Posted to dev@tika.apache.org by "Andrew Pavlin (JIRA)" <ji...@apache.org> on 2018/10/17 18:20:00 UTC

[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

    [ https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16653994#comment-16653994 ] 

Andrew Pavlin commented on TIKA-2577:
-------------------------------------

I have to agree with the comment. Next build should include the latest BouncyCastle release, so as to avoid CVE issues. After all, just because Tika isn't using the vulnerable parts of BouncyCastle doesn't mean other parts of the application using Tika couldn't call the defective BouncyCastle code.

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable
> --------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2577
>                 URL: https://issues.apache.org/jira/browse/TIKA-2577
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17
>            Reporter: Abhijit Rajwade
>            Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The {{generateSignature()}} function in the {{DSASigner.java}} file allows the per message key (the {{k}} value in the DSA algorithm) to be predictable while generating DSA signatures. A remote attacker can exploit this vulnerability to determine the {{k}} value by closely observing the timings for the generation of signatures, allowing the attacker to deduce the signer's private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer to [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
> --- Abhijit Rajwade
>  

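As an added example that is not part of the issue or of the Tika project: a Python check for the condition the auditor reports, inspecting a jar's bundled Maven metadata for BouncyCastle artifacts below the 1.56 fix. It assumes the shaded uber-jar kept its `META-INF/maven/**` properties files (the constructed in-memory jar below mimics that layout).

```python
import io
import re
import zipfile

# Maven metadata that shaded/uber jars usually retain under META-INF/maven
# (assumption: tika-app's shade configuration kept these files).
POM_PROPS = re.compile(r"^META-INF/maven/org\.bouncycastle/([^/]+)/pom\.properties$")
FIXED_IN = (1, 56)  # version the issue cites as fixing CVE-2016-1000341


def parse_version(text):
    """'1.54' -> (1, 54); tolerant of suffixes such as '1.56.0.0' or '1.57-SNAPSHOT'."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def bouncycastle_versions(jar):
    """Map each bundled BouncyCastle artifact (bcprov-jdk15on, bcmail-jdk15on, ...) to its version."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = dict(
                line.split("=", 1)
                for line in zf.read(name).decode("utf-8").splitlines()
                if "=" in line and not line.startswith("#")
            )
            found[m.group(1)] = props.get("version", "").strip()
    return found


def affected_by_cve_2016_1000341(jar):
    """Return the bundled BouncyCastle artifacts whose version is below the 1.56 fix."""
    return {a: v for a, v in bouncycastle_versions(jar).items() if parse_version(v) < FIXED_IN}


def constructed_jar(bc_version):
    """Constructed in-memory uber-jar mimicking tika-app's layout (not the real tika-app jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/bouncycastle/crypto/signers/DSASigner.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
                    f"#Generated by Maven\nversion={bc_version}\ngroupId=org.bouncycastle\n"
                    "artifactId=bcprov-jdk15on\n")
    buf.seek(0)
    return buf
```

Run against a real jar with `affected_by_cve_2016_1000341("tika-app-1.17.jar")`; an empty result means every bundled BouncyCastle artifact is at 1.56 or later.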


--
This message was sent by Atlassian JIRA
(v7.6.3#76005)