Bouncy Castle is vulnerable to hash collision attacks. The library keystore files uses a HMAC hash that is only 16 bits long, allowing a malicious user to retrieve the password used for keystore integrity verification checks. This vulnerability only affects users of the BKS-V1
keystore format, which was re-introduced since 1.49. Since it is re-introduced in Bouncy Castle 1.49, users of Bouncy Castle 1.49 and above may be affected if the legacy BKS-V1 is being used. To remediate the vulnerability, ensure that there are no usage of BKS-V1.
www.securityfocus.com/bid/103453
access.redhat.com/errata/RHSA-2018:2927
cryptosense.com/blog/bouncycastle-keystore-security/
github.com/bcgit/bc-java/blob/5fdb1face92f596300323c25cba9fe18726645e8/prov/src/main/java/org/bouncycastle/jcajce/provider/keystore/BC.java#L20
insights.sei.cmu.edu/cert/2018/03/the-curious-case-of-the-bouncy-castle-bks-passwords.html
www.bouncycastle.org/releasenotes.html
www.kb.cert.org/vuls/id/306792
www.oracle.com/security-alerts/cpuoct2020.html