[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-10-17 Thread Tim Allison (JIRA) 


[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16654010#comment-16654010
 ] 

Tim Allison commented on TIKA-2577:
---

Agreed. Tika 1.19.1 uses BouncyCastle 1.60.  I just added the 
{{versions-maven-plugin}} so that we can track updates more easily.

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --
>
> Key: TIKA-2577
> URL: https://issues.apache.org/jira/browse/TIKA-2577
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer?s private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy caste version 1.56 fixes CVE-2016-1000341
> Recommend that Apach Tika upgrade Bouncy Castle to version 1.56 or latyer.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-10-17 Thread Andrew Pavlin (JIRA) 


[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16653994#comment-16653994
 ] 

Andrew Pavlin commented on TIKA-2577:
-

I have to agree with the comment. Next build should include the latest 
BouncyCastle release, so as to avoid CVE issues. After all, just because Tika 
isn't using the vulnerable parts of BouncyCastle doesn't mean other parts of 
the application using Tika couldn't call the defective BouncyCastle code.

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --
>
> Key: TIKA-2577
> URL: https://issues.apache.org/jira/browse/TIKA-2577
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer?s private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy caste version 1.56 fixes CVE-2016-1000341
> Recommend that Apach Tika upgrade Bouncy Castle to version 1.56 or latyer.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-02-19 Thread Abhijit Rajwade (JIRA) 

[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16369097#comment-16369097
 ] 

Abhijit Rajwade commented on TIKA-2577:
---

Never the less TPS scanning tools like Nexus auditor see bouncy castle 
vulnerable version packaged with Apach Tika and report this vulnerability. It 
would be nice if you upgraded the Bouncy castle version in a future release so 
that we dont have to track this particular exclusion when tracking Nexus 
auditor issues for our consuming application

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --
>
> Key: TIKA-2577
> URL: https://issues.apache.org/jira/browse/TIKA-2577
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer?s private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy caste version 1.56 fixes CVE-2016-1000341
> Recommend that Apach Tika upgrade Bouncy Castle to version 1.56 or latyer.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-02-19 Thread Nick Burch (JIRA) 

[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16369075#comment-16369075
 ] 

Nick Burch commented on TIKA-2577:
--

Given that Tika only uses BouncyCastle for decryption, not encryption/signing, 
I'm not sure that this CVE affects us?

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --
>
> Key: TIKA-2577
> URL: https://issues.apache.org/jira/browse/TIKA-2577
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer?s private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy caste version 1.56 fixes CVE-2016-1000341
> Recommend that Apach Tika upgrade Bouncy Castle to version 1.56 or latyer.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-02-19 Thread Abhijit Rajwade (JIRA) 

[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16369070#comment-16369070
 ] 

Abhijit Rajwade commented on TIKA-2577:
---

Bouncy castle seems to be used by Tika for support of encrypted documents,

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --
>
> Key: TIKA-2577
> URL: https://issues.apache.org/jira/browse/TIKA-2577
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer?s private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy caste version 1.56 fixes CVE-2016-1000341
> Recommend that Apach Tika upgrade Bouncy Castle to version 1.56 or latyer.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)