[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16653994#comment-16653994
 ] 

Andrew Pavlin commented on TIKA-2577:
-------------------------------------

I have to agree with the comment. Next build should include the latest 
BouncyCastle release, so as to avoid CVE issues. After all, just because Tika 
isn't using the vulnerable parts of BouncyCastle doesn't mean other parts of 
the application using Tika couldn't call the defective BouncyCastle code.

> Sonatype Nexus Auditor is reporting that the Bouncy Castle version used by 
> Tika 1.17 is vulnerable
> --------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2577
>                 URL: https://issues.apache.org/jira/browse/TIKA-2577
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17
>            Reporter: Abhijit Rajwade
>            Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy Castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer's private key.
> *Detection*
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> *Categories*
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> *Advisories*
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer to [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
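The quoted description says that once an attacker learns the per-message value k for a DSA signature, the signer's private key follows. The Python below is added here as an illustration; it is not code from the ticket, from Tika or from Bouncy Castle. It uses constructed toy DSA parameters (p = 607, q = 101, far too small to be secure) and constructed messages. sign() takes k as a parameter only so the recovery can be exercised, recover_x_from_k() recovers x from one signature plus k, and recover_x_from_reused_k() recovers x from two signatures that share a k without k being known at all. The timing side channel in DSASigner.generateSignature() that leaks k is not reproduced; the example only shows why a leaked or predictable k is equivalent to a leaked private key.

```python
import hashlib
import secrets

# Constructed toy DSA domain parameters: far too small to be secure, chosen so the
# numbers are easy to follow. q divides p-1 and g has order q in Z_p^*.
P = 607
Q = 101
G = pow(2, (P - 1) // Q, P)  # 2^6 mod 607 = 64
assert G != 1 and pow(G, Q, P) == 1


def hash_to_int(msg: bytes) -> int:
    """Message digest as an integer mod q (real DSA truncates to q's bit length)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(rng=secrets.randbelow):
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = 1 + rng(Q - 1)
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k: int):
    """DSA signature with an explicitly supplied per-message secret k (1 <= k < q).

    A correct implementation draws a fresh uniformly random k for every signature
    and never reveals it; k is a parameter here only so recovery can be shown."""
    if not 0 < k < Q:
        raise ValueError("k out of range")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_int(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification: v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = hash_to_int(msg) * w % Q
    u2 = r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def recover_x_from_k(msg: bytes, sig, k: int) -> int:
    """Private key from one signature once k is known.

    s = k^-1 (h + x r) mod q  =>  x = (s k - h) r^-1 mod q."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * pow(r, -1, Q) % Q


def recover_x_from_reused_k(msg1: bytes, sig1, msg2: bytes, sig2) -> int:
    """Private key from two signatures that share k (visible as equal r values).

    s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2) (s1 - s2)^-1 mod q, then as above."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("r differs, so k was not reused")
    if (s1 - s2) % Q == 0:
        raise ValueError("h1 == h2 mod q, k cannot be isolated")
    k = (hash_to_int(msg1) - hash_to_int(msg2)) * pow(s1 - s2, -1, Q) % Q
    return recover_x_from_k(msg1, sig1, k)


def demo(x: int = 37) -> dict:
    """Sign two constructed messages with the same k and exercise both recovery paths."""
    y = pow(G, x, P)
    m1, m2 = b"tika-app-1.17.jar", b"tika-app-1.18.jar"  # constructed inputs
    while hash_to_int(m1) == hash_to_int(m2):            # guard h1 == h2 mod q
        m2 += b"!"
    for k in range(1, Q):                                 # first non-degenerate k
        try:
            sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
            leaked = recover_x_from_k(m1, sig1, k)
            reused = recover_x_from_reused_k(m1, sig1, m2, sig2)
        except ValueError:
            continue
        return {"verifies": verify(y, m1, sig1) and verify(y, m2, sig2),
                "from_known_k": leaked == x,
                "from_reused_k": reused == x}
    raise RuntimeError("no usable k found")


if __name__ == "__main__":
    print(demo())
```

Running the file prints a dict with all three flags True. The point for the upgrade discussion is that k does not need to be fully exposed for this to matter: any channel that makes k predictable, whether signature timing as in CVE-2016-1000341 or plain reuse, hands the attacker the private key, so a vulnerable DSASigner bundled in tika-app is a risk for any code in the same process that signs with it.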
