More organized information.

Vulnerability: CVE-2018-1000613
Severity: High
Package/jar: bcprov-jdk15on-1.59.jar
Description: Legion of the Bouncy Castle Legion of the Bouncy Castle Java
Cryptography APIs version prior to version 1.60 contains a CWE-470: Use of
Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
vulnerability in XMSS/XMSS^MT private key deserialization that can result in
Deserializing an XMSS/XMSS^MT private key can result in the execution of
unexpected code. This attack appears to be exploitable via A handcrafted
private key can include references to unexpected classes which will be picked
up from the class path for the executing application. This vulnerability
appears to have been fixed in 1.60 and later.

Vulnerability: CVE 2009-0001
Severity: Medium
Package/jar: commons-codec-1.11.jar
Description: Not all "business" method implementations of public API in Apache
Commons Codec 1.x are thread safe, which might disclose the wrong data or allow
an attacker to change non-private fields.
From: Dnyaneshwar Pawar <[email protected]>
Sent: Wednesday, October 10, 2018 12:35 PM
To: [email protected]
Subject: Security issues for NiFi's supporting libs.
Hi,
We are using Apache NiFi 1.7.0 and the security scan has high severity issues
for Bouncy Castle bcprov-jdk15on-1.59 and Apache's commons-codec lib. How
should we address them? The Bouncy Castle upgraded them to fix the issues. What
about commons-codec, and are they available in 1.7.1?
Thanks in advance.
Regards,
Dnyaneshwar Pawar
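As an added example (not part of the mail above and not NiFi's or Bouncy Castle's own tooling), here is a small Python script that applies the two scan findings to a list of jar filenames: a jar is reported as vulnerable when its version is below the fixed version the table states (1.60 for bcprov-jdk15on), as fixed when it is at or above that version, and as needing manual review for commons-codec, since the table gives no fixed version for that entry. The jar-name regular expression, the sample jar list and the extra jar names in it are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Advisories transcribed from the table in the mail above. The fixed version
# for CVE-2018-1000613 (1.60) is the one the table states; the table gives no
# fixed version for the commons-codec entry, so it is recorded as None and the
# script reports such jars for manual review instead of guessing a version.
@dataclass(frozen=True)
class Advisory:
    cve: str
    artifact: str
    severity: str
    fixed_in: Optional[str]


ADVISORIES = (
    Advisory("CVE-2018-1000613", "bcprov-jdk15on", "High", "1.60"),
    Advisory("CVE 2009-0001", "commons-codec", "Medium", None),
)

# Assumed Maven-style jar name: <artifact>-<numeric version>.jar. The greedy
# artifact group stops at the last "-" that is followed by a numeric version,
# so "bcprov-jdk15on-1.59.jar" splits into "bcprov-jdk15on" and "1.59".
JAR_RE = re.compile(r"^(?P<artifact>.+)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """'1.59' -> (1, 59); tuples compare numerically, so 1.9 < 1.60 is handled."""
    return tuple(int(part) for part in text.split("."))


def parse_jar(filename: str) -> Optional[tuple]:
    """Return (artifact, version_tuple), or None if the name does not fit."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), parse_version(m.group("version"))


def assess(jar_names):
    """Match each jar against the advisories and classify it as
    'vulnerable' (below the fixed version), 'fixed' (at or above it) or
    'review' (advisory known but no fixed version on record)."""
    findings = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a versioned jar name; nothing to compare
        artifact, version = parsed
        for adv in ADVISORIES:
            if adv.artifact != artifact:
                continue
            if adv.fixed_in is None:
                status = "review"
            elif version < parse_version(adv.fixed_in):
                status = "vulnerable"
            else:
                status = "fixed"
            findings.append((name, adv.cve, adv.severity, status))
    return findings


if __name__ == "__main__":
    # Constructed sample: the two jars from the scan, a patched Bouncy Castle
    # jar, and an unrelated jar that matches no advisory.
    sample = [
        "bcprov-jdk15on-1.59.jar",
        "commons-codec-1.11.jar",
        "bcprov-jdk15on-1.60.jar",
        "example-lib-3.2.1.jar",
    ]
    for jar, cve, severity, status in assess(sample):
        print(f"{jar}: {cve} ({severity}) -> {status}")
```

Run it against the output of `ls lib/` from the NiFi installation to get a per-jar verdict; the point of the "review" status is that a scanner hit with no published fix version should not be silently closed by a version comparison.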