[ https://issues.apache.org/jira/browse/CXF-7757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16509390#comment-16509390 ]

Colm O hEigeartaigh commented on CXF-7757:
------------------------------------------

CXF actually includes BouncyCastle 1.59 as a provided dependency in 
cxf-rt-ws-security, so it is not vulnerable. I did a maven dependency:tree on 
the CXF source and BouncyCastle 1.54 does not appear anywhere in the list of 
dependencies.

I think you should file a bug report with OpenSAML to upgrade the Cryptacular 
dependency instead, and then we could pick up the OpenSAML update in CXF.

> Upgrade bouncycastle dependency to fix vulnerability
> ----------------------------------------------------
>
>                 Key: CXF-7757
>                 URL: https://issues.apache.org/jira/browse/CXF-7757
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.2.4
>            Reporter: Dominique Jacques-Brissette
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Apache CXF has a dependency on org.bouncycastle:[email protected], which has 
> a vulnerability known as CVE-2016-1000338 
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338). 
> We discovered it in our projects via Snyk: 
> https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340
> The whole dependency chain is as follows: 
> org.apache.cxf:[email protected] > 
> org.apache.wss4j:[email protected] > 
> org.apache.wss4j:[email protected] > 
> org.apache.wss4j:[email protected] > 
> org.opensaml:[email protected] > 
> org.opensaml:[email protected] > 
> org.opensaml:[email protected] > 
> org.opensaml:[email protected] > 
> org.opensaml:[email protected] > 
> org.opensaml:[email protected] > 
> org.cryptacular:[email protected] > 
> *org.bouncycastle:[email protected]*
> For example, if the transitive dependency cryptacular was at 1.2.2, 
> then org.bouncycastle:[email protected] would be used and the 
> vulnerability would be patched.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
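As an added illustration of the check described in the comment above (not code from this thread, from CXF or from Maven): a small parser over `mvn dependency:tree -Dverbose` output that tells a version Maven actually resolves apart from one it merely lists and then drops through conflict mediation, which is what a directly declared provided 1.59 does to the transitive 1.54. The sample tree, the artifact ids and every version other than 1.54 and 1.59 are assumptions.

```python
import re

# Constructed sample of `mvn dependency:tree -Dverbose` output, not taken from the
# CXF build. Artifact ids and every version except 1.54 and 1.59 are assumptions.
TREE_WITH_OVERRIDE = r"""
[INFO] org.apache.cxf:cxf-rt-ws-security:jar:3.2.4
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.59:provided
[INFO] \- org.apache.wss4j:wss4j-ws-security-dom:jar:2.2.0:compile
[INFO]    \- org.opensaml:opensaml-saml-impl:jar:3.3.0:compile
[INFO]       \- org.cryptacular:cryptacular:jar:1.1.0:compile
[INFO]          \- (org.bouncycastle:bcprov-jdk15on:jar:1.54:compile - omitted for conflict with 1.59)
"""
# The same build without the provided declaration: nearest-wins mediation now keeps 1.54.
TREE_WITHOUT_OVERRIDE = TREE_WITH_OVERRIDE.replace(
    "[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.59:provided\n", ""
).replace(
    "(org.bouncycastle:bcprov-jdk15on:jar:1.54:compile - omitted for conflict with 1.59)",
    "org.bouncycastle:bcprov-jdk15on:jar:1.54:compile",
)

# One node per line: group:artifact:type[:classifier]:version:scope, wrapped in
# "( ... - note)" when -Dverbose reports a node that conflict mediation dropped.
TREE_LINE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*\(?"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:[\w\-]+:)+"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
    r"(?:\s+-\s+(?P<note>[^)]*))?\)?\s*$"
)

def parse_tree(text):
    """One dict per dependency node; the root line carries no scope and is skipped."""
    return [m.groupdict() for m in map(TREE_LINE.match, text.splitlines()) if m]

def occurrences(text, group, artifact):
    """Every (version, scope, note) at which group:artifact appears anywhere in the tree."""
    return [(d["version"], d["scope"], d["note"]) for d in parse_tree(text)
            if d["group"] == group and d["artifact"] == artifact]

def resolved_version(text, group, artifact):
    """The single version Maven puts on the classpath (no mediation note), or None."""
    picked = {v for v, _, note in occurrences(text, group, artifact) if note is None}
    if len(picked) > 1:
        raise ValueError(f"{group}:{artifact} resolved to several versions: {picked}")
    return next(iter(picked), None)

def vulnerable_on_classpath(text, group, artifact, bad_version):
    """True only when the flagged version is the resolved one, not merely listed in the tree."""
    return resolved_version(text, group, artifact) == bad_version
```

A scanner that only greps the tree for `1.54` would flag both builds; only the second one actually ships the vulnerable jar.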