[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563439#comment-16563439
 ] 

Abhijit Rajwade commented on TIKA-2699:
---------------------------------------

CVE-2016-1000343 info

Issue: [CVE-2016-1000343|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000343]
Source: National Vulnerability Database
Severity:
  CVE CVSS 3.0: 7.5
  CVE CVSS 2.0: 5.0
  Sonatype CVSS 3.0: 3.7
Weakness: CVE CWE: [310|https://cwe.mitre.org/data/definitions/310.html]
Description from CVE: In the Bouncy Castle JCE Provider version 1.55 and earlier 
the DSA key pair generator generates a weak private key if used with default 
values. If the JCA key pair generator is not explicitly initialised with DSA 
parameters, 1.55 and earlier generates a private value assuming a 1024 bit key 
size. In earlier releases this can be dealt with by explicitly passing 
parameters to the key pair generator.
Explanation: The {{BouncyCastle}} package is vulnerable to weak key generation 
when using DSA for encryption and/or signing. The {{generateKeyPair()}} method 
in the {{KeyPairGeneratorSpi}} class uses a small value when generating the 
private key. This makes it easier for an attacker to brute-force the private 
key, which will result in the decryption of information or impersonation of the 
vulnerable server.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is 
not vulnerable to this specific issue.
Categories: Data
Root Cause: KeyPairGeneratorSpi.class : [1.47, 1.56)
Advisories: Project: [https://www.bouncycastle.org/releasenotes.html]
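As an added example (not code from Tika, Bouncy Castle or the Sonatype report): the mitigation the CVE text describes, explicit DSA parameters handed to the key pair generator, together with a sanity check that can be run over any DSAPrivateKey to catch a private value far shorter than the group order. The provider name ("BC" once the Bouncy Castle provider is registered, null for the JDK default), the 2048-bit size and the 16-bit tolerance are assumptions made for the example.

```java
import java.math.BigInteger;
import java.security.AlgorithmParameterGenerator;
import java.security.AlgorithmParameters;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.DSAPrivateKey;
import java.security.spec.DSAParameterSpec;

// Added example; not code from Tika, Bouncy Castle or Sonatype.
public class DsaKeyCheck {

    // Hardened pattern from the CVE text: never rely on the provider's default
    // initialisation, always pass explicit p, q, g. "provider" is an assumption:
    // "BC" after Security.addProvider(new BouncyCastleProvider()), null = JDK default.
    static KeyPair generateWithExplicitParams(int pBits, String provider) throws Exception {
        AlgorithmParameterGenerator apg = provider == null
                ? AlgorithmParameterGenerator.getInstance("DSA")
                : AlgorithmParameterGenerator.getInstance("DSA", provider);
        apg.init(pBits);
        AlgorithmParameters params = apg.generateParameters();
        DSAParameterSpec spec = params.getParameterSpec(DSAParameterSpec.class);

        KeyPairGenerator kpg = provider == null
                ? KeyPairGenerator.getInstance("DSA")
                : KeyPairGenerator.getInstance("DSA", provider);
        kpg.initialize(spec);   // explicit parameters: no default key-size assumption
        return kpg.generateKeyPair();
    }

    // Sanity check for an existing key: a sound generator draws x uniformly from
    // [1, q-1], so x's bit length is almost always within a few bits of q's
    // (probability of a 16-bit shortfall is about 2^-16). Also require a 2048-bit
    // p, since the advisory's weakness is a 1024-bit-sized private value.
    static boolean privateValueMatchesGroup(DSAPrivateKey key) {
        BigInteger p = key.getParams().getP();
        BigInteger q = key.getParams().getQ();
        BigInteger x = key.getX();
        boolean inRange = x.signum() > 0 && x.compareTo(q) < 0;
        boolean fullLength = q.bitLength() - x.bitLength() <= 16;
        return p.bitLength() >= 2048 && inRange && fullLength;
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateWithExplicitParams(2048, null);
        DSAPrivateKey priv = (DSAPrivateKey) kp.getPrivate();
        System.out.println("p bits: " + priv.getParams().getP().bitLength());
        System.out.println("q bits: " + priv.getParams().getQ().bitLength());
        System.out.println("x bits: " + priv.getX().bitLength());
        System.out.println("private value consistent with group: " + privateValueMatchesGroup(priv));
    }
}
```

Run the check against keys produced by the affected Bouncy Castle versions with the default initialisation and against keys produced after upgrading or passing explicit parameters; the check is a heuristic over key material, not a substitute for the version upgrade the report recommends.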

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2699
>                 URL: https://issues.apache.org/jira/browse/TIKA-2699
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17, 1.18
>            Reporter: Abhijit Rajwade
>            Priority: Major
>              Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, 
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352.
> The recommendation is to upgrade to a non-vulnerable Bouncy Castle version 1.57 
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy Castle to a non-vulnerable version?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)