-JAVA bcprov, CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The GOSTCTR mode cannot correctly process more than 255 blocks.
• Affected version ranges: 1.59 → 1.80.2, 1.81 → 1.81.1, 1.82 → 1.84.
• Fixed in 1.80.2, 1.81.1, 1.84.
• CVSS not yet scored by NVD.
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-14813

dotCMS exposure (real-world risk: near zero)

The vulnerable code path is GOSTCTR — gh api search/code?q=GOSTCTR+repo:dotCMS/core returns 0 results. dotCMS does not invoke GOSTCTR anywhere. Customer is blocked by a scanner doing version-match on the transitive dependency, not by an exploitable code path. Upgrade is still the right move — gets us off a 3-year-old crypto release and unblocks the customer.

Note: there is a vendored BC fork under dotCMS/src/enterprise/java/com/dotcms/enterprise/license/bouncycastle/... (license-checker), including some GOST3410/ECGOST3410 classes — but no GOSTCTR file. Out of scope for this CVE; flagging for future cleanup.

Patch scope

Tag-only/version-only edits:

• bom/application/pom.xml (single source of truth per CLAUDE.md "Maven versions" rule):
  • <bouncy-castle.version>1.70</bouncy-castle.version> → 1.84
  • <artifactId>bcpkix-jdk15on</artifactId> → bcpkix-jdk18on
  • <artifactId>bcprov-jdk15on</artifactId> → bcprov-jdk18on
• dotCMS/pom.xml (artifactId references only — no version literal):
  • <artifactId>bcpkix-jdk15on</artifactId> → bcpkix-jdk18on
  • <artifactId>bcprov-jdk15on</artifactId> → bcprov-jdk18on

No application-code changes required. Bouncy Castle 1.71+ requires Java 1.8+; dotCMS runs on Java 21, so the jdk18on family applies cleanly.

Plan

1. Open this issue (tracking) ← here.
2. Land patch on main (PR opened on issue-{this-issue}-cve-2025-14813-bouncy-castle).
3. CI is the verification gate — local full test suite is impractical for this repo (CLAUDE.md warns against it).
4. Backport to dotcms/dotcms25.07.10_lts_v9_4f49576 (same diff, both branches start from BC 1.70).

Customer context

• Reporter: Customer via Freshdesk ticket 37703.
• Customer provided their own patch + confirmed local compile and "no breaking changes." We're not applying the customer patch directly — instead writing the same edits ourselves so the diff is auditable and matches our convention rules.

Verification

• PR CI green on main
• LTS backport PR opened
• LTS PR CI green
• Customer scanner no longer flags CVE-2025-14813 after release

[github-actions]

PRs linked to this issue

• fix(security): [LTS 25.07.10] upgrade Bouncy Castle 1.70 → 1.84 (CVE-2025-14813) by @mbiuki
• fix(security): upgrade Bouncy Castle 1.70 → 1.84 (CVE-2025-14813) by @mbiuki
• fix(security): upgrade Bouncy Castle 1.81 → 1.84 (CVE-2025-14813) by @abdulbasit-syed

[github-actions]

PRs:

• fix(security): [release-25.07.10_lts] upgrade Bouncy Castle 1.70 → 1.84 (CVE-2025-14813) #35997