You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by "Md Mahir Asef Kabir (Jira)" <ji...@apache.org> on 2021/02/05 16:17:00 UTC
[jira] [Updated] (TIKA-3294) Usage of "ECB" mode for "AES" is
insecure
[ https://issues.apache.org/jira/browse/TIKA-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Md Mahir Asef Kabir updated TIKA-3294:
--------------------------------------
Description:
In file [https://github.com/apache/tika/blob/a43784b19f6b0955478dded71521b0491d21c90b/tika-parsers/tika-parsers-classic/tika-parsers-classic-modules/tika-parser-miscoffice-module/src/main/java/org/apache/tika/parser/hwp/HwpTextExtractorV5.java] (at Line 370) and https://github.com/apache/tika/blob/a43784b19f6b0955478dded71521b0491d21c90b/tika-parsers/tika-parsers-classic/tika-parsers-classic-modules/tika-parser-miscoffice-module/src/main/java/org/apache/tika/parser/hwp/HwpTextExtractorV5.java (at line ) the insecure "ECB" mode is used.
*Security Impact*:
ECB mode allows the attacker to do the following -
detect whether two ECB-encrypted messages are identical;
detect whether two ECB-encrypted messages share a common prefix;
detect whether two ECB-encrypted messages share other common substrings, as long as those substrings are aligned at block boundaries; or
detect whether (and where) a single ECB-encrypted message contains repetitive data (such as long runs of spaces or null bytes, repeated header fields, or coincidentally repeated phrases in the text). - Collected from [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]
*Useful Resources*:
https://blog.filippo.io/the-ecb-penguin/
*Solution we suggest*:
Use GCM mode instead of default or ECB mode.
*Please share with us your opinions/comments if there is any*:
Is the bug report helpful?
was:
In file [https://github.com/apache/tika/blob/a43784b19f6b0955478dded71521b0491d21c90b/tika-parsers/tika-parsers-classic/tika-parsers-classic-modules/tika-parser-miscoffice-module/src/main/java/org/apache/tika/parser/hwp/HwpTextExtractorV5.java] (at Line 370), the insecure "ECB" mode is used.
*Security Impact*:
ECB mode allows the attacker to do the following -
detect whether two ECB-encrypted messages are identical;
detect whether two ECB-encrypted messages share a common prefix;
detect whether two ECB-encrypted messages share other common substrings, as long as those substrings are aligned at block boundaries; or
detect whether (and where) a single ECB-encrypted message contains repetitive data (such as long runs of spaces or null bytes, repeated header fields, or coincidentally repeated phrases in the text). - Collected from [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]
*Useful Resources*:
https://blog.filippo.io/the-ecb-penguin/
*Solution we suggest*:
Use GCM mode instead of default or ECB mode.
*Please share with us your opinions/comments if there is any*:
Is the bug report helpful?
> Usage of "ECB" mode for "AES" is insecure
> ------------------------------------------
>
> Key: TIKA-3294
> URL: https://issues.apache.org/jira/browse/TIKA-3294
> Project: Tika
> Issue Type: Improvement
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> In file [https://github.com/apache/tika/blob/a43784b19f6b0955478dded71521b0491d21c90b/tika-parsers/tika-parsers-classic/tika-parsers-classic-modules/tika-parser-miscoffice-module/src/main/java/org/apache/tika/parser/hwp/HwpTextExtractorV5.java] (at Line 370) and https://github.com/apache/tika/blob/a43784b19f6b0955478dded71521b0491d21c90b/tika-parsers/tika-parsers-classic/tika-parsers-classic-modules/tika-parser-miscoffice-module/src/main/java/org/apache/tika/parser/hwp/HwpTextExtractorV5.java (at line ) the insecure "ECB" mode is used.
> *Security Impact*:
> ECB mode allows the attacker to do the following -
> detect whether two ECB-encrypted messages are identical;
> detect whether two ECB-encrypted messages share a common prefix;
> detect whether two ECB-encrypted messages share other common substrings, as long as those substrings are aligned at block boundaries; or
> detect whether (and where) a single ECB-encrypted message contains repetitive data (such as long runs of spaces or null bytes, repeated header fields, or coincidentally repeated phrases in the text). - Collected from [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]
> *Useful Resources*:
> https://blog.filippo.io/the-ecb-penguin/
> *Solution we suggest*:
> Use GCM mode instead of default or ECB mode.
> *Please share with us your opinions/comments if there is any*:
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)