Abhijit Rajwade created TIKA-2577:
-------------------------------------
Summary: Sonatype Nexus Auditor is reporting that the Bouncy
castle version used by Tika 1.17 is vulnerable
Key: TIKA-2577
URL: https://issues.apache.org/jira/browse/TIKA-2577
Project: Tika
Issue Type: Bug
Affects Versions: 1.17
Reporter: Abhijit Rajwade
Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika
1.17 (tika-app-1.17.jar) is vulnerable.
Here are the details of CVE-2016-1000341.
*Explanation*
{{BouncyCastle}} is vulnerable to a Timing Attack. The {{generateSignature()}}
function in the {{DSASigner.java}} file allows the per message key (the {{k}}
value in the DSA algorithm) to be predictable while generating DSA signatures.
A remote attacker can exploit this vulnerability to determine the {{k}} value
by closely observing the timings for the generation of signatures, allowing the
attacker to deduce the signer's private key.
Detection
The application is vulnerable by using this component.
*Recommendation*
We recommend upgrading to a version of this component that is not vulnerable to
this specific issue.
Categories
Data
*Root Cause*
tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
Advisories
Third Party:
[https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
Project: [https://www.bouncycastle.org/releasenotes.html]
*Resolution*
Refer to [https://www.bouncycastle.org/releasenotes.html]
You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.
Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
--- Abhijit Rajwade
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
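The root-cause lines above give the auditor's finding in a compact form: DSASigner.class is present in the shaded tika-app jar and the bundled Bouncy Castle version falls in the Maven range (,1.56). The following script, an added example that is not part of the ticket or of Tika, performs the same check on a jar: it looks for the DSASigner class and reads the bundled provider version from the Maven pom.properties entry, then evaluates it against the range. The artifact id bcprov-jdk15on and the pom.properties path are assumptions about how the shaded jar is laid out; the jar built here is a constructed stand-in containing only the two entries inspected.

```python
import io
import re
import zipfile

# Auditor's range notation: "(,1.56)" means every version below 1.56.
VULNERABLE_RANGE = "(,1.56)"
# Class named in the root cause; artifact id and pom.properties path are assumptions.
DSA_SIGNER_CLASS = "org/bouncycastle/crypto/signers/DSASigner.class"
POM_PROPERTIES = "META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties"

def parse_version(v):
    """'1.56' -> (1, 56); numeric parts only (simplified Maven ordering)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def in_range(version, spec):
    """Evaluate a Maven-style range such as '(,1.56)' or '[1.50,1.56)'."""
    m = re.fullmatch(r"([\[(])\s*([^,]*)\s*,\s*([^\])]*)\s*([\])])", spec.strip())
    if not m:
        raise ValueError("unsupported range: " + spec)
    lo_inc, lo, hi, hi_inc = m[1] == "[", m[2].strip(), m[3].strip(), m[4] == "]"
    v = parse_version(version)
    if lo and (v < parse_version(lo) or (v == parse_version(lo) and not lo_inc)):
        return False
    if hi and (v > parse_version(hi) or (v == parse_version(hi) and not hi_inc)):
        return False
    return True

def audit_jar(jar_bytes):
    """Return (bundled_version, vulnerable); version is None if the class is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if DSA_SIGNER_CLASS not in names:
            return None, False
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:
            return None, True  # class present, version unknown: treat as suspect
        return version, in_range(version, VULNERABLE_RANGE)

def build_jar(version):
    """Constructed stand-in for tika-app-1.17.jar with only the two inspected entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DSA_SIGNER_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.bouncycastle\n")
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("1.54", "1.56", "1.59"):
        print(v, audit_jar(build_jar(v)))
```

To run it against a real jar, pass the file's bytes to audit_jar; a result of (None, True) means the class was found but no version metadata, which warrants a manual look.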