[ https://issues.apache.org/jira/browse/CXF-7757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16509390#comment-16509390 ]

Colm O hEigeartaigh commented on CXF-7757:
------------------------------------------

CXF actually includes BouncyCastle 1.59 as a provided dependency in 
cxf-rt-ws-security, so it is not vulnerable. I did a maven dependency:tree on 
the CXF source and BouncyCastle 1.54 does not appear anywhere in the list of 
dependencies.

I think you should file a bug report with OpenSAML to upgrade the Cryptacular 
dependency instead, and then we could pick up the OpenSAML update in CXF.

> Upgrade bouncycastle dependency to fix vulnerability
> ----------------------------------------------------
>
>                 Key: CXF-7757
>                 URL: https://issues.apache.org/jira/browse/CXF-7757
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.2.4
>            Reporter: Dominique Jacques-Brissette
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Apache CXF has a dependency on org.bouncycastle:bcprov-jdk15on@1.54 which has 
> a vulnerability known as CVE-2016-1000338 
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338)
> We discovered it in our projects via Snyk 
> https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340
> The whole dependency chain is as follows:
> org.apache.cxf:cxf-rt-ws-security@3.2.4 >
> org.apache.wss4j:wss4j-ws-security-policy-stax@2.2.1 >
> org.apache.wss4j:wss4j-ws-security-stax@2.2.1 >
> org.apache.wss4j:wss4j-ws-security-common@2.2.1 >
> org.opensaml:opensaml-xacml-saml-impl@3.3.0 >
> org.opensaml:opensaml-saml-impl@3.3.0 >
> org.opensaml:opensaml-soap-impl@3.3.0 >
> org.opensaml:opensaml-soap-api@3.3.0 >
> org.opensaml:opensaml-xmlsec-api@3.3.0 >
> org.opensaml:opensaml-security-api@3.3.0 >
> org.cryptacular:cryptacular@1.1.1 >
> *org.bouncycastle:bcprov-jdk15on@1.54*
> For example, if the transitive dependency cryptacular was at 1.2.2, 
> then org.bouncycastle:bcprov-jdk15on@1.59 would be used and the 
> vulnerability would be patched.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

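As an added example (not part of this issue or of the CXF project): the disagreement above comes down to whose dependency tree is being inspected, the CXF source tree or the consuming application's. The script below parses `mvn dependency:tree` output and prints every root-to-leaf chain that ends in a given artifact at a version older than the fixed one, in the same `a > b > c` form the reporter used, so a consumer can run the check on their own build. The tree text in the block is constructed to mirror the chain quoted in the issue; the project coordinates com.example:myapp and the slf4j sibling are assumptions.

```python
"""Find which dependency chain pulls a vulnerable artifact into a Maven
build by parsing `mvn dependency:tree` output.

Added example for CXF-7757; not code from the CXF project. The tree text
below is constructed to mirror the chain quoted in the issue. On a real
project run:  mvn dependency:tree > tree.txt && python find_vuln_dep.py tree.txt
"""
import re
import sys
from typing import List, Optional, Tuple

# Maven dependency scopes; the scope is the last ':'-separated field of a
# dependency line and is absent on the root (project) line.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Tree-drawing markers emitted by maven-dependency-plugin; each nesting
# level adds exactly three characters of prefix before the marker.
MARKER = re.compile(r"(?:\+|\\)- ")
COORDS = re.compile(r"^[\w.\-]+:[\w.\-]+:")

# Constructed sample shaped like real `mvn dependency:tree` output, with the
# chain reported in the issue hanging under an assumed consumer project.
SAMPLE_TREE = r"""
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile
[INFO] |  \- org.apache.wss4j:wss4j-ws-security-policy-stax:jar:2.2.1:compile
[INFO] |     \- org.apache.wss4j:wss4j-ws-security-stax:jar:2.2.1:compile
[INFO] |        \- org.apache.wss4j:wss4j-ws-security-common:jar:2.2.1:compile
[INFO] |           \- org.opensaml:opensaml-xacml-saml-impl:jar:3.3.0:compile
[INFO] |              \- org.opensaml:opensaml-saml-impl:jar:3.3.0:compile
[INFO] |                 \- org.opensaml:opensaml-soap-impl:jar:3.3.0:compile
[INFO] |                    \- org.opensaml:opensaml-soap-api:jar:3.3.0:compile
[INFO] |                       \- org.opensaml:opensaml-xmlsec-api:jar:3.3.0:compile
[INFO] |                          \- org.opensaml:opensaml-security-api:jar:3.3.0:compile
[INFO] |                             \- org.cryptacular:cryptacular:jar:1.1.1:compile
[INFO] |                                \- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.25:compile
"""
# The same (constructed) project after cryptacular, and with it bcprov, is upgraded.
FIXED_TREE = SAMPLE_TREE.replace("cryptacular:jar:1.1.1", "cryptacular:jar:1.2.2") \
                        .replace("bcprov-jdk15on:jar:1.54", "bcprov-jdk15on:jar:1.59")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key: '1.54' -> (1, 54); non-numeric segments sort low."""
    key = []
    for seg in re.split(r"[.\-]", version):
        m = re.match(r"\d+", seg)
        key.append(int(m.group()) if m else -1)
    return tuple(key)


def parse_line(line: str) -> Optional[Tuple[int, str, str, str, Optional[str]]]:
    """Return (depth, groupId, artifactId, version, scope), or None for
    non-tree lines such as '[INFO] BUILD SUCCESS'."""
    if line.startswith("[INFO] "):
        line = line[len("[INFO] "):]
    m = MARKER.search(line)
    if m:
        depth = round(m.start() / 3) + 1   # three prefix chars per level
        text = line[m.end():]
    else:
        depth, text = 0, line.strip()      # root line has no marker
    text = text.split(" (", 1)[0].strip()  # drop -Dverbose annotations
    if not COORDS.match(text):
        return None
    parts = text.split(":")
    scope = parts[-1] if parts[-1] in SCOPES else None
    version = parts[-2] if scope else parts[-1]
    return depth, parts[0], parts[1], version, scope


def find_vulnerable_paths(tree_text: str, group: str, artifact: str,
                          fixed_in: str) -> List[str]:
    """Every root-to-leaf chain ending in group:artifact at a version
    older than fixed_in, rendered in the issue's 'a > b > c' form."""
    stack: List[str] = []   # coordinates of the current path, by depth
    hits: List[str] = []
    for raw in tree_text.splitlines():
        node = parse_line(raw)
        if node is None:
            continue
        depth, g, a, v, _scope = node
        del stack[depth:]    # back out to this node's parent level
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact) and version_key(v) < version_key(fixed_in):
            hits.append(" > ".join(stack))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    paths = find_vulnerable_paths(text, "org.bouncycastle", "bcprov-jdk15on", "1.59")
    for p in paths:
        print("VULNERABLE:", p)
    sys.exit(1 if paths else 0)
```

`mvn dependency:tree -Dincludes=org.bouncycastle` gives a quicker filtered view, but only the full tree shows the path by which the artifact arrives, which is what decides where the fix belongs. One general Maven point worth keeping in mind when reading the two comments above: a dependency declared with `provided` scope is not transitive, so a version pinned that way in a library's own POM does not flow down to the projects that depend on that library. A consumer's own tree can therefore still resolve an older version through another path, and the consumer-side fix is a `dependencyManagement` entry for org.bouncycastle:bcprov-jdk15on in their own POM until the upstream transitive dependency is upgraded.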