Yes, ROR uses these two BouncyCastle jars. None of them have known CVEs.
In our project, we use OWASP Dependency-Check to make sure our dependencies have no CVEs. Obviously, I checked these two manually to make sure that the reported CVEs are false positives. Maybe you should contact the Blackduck creators and report the issue (false positive reports).
But thanks for raising the flag. CVEs are an important topic in security software, so we always double-check if someone has doubts.