[https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563444#comment-16563444]
Abhijit Rajwade commented on TIKA-2699:
---------------------------------------
CVE-2016-1000352 info
Issue: [CVE-2016-1000352|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000352]
Source: National Vulnerability Database
Severity:
CVE CVSS 3.0: 7.4
CVE CVSS 2.0: 5.8
Sonatype CVSS 3.0: 4.8
Weakness: CVE CWE: [310|https://cwe.mitre.org/data/definitions/310.html]
Description from CVE:
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES
implementation allowed the use of ECB mode. This mode is regarded as unsafe and
support for it has been removed from the provider.
Explanation:
BouncyCastle uses an insecure encryption method when encrypting data using the
elliptic curve key exchange algorithm. The {{engineInit}} method in the
{{IESCipher}} class and {{configure}} method in the {{EC}} class implement the
ECB mode for encryption, which may result in information about the clear text
being leaked into the encrypted cipher text. An attacker with access to the
encrypted data can exploit this vulnerability by analyzing the encrypted data
for patterns that reveal information about the clear text.
Detection:
The application is vulnerable by using this component and making use of ECB
mode encryption.
Recommendation:
We recommend upgrading to a version of this component that is not vulnerable to
this specific issue.
Categories:
Functional
Data
Root Cause:
IESCipher.class : [1.49, 1.56)
EC.class : [1.49, 1.56)
Advisories:
Project:
[https://vigilance.fr/vulnerability/Bouncy-Castle-multiple-vu...|https://vigilance.fr/vulnerability/Bouncy-Castle-multiple-vulnerabilities-21455]
Project: [https://github.com/bcgit/bc-java]
Project: [https://www.bouncycastle.org/releasenotes.html]
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the
> bouncy castle version used by Apache Tika
> --------------------------------------------------------------------------------------------------------------------
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
> Issue Type: Bug
> Affects Versions: 1.17, 1.18
> Reporter: Abhijit Rajwade
> Priority: Major
> Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the
> bouncy castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340,
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to non vulnerable Bouncy castle version 1.57
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy castle to a non vulnerable version?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)