[
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563436#comment-16563436
]
Abhijit Rajwade commented on TIKA-2699:
---------------------------------------
CVE-2016-1000338 info

Issue: [CVE-2016-1000338|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000338]
Source: National Vulnerability Database

Severity:
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 3.7

Weakness: CVE CWE: [347|https://cwe.mitre.org/data/definitions/347.html]

Description from CVE:
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully
validate ASN.1 encoding of signature on verification. It is possible to inject
extra elements in the sequence making up the signature and still have it
validate, which in some cases may allow the introduction of 'invisible' data
into a signed structure.

Explanation:
DSA does not fully validate ASN.1 encoding of signature on verification. It is
possible to inject extra elements in the sequence making up the signature and
still have it validate, which in some cases may allow the introduction of
'invisible' data into a signed structure.
Reference: https://www.bouncycastle.org/releasenotes.html

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is
not vulnerable to this specific issue.

Categories: Data

Root Cause: DSASigner.class : [1.47, 1.56)

Advisories:
Project: [https://www.bouncycastle.org/releasenotes.html]
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the
> Bouncy Castle version used by Apache Tika
> --------------------------------------------------------------------------------------------------------------------
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
> Issue Type: Bug
> Affects Versions: 1.17, 1.18
> Reporter: Abhijit Rajwade
> Priority: Major
> Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the
> Bouncy Castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340,
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to a non-vulnerable Bouncy Castle version 1.57
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy Castle to a non-vulnerable version?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
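The weakness behind CVE-2016-1000338 in the scan output above is a signature decoder that reads r and s out of the ASN.1 SEQUENCE and ignores anything that follows them. The check a verifier needs is a strict DER parse of the signature value. The following is an added example written for this page; it is not Bouncy Castle code and is not how DSASigner.class was fixed. It assumes only the standard encoding of a DSA/ECDSA signature value as SEQUENCE { r INTEGER, s INTEGER } (RFC 3279); the helper names, the encoder used to build inputs, and the test vectors are all constructed for the example.

```python
"""Strict DER parsing of a DSA/ECDSA signature value (added example).

A DSA signature value is DER-encoded as SEQUENCE { r INTEGER, s INTEGER }.
A lax decoder that pulls out r and s and ignores whatever follows lets
bytes that were never signed ride inside the signature blob. This parser
accepts a signature only if it is exactly those two minimally encoded,
positive integers with nothing before, between or after them.
"""


class DerError(ValueError):
    """Raised for any deviation from strict DER in the signature value."""


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value, next_pos).
    Only definite lengths in their minimal (DER) form are accepted."""
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise DerError("indefinite length is not DER")
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        if buf[pos] == 0:
            raise DerError("non-minimal long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise DerError("long form used for a short length")
        pos += n
    if pos + length > len(buf):
        raise DerError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_integer(value: bytes) -> int:
    """Decode a DER INTEGER body; require minimal encoding and a positive value."""
    if not value:
        raise DerError("empty INTEGER")
    if len(value) > 1 and ((value[0] == 0x00 and value[1] < 0x80)
                           or (value[0] == 0xFF and value[1] >= 0x80)):
        raise DerError("non-minimal INTEGER")
    if value[0] & 0x80:
        raise DerError("negative INTEGER is not a valid signature component")
    n = int.from_bytes(value, "big")
    if n == 0:
        raise DerError("zero is not a valid signature component")
    return n


def parse_dsa_signature_strict(sig: bytes):
    """Return (r, s) only if sig is exactly SEQUENCE { INTEGER r, INTEGER s }."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DerError("outer element is not a SEQUENCE")
    if end != len(sig):
        raise DerError("trailing bytes after the SEQUENCE")
    pos, ints = 0, []
    for _ in range(2):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise DerError("expected INTEGER")
        ints.append(_decode_integer(v))
    if pos != len(body):
        # The CVE-2016-1000338 case: a further element inside the SEQUENCE
        # that a decoder reading only r and s would silently accept.
        raise DerError("extra element inside the signature SEQUENCE")
    return ints[0], ints[1]


def is_well_formed(sig: bytes) -> bool:
    """Convenience predicate for a verifier: strict parse succeeds or not."""
    try:
        parse_dsa_signature_strict(sig)
        return True
    except DerError:
        return False


# Encoder used only to build inputs for the example (constructed, not from
# any library); it emits the minimal DER a conforming signer produces.
def _encode_length(length: int) -> bytes:
    if length < 0x80:
        return bytes([length])
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def encode_integer(n: int) -> bytes:
    if n <= 0:
        raise ValueError("signature components are positive")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the value positive
    return b"\x02" + _encode_length(len(body)) + body


def encode_dsa_signature(r: int, s: int) -> bytes:
    body = encode_integer(r) + encode_integer(s)
    return b"\x30" + _encode_length(len(body)) + body


if __name__ == "__main__":
    good = encode_dsa_signature(0x1234, 0x80AB)
    print(good.hex(), parse_dsa_signature_strict(good))
    # A copy with an empty OCTET STRING appended inside the SEQUENCE.
    padded = bytes.fromhex("300b0202123402030080ab0400")
    print("padded accepted?", is_well_formed(padded))
```

Two notes on the design. The integer checks (no leading 0x00 before a byte below 0x80, no negative values, no zero) matter as much as the element count: a verifier that canonicalises r and s before hashing or comparing can otherwise be handed several distinct byte strings for one signature. And the predicate deliberately returns a plain boolean so it can sit in front of the cryptographic verify call and be logged as a separate "malformed signature" event, which is the useful detection signal for this class of bug.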