[ https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563438#comment-16563438 ]

Abhijit Rajwade commented on TIKA-2699:
---------------------------------------

CVE-2016-1000342 info

Issue: [CVE-2016-1000342|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000342]
Source: National Vulnerability Database
Severity:
  CVE CVSS 3.0: 7.5
  CVE CVSS 2.0: 5.0
  Sonatype CVSS 3.0: 3.7
Weakness: CVE CWE: [347|https://cwe.mitre.org/data/definitions/347.html]
Description from CVE: In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Explanation: ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of "invisible" data into a signed structure.
Reference: https://www.bouncycastle.org/releasenotes.html
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories: Data
Root Cause: SignatureSpi.class : [1.47, 1.56)
Advisories: Project: [https://www.bouncycastle.org/releasenotes.html|https://www.bouncycastle.org/releasenotes.html]

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> bouncy castle version used by Apache Tika
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2699
>                 URL: https://issues.apache.org/jira/browse/TIKA-2699
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17, 1.18
>            Reporter: Abhijit Rajwade
>            Priority: Major
>              Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> bouncy castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, 
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to non-vulnerable Bouncy castle version 1.57 
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy castle to a non-vulnerable version?
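The weakness the CVE text above describes is a signature decoder that reads r and s and ignores whatever else sits inside the SEQUENCE. The following is an added illustration, not code from Tika or Bouncy Castle: a minimal DER parser for an ECDSA signature (SEQUENCE of two INTEGERs) with a lenient decoder that exhibits that behaviour and a strict one that rejects extra elements and trailing bytes. The sample signature bytes are constructed for the example and are not real signatures.

```python
# Added example: lenient vs. strict DER decoding of an ECDSA signature,
# SEQUENCE { INTEGER r, INTEGER s }. Short-form lengths only (enough for
# the point being made); not the Bouncy Castle implementation.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported in this example")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos + 2:end], end

def _read_integer(buf, pos):
    """Read a DER INTEGER and enforce DER minimal, non-negative encoding."""
    tag, value, nxt = _read_tlv(buf, pos)
    if tag != 0x02 or not value:
        raise ValueError("expected INTEGER")
    if value[0] & 0x80:
        raise ValueError("negative INTEGER not valid for r/s")
    if len(value) > 1 and value[0] == 0 and not (value[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(value, "big"), nxt

def decode_lenient(sig):
    """Returns (r, s) and silently ignores any further elements in the
    SEQUENCE or bytes after it: the pattern the CVE text describes."""
    tag, body, _ = _read_tlv(sig, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    r, pos = _read_integer(body, 0)
    s, pos = _read_integer(body, pos)
    return r, s

def decode_strict(sig):
    """Like decode_lenient, but the SEQUENCE must contain exactly r and s
    and must span the whole input."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    if end != len(sig):
        raise ValueError("trailing bytes after signature SEQUENCE")
    r, pos = _read_integer(body, 0)
    s, pos = _read_integer(body, pos)
    if pos != len(body):
        raise ValueError("extra elements inside signature SEQUENCE")
    return r, s

def is_well_formed(sig):
    """True only if the strict decoder accepts the encoding."""
    try:
        decode_strict(sig)
        return True
    except ValueError:
        return False

# Constructed sample bytes (not real signatures): r = 0x1234, s = 0x5678.
GOOD_SIG = bytes.fromhex("3008" "02021234" "02025678")
# Same r and s with an OCTET STRING element appended inside the SEQUENCE.
EXTRA_ELEMENT_SIG = bytes.fromhex("300d" "02021234" "02025678" "0403aabbcc")
```

The lenient decoder returns the same (r, s) for both samples, so a verifier built on it would accept the padded encoding; the strict decoder rejects it, which is the behaviour the fixed releases provide.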



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)