[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16369070#comment-16369070
 ] 

Abhijit Rajwade commented on TIKA-2577:
---------------------------------------

Bouncy Castle seems to be used by Tika for support of encrypted documents,

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2577
>                 URL: https://issues.apache.org/jira/browse/TIKA-2577
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17
>            Reporter: Abhijit Rajwade
>            Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer's private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
> --- Abhijit Rajwade
>  
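
An added example, not code from the issue, Tika or Bouncy Castle: a Python check that reads the bcprov version a (shaded) jar such as tika-app declares in its Maven pom.properties and flags anything older than the 1.56 fix release named in the report. The metadata path and the sample jars it builds are assumptions/constructed data.

```python
"""Flag a jar that bundles a Bouncy Castle bcprov older than 1.56,
the release the report names as fixing CVE-2016-1000341.

Constructed example: builds small in-memory jars instead of reading a real
tika-app-1.17.jar. The pom.properties path is the layout Maven writes into
jars (and that shading usually preserves); treat it as an assumption."""
import io
import re
import zipfile

FIXED_VERSION = (1, 56)  # first bcprov release without the DSA k timing issue
# Maven metadata path typically kept inside shaded jars (assumption).
POM_PATTERN = re.compile(r"META-INF/maven/org\.bouncycastle/bcprov-[^/]+/pom\.properties$")

def parse_version(text):
    """'1.54' -> (1, 54); a '-SNAPSHOT' style suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def bundled_bcprov_versions(jar_bytes):
    """Return every bcprov version string declared in the jar's Maven metadata."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if POM_PATTERN.search(name):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        found.append(value.strip())
    return found

def is_vulnerable(jar_bytes):
    """True if any bundled bcprov is older than 1.56; None if no metadata was found."""
    versions = bundled_bcprov_versions(jar_bytes)
    if not versions:
        return None  # cannot decide from metadata alone (e.g. stripped fat jar)
    return any(parse_version(v) < FIXED_VERSION for v in versions)

def make_jar(bcprov_version):
    """Construct a minimal jar with bcprov pom.properties (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/bouncycastle/crypto/signers/DSASigner.class", b"")
        jar.writestr(
            "META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
            f"version={bcprov_version}\ngroupId=org.bouncycastle\n",
        )
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("1.54", "1.56", "1.60"):
        print(v, "vulnerable" if is_vulnerable(make_jar(v)) else "ok")
```

Point it at a real jar by passing the file's bytes to is_vulnerable(); a None result means the metadata is missing and the version has to be confirmed another way.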



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
