Abhijit Rajwade created TIKA-2577:
-------------------------------------

             Summary: Sonatype Nexus Auditor is reporting that the Bouncy Castle version used by Tika 1.17 is vulnerable
                 Key: TIKA-2577
                 URL: https://issues.apache.org/jira/browse/TIKA-2577
             Project: Tika
          Issue Type: Bug
    Affects Versions: 1.17
            Reporter: Abhijit Rajwade
Sonatype Nexus Auditor is reporting that the Bouncy Castle version used by Tika 1.17 (tika-app-1.17.jar) is vulnerable. Here are the details of CVE-2016-1000341.

*Explanation*
{{BouncyCastle}} is vulnerable to a Timing Attack. The {{generateSignature()}} function in the {{DSASigner.java}} file allows the per-message key (the {{k}} value in the DSA algorithm) to be predictable while generating DSA signatures. A remote attacker can exploit this vulnerability to determine the {{k}} value by closely observing the timings for the generation of signatures, allowing the attacker to deduce the signer's private key.

*Detection*
The application is vulnerable by using this component.

*Recommendation*
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

*Categories*
Data

*Root Cause*
tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)

*Advisories*
Third Party: [https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
Project: [https://www.bouncycastle.org/releasenotes.html]

*Resolution*
Refer to [https://www.bouncycastle.org/releasenotes.html]. You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.

Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.

---
Abhijit Rajwade

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
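A defender-side check for the root-cause finding above, added here as an example and not part of the ticket or of Tika: the script opens a fat jar such as tika-app-1.17.jar, looks for the flagged DSASigner class and for the Bouncy Castle version recorded in the jar's Maven pom.properties, and flags any version inside the affected range (,1.56). It assumes the shaded jar kept META-INF/maven/org.bouncycastle/*/pom.properties, and it builds a small stand-in jar in memory (constructed test data, with the bcprov-jdk15on artifact name assumed) so it runs offline.

```python
import io
import re
import zipfile

# Nexus Auditor gives the affected range for CVE-2016-1000341 as (,1.56):
# every Bouncy Castle release strictly below 1.56.
FIXED_VERSION = "1.56"
# Flagged class path; the pom.properties lookup assumes the shaded jar kept Maven metadata.
DSASIGNER_CLASS = "org/bouncycastle/crypto/signers/DSASigner.class"
POM_PROPERTIES_RE = re.compile(r"^META-INF/maven/org\.bouncycastle/[^/]+/pom\.properties$")

def version_tuple(version):
    """Turn a dotted version such as '1.55' into a tuple of ints for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def bouncycastle_versions(jar_bytes):
    """Collect the Bouncy Castle versions declared by pom.properties files in the jar."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if POM_PROPERTIES_RE.match(name):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        found.add(value.strip())
    return sorted(found, key=version_tuple)

def audit_jar(jar_bytes):
    """Flag a jar that bundles DSASigner from a Bouncy Castle release below 1.56.
    DSASigner present with no version metadata is reported as unknown, not clean."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        has_dsasigner = DSASIGNER_CLASS in jar.namelist()
    versions = bouncycastle_versions(jar_bytes)
    vulnerable = [v for v in versions if version_tuple(v) < version_tuple(FIXED_VERSION)]
    return {
        "bundles_dsasigner": has_dsasigner,
        "bouncycastle_versions": versions,
        "vulnerable_versions": vulnerable,
        "affected": has_dsasigner and bool(vulnerable),
        "version_unknown": has_dsasigner and not versions,
    }

def build_sample_jar(bc_version):
    """Construct a minimal stand-in for a fat jar bundling Bouncy Castle (test data, not Tika)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
                     "groupId=org.bouncycastle\nartifactId=bcprov-jdk15on\nversion=%s\n" % bc_version)
        jar.writestr(DSASIGNER_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic is enough here
    return buf.getvalue()
```

Against a real build, call audit_jar(open("tika-app-1.17.jar", "rb").read()); an entry in vulnerable_versions is the same finding the ticket reports.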