[ https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Allison resolved TIKA-2577.
-------------------------------
    Resolution: Fixed
    Fix Version/s: 1.19

> Sonatype Nexus Auditor is reporting that the Bouncy Castle version used by Tika 1.17 is vulnerable
> --------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2577
>                 URL: https://issues.apache.org/jira/browse/TIKA-2577
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17
>            Reporter: Abhijit Rajwade
>            Priority: Major
>             Fix For: 1.19
>
>
> Sonatype Nexus Auditor is reporting that the Bouncy Castle version used by Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The {{generateSignature()}} function in the {{DSASigner.java}} file allows the per-message key (the {{k}} value in the DSA algorithm) to be predictable while generating DSA signatures. A remote attacker can exploit this vulnerability to determine the {{k}} value by closely observing the timings for the generation of signatures, allowing the attacker to deduce the signer's private key.
>
> Detection
> The application is vulnerable by using this component.
>
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
>
> Categories
> Data
>
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
>
> Advisories
> Third Party: [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>
> *Resolution*
> Refer to [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
>
> --- Abhijit Rajwade

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
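The report above says that learning the per-message value k lets an attacker "deduce the signer's private key". The following is an added illustration of why that is so, not code from Tika or from Bouncy Castle's DSASigner: a toy DSA over constructed parameters (p=23, q=11, g=4, chosen so q divides p-1 and g has order q) with a constructed byte-sum "hash" so every value can be checked by hand. It shows the two consequences of a non-random k that the linked rdist.root.org post describes: a known k gives x directly from one signature, and a k reused across two messages can be solved for from the two signatures alone. The messages, private key and nonce in the demo are likewise made up.

```python
"""
Toy DSA showing why a leaked or reused per-message nonce k reveals the private key.
Parameters p, q, g and the byte-sum hash are constructed for illustration only;
they offer no security and are not the parameters or code of any real library.
"""

# Constructed toy parameters: q | p-1 and g = 2^((p-1)/q) mod p has order q mod p.
P, Q, G = 23, 11, 4


def hash_to_int(msg: bytes) -> int:
    """Constructed stand-in for H(m) truncated to len(q) bits: sum of bytes mod q."""
    return sum(msg) % Q


def keygen(x: int):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    assert 1 <= x < Q
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k: int):
    """DSA signature with a caller-supplied nonce k.

    In real DSA, k must be fresh, uniform in [1, q-1] and secret. The CVE in the
    report is about k being recoverable from signing-time measurements; here k is
    simply passed in so the recovery below can be checked against it.
    """
    assert 1 <= k < Q
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hash_to_int(msg) + x * r)) % Q
    # Real implementations retry with a new k when r or s is 0.
    assert r != 0 and s != 0, "degenerate nonce, pick another k"
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification: v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_to_int(msg) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def recover_x_from_k(msg: bytes, sig, k: int) -> int:
    """Known nonce: s = k^-1 (h + x r)  =>  x = (s k - h) r^-1 mod q."""
    r, s = sig
    return ((s * k - hash_to_int(msg)) * pow(r, -1, Q)) % Q


def recover_k_from_reuse(msg1: bytes, sig1, msg2: bytes, sig2) -> int:
    """Reused nonce: same k gives same r, and
    s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2) (s1 - s2)^-1 mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    assert r1 == r2, "different r means different k; this shortcut does not apply"
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    return ((h1 - h2) * pow((s1 - s2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    # Constructed demo values: private key 3, nonce 7 used twice.
    x, y = keygen(3)
    m1, m2 = b"pay Alice 10", b"pay Mallory 10000"
    sig1 = sign(x, m1, 7)
    sig2 = sign(x, m2, 7)
    assert verify(y, m1, sig1) and verify(y, m2, sig2)

    # Attacker who learned k (e.g. through the timing leak) gets x from one signature.
    print("x from known k:", recover_x_from_k(m1, sig1, 7))
    # Attacker who only sees two signatures with the same r first solves for k, then x.
    k_found = recover_k_from_reuse(m1, sig1, m2, sig2)
    print("k from reuse:", k_found, "-> x:", recover_x_from_k(m2, sig2, k_found))
```

The second recovery is the reason the advisory treats any predictability of k as a private-key compromise rather than a single-signature problem: once k is known for one signature, x follows from a single modular inverse, and every signature the key ever made or will make is forgeable.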