tika-dev mailing list archives
From "Andrew Pavlin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable
Date Wed, 17 Oct 2018 18:20:00 GMT

    [ https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16653994#comment-16653994
] 

Andrew Pavlin commented on TIKA-2577:
-------------------------------------

I have to agree with the comment. Next build should include the latest BouncyCastle release,
so as to avoid CVE issues. After all, just because Tika isn't using the vulnerable parts of
BouncyCastle doesn't mean other parts of the application using Tika couldn't call the defective
BouncyCastle code.

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable
> --------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2577
>                 URL: https://issues.apache.org/jira/browse/TIKA-2577
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17
>            Reporter: Abhijit Rajwade
>            Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The {{generateSignature()}} function in the {{DSASigner.java}} file allows the per message key (the {{k}} value in the DSA algorithm) to be predictable while generating DSA signatures. A remote attacker can exploit this vulnerability to determine the {{k}} value by closely observing the timings for the generation of signatures, allowing the attacker to deduce the signer's private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
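The issue's root-cause line expresses the affected versions as the Maven range "(, 1.56)" and the fix is a dependency upgrade. The script below is an added example, not code from Tika, Bouncy Castle or the Nexus auditor: it audits a jar for a bundled Bouncy Castle provider by reading the pom.properties that Maven embeds under META-INF/maven/<groupId>/<artifactId>/, and reports it when the version falls inside that range. It assumes the fat jar kept those pom.properties entries when the dependency was bundled; the sample jar it builds is constructed in memory and is not a real Tika artifact.

```python
"""Audit a jar for a bundled Bouncy Castle provider inside a Maven version range.

Added example (not Tika's or Bouncy Castle's code). Assumes the jar retains
META-INF/maven/org.bouncycastle/<artifactId>/pom.properties for the bundled dependency.
"""
import io
import re
import zipfile

# Path Maven writes into a jar for each artifact it packaged (assumed retained in fat jars)
POM_PROPS_RE = re.compile(r"META-INF/maven/org\.bouncycastle/([^/]+)/pom\.properties$")


def parse_version(v):
    """Turn '1.56' or '1.60.1' into a tuple of ints so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_maven_range(spec):
    """Parse a Maven range such as '(,1.56)' or '[1.50,1.56]'.

    Returns (lower, lower_inclusive, upper, upper_inclusive); None means unbounded.
    """
    m = re.fullmatch(r"\s*([\[(])\s*([^,\]]*?)\s*,\s*([^\])]*?)\s*([\])])\s*", spec)
    if not m:
        raise ValueError(f"not a Maven version range: {spec!r}")
    lo, hi = m.group(2) or None, m.group(3) or None
    return (parse_version(lo) if lo else None, m.group(1) == "[",
            parse_version(hi) if hi else None, m.group(4) == "]")


def version_in_range(version, spec):
    """True when `version` lies inside the Maven range `spec`."""
    lo, lo_inc, hi, hi_inc = parse_maven_range(spec)
    v = parse_version(version)
    if lo is not None and (v < lo or (v == lo and not lo_inc)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_inc)):
        return False
    return True


def bundled_bouncycastle_versions(jar_bytes):
    """Return {artifactId: version} for every Bouncy Castle pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS_RE.search(name)
            if not m:
                continue
            lines = zf.read(name).decode("utf-8", "replace").splitlines()
            props = dict(line.split("=", 1) for line in lines
                         if "=" in line and not line.startswith("#"))
            found[m.group(1)] = props.get("version", "").strip()
    return found


def audit_jar(jar_bytes, vulnerable_range="(,1.56)"):
    """List (artifactId, version) pairs whose version falls in the vulnerable range."""
    return [(a, v) for a, v in bundled_bouncycastle_versions(jar_bytes).items()
            if v and version_in_range(v, vulnerable_range)]


def build_sample_jar(bc_version):
    """Constructed stand-in for a fat jar that bundles bcprov-jdk15on (not a real Tika jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
                    "#Generated by Maven\n"
                    f"version={bc_version}\n"
                    "groupId=org.bouncycastle\n"
                    "artifactId=bcprov-jdk15on\n")
        # Placeholder class entry; content is irrelevant to the version check
        zf.writestr("org/bouncycastle/crypto/signers/DSASigner.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("1.54", "1.56", "1.60"):
        hits = audit_jar(build_sample_jar(ver))
        print(f"bcprov {ver}: {'VULNERABLE ' + str(hits) if hits else 'outside range'}")
```

To run it against a real artifact, read the jar from disk and pass its bytes to `audit_jar`; a version that is absent from pom.properties (shaded without Maven metadata) is reported as nothing found, so an empty result should be confirmed by another means before the jar is declared clean.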
