[jira] [Created] (CXF-7757) Upgrade bouncycastle dependency to fix vulnerability

[Dominique Jacques-Brissette (JIRA)]

Dominique Jacques-Brissette created CXF-7757:
------------------------------------------------

             Summary: Upgrade bouncycastle dependency to fix vulnerability
                 Key: CXF-7757
                 URL: https://issues.apache.org/jira/browse/CXF-7757
             Project: CXF
          Issue Type: Improvement
    Affects Versions: 3.2.4
            Reporter: Dominique Jacques-Brissette


Apache CXF has a dependency on org.bouncycastle:bcprov-jdk15on@1.54 which has a 
vulnerability known as CVE-2016-1000338 
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338)

We discovered it in our projects via Snyk 
https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340

The whole dependency chain is as follows

org.apache.cxf:cxf-rt-ws-security@3.2.4 > 
org.apache.wss4j:wss4j-ws-security-policy-stax@2.2.1 > 
org.apache.wss4j:wss4j-ws-security-stax@2.2.1 > 
org.apache.wss4j:wss4j-ws-security-common@2.2.1 > 
org.opensaml:opensaml-xacml-saml-impl@3.3.0 > 
org.opensaml:opensaml-saml-impl@3.3.0 > org.opensaml:opensaml-soap-impl@3.3.0 > 
org.opensaml:opensaml-soap-api@3.3.0 > org.opensaml:opensaml-xmlsec-api@3.3.0 > 
org.opensaml:opensaml-security-api@3.3.0 > org.cryptacular:cryptacular@1.1.1 > 
*org.bouncycastle:bcprov-jdk15on@1.54*

For example, if the transitive dependency cryptacular was at 1.2.2, 
then org.bouncycastle:bcprov-jdk15on@1.59 would be used and the 
vulnerability would be patched.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)