On Oct 10, 2018, at 4:50 PM, Dnyaneshwar Pawar <email@example.com> wrote:

More organized information.

Vulnerability: CVE-2018-1000613
Severity: High
Package/jar: bcprov-jdk15on-1.59.jar
Description: Legion of the Bouncy Castle Java Cryptography APIs version prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization. Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key that can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Vulnerability: CVE 2009-0001
Severity: Medium
Package/jar: commons-codec-1.11.jar
Description: Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
We are using Apache NiFi 1.7.0 and the security scan has high severity issues for Bouncy Castle bcprov-jdk15on-1.59 and Apache's commons-codec lib. How should we address them? Bouncy Castle upgraded them to fix the issues. What about commons-codec, and are they available in 1.7.1?

Thanks in advance.
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.
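As an added example (not part of the thread above and not NiFi's or Bouncy Castle's own tooling), here is a small Python script a defender can run over a NiFi `lib/` directory to find jars that fall below a known fixed version. It assumes jar file names follow the usual `artifact-version.jar` layout seen in the message (e.g. `bcprov-jdk15on-1.59.jar`) and uses only the fix boundary the message itself quotes: Bouncy Castle 1.60. The commons-codec finding is deliberately left out of the table because the message does not state a fixed version for it; the `FIXED_VERSIONS` mapping is a constructed placeholder to extend from your own scanner output.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed advisory table: artifact -> (first fixed version, advisory id).
# Only the boundary quoted in the message (Bouncy Castle fixed in 1.60) is used;
# add further rows from your own scan report as needed.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "bcprov-jdk15on": ("1.60", "CVE-2018-1000613"),
}

# Assumed jar naming: <artifact>-<numeric.version>[-qualifier].jar
# The artifact part is non-greedy so "bcprov-jdk15on-1.59.jar" splits into
# artifact "bcprov-jdk15on" and version "1.59" rather than at the first dash.
JAR_NAME = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)*\.jar$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.7.1' into (1, 7, 1) so that 1.7.1 < 1.10 compares numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def split_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a jar file name, or None if it does not match the layout."""
    match = JAR_NAME.match(name)
    if not match:
        return None
    return match.group("artifact"), match.group("version")


def advisory_for(artifact: str, version: str) -> Optional[str]:
    """Return the advisory id if this artifact/version is below its first fixed version."""
    entry = FIXED_VERSIONS.get(artifact)
    if entry is None:
        return None
    fixed_version, advisory = entry
    if parse_version(version) < parse_version(fixed_version):
        return advisory
    return None


def scan_jar_names(names: List[str]) -> List[Tuple[str, str]]:
    """Check a list of jar file names and return (jar, advisory) pairs for affected ones."""
    findings = []
    for name in names:
        parsed = split_jar_name(name)
        if parsed is None:
            continue  # not artifact-version.jar shaped; skip rather than guess
        artifact, version = parsed
        advisory = advisory_for(artifact, version)
        if advisory is not None:
            findings.append((name, advisory))
    return findings


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, str]]:
    """Walk a directory such as NiFi's lib/ and report affected jars."""
    names = sorted(p.name for p in Path(lib_dir).glob("*.jar"))
    return scan_jar_names(names)


if __name__ == "__main__":
    # Constructed sample of jar names, including the two quoted in the message.
    sample = ["bcprov-jdk15on-1.59.jar", "commons-codec-1.11.jar", "bcprov-jdk15on-1.60.jar"]
    for jar, advisory in scan_jar_names(sample):
        print(f"{jar}: below fixed version ({advisory})")
```

Point `scan_lib_dir` at the NiFi installation's `lib/` directory to get the same report for the deployed jars. The version comparison is tuple-based on purpose: a string comparison would wrongly rank `1.7.1` above `1.10`, which matters when deciding whether a newer NiFi release actually carries the upgraded dependency.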