Posted to dev@tika.apache.org by "Tim Allison (JIRA)" <ji...@apache.org> on 2018/10/17 18:35:00 UTC

[jira] [Resolved] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

     [ https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Allison resolved TIKA-2577.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 1.19

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable
> --------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2577
>                 URL: https://issues.apache.org/jira/browse/TIKA-2577
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17
>            Reporter: Abhijit Rajwade
>            Priority: Major
>             Fix For: 1.19
>
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The {{generateSignature()}} function in the {{DSASigner.java}} file allows the per message key (the {{k}} value in the DSA algorithm) to be predictable while generating DSA signatures. A remote attacker can exploit this vulnerability to determine the {{k}} value by closely observing the timings for the generation of signatures, allowing the attacker to deduce the signer's private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: [https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
> --- Abhijit Rajwade
>  

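As an added example, not part of the issue text, of Tika or of Sonatype's tooling: the root-cause line above expresses the affected versions as a Maven version range, "(,1.56)", meaning every version below 1.56 with 1.56 itself excluded. The script below parses that range grammar (open and closed bounds, missing bounds, bare exact versions) and flags entries of a jar inventory that fall inside an advisory's range. The inventory lines and the advisory table are constructed for illustration; only the CVE id and the "(,1.56)" range come from the report.

```python
"""Flag bundled artifacts whose version falls inside a Maven-style
vulnerable range such as the "(,1.56)" reported for DSASigner.class.

Added example; not code from the Tika project or from Sonatype.
"""
import re

# Constructed sample inventory of jars found inside an application jar.
# Format: groupId:artifactId:version (versions here are illustrative).
SAMPLE_INVENTORY = [
    "org.bouncycastle:bcprov-jdk15on:1.54",
    "org.bouncycastle:bcprov-jdk15on:1.56",
    "org.bouncycastle:bcmail-jdk15on:1.60",
    "org.apache.pdfbox:pdfbox:2.0.9",
]

# Advisory table: (artifactId, Maven version range) -> CVE id.
# The CVE id and the (,1.56) range are taken from the issue text;
# the table layout itself is an assumption of this example.
ADVISORIES = {
    ("bcprov-jdk15on", "(,1.56)"): "CVE-2016-1000341",
}

_RANGE_RE = re.compile(r"^([\[(])\s*([^,\]\)]*)\s*,\s*([^,\]\)]*)\s*([\])])$")


def parse_version(v):
    """Split a dotted version into a comparable tuple.

    Numeric components compare as integers; any non-numeric component
    (e.g. a qualifier like 'rc1') sorts after numeric ones as a string.
    """
    parts = []
    for p in re.split(r"[.\-]", v.strip()):
        parts.append((0, int(p)) if p.isdigit() else (1, p))
    return tuple(parts)


def in_range(version, range_spec):
    """Return True if version lies inside a Maven range.

    Supports (,1.56)  [1.50,1.56)  (1.50,1.56]  [1.56,]  and a bare
    version string, which Maven treats as an exact match.
    """
    m = _RANGE_RE.match(range_spec.strip())
    if not m:
        return parse_version(version) == parse_version(range_spec)
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:  # lower bound present
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_br == "("):
            return False
    if hi:  # upper bound present
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_br == ")"):
            return False
    return True


def audit(inventory, advisories=ADVISORIES):
    """Return [(coordinate, cve)] for each jar whose version is in a vulnerable range."""
    findings = []
    for coord in inventory:
        _group, artifact, version = coord.split(":")
        for (adv_artifact, rng), cve in advisories.items():
            if artifact == adv_artifact and in_range(version, rng):
                findings.append((coord, cve))
    return findings


if __name__ == "__main__":
    for coord, cve in audit(SAMPLE_INVENTORY):
        print(f"{coord} is affected by {cve}")
```

Run against the constructed inventory, only the 1.54 entry is reported: 1.56 sits on the excluded upper bound, which is exactly the distinction the ")" in "(,1.56)" encodes and the reason the recommendation reads "1.56 or later".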


--
This message was sent by Atlassian JIRA
(v7.6.3#76005)