You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by "Abhijit Rajwade (JIRA)" <ji...@apache.org> on 2018/07/31 10:27:00 UTC
[jira] [Comment Edited] (TIKA-2699) Security: Sonatype Nexus scan
is reporting multiple vulnearbilities on the bouncy castle version used by
Apache Tika
[ https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563437#comment-16563437 ]
Abhijit Rajwade edited comment on TIKA-2699 at 7/31/18 10:26 AM:
-----------------------------------------------------------------
CVE-2016-1000340 info
Issue
[CVE-2016-1000340|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000340]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 4.8
Weakness
CVE CWE: [19|https://cwe.mitre.org/data/definitions/19.html]
Description from CVE
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Explanation
“Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.”
Reference: [http://www.bouncycastle.org/releasenotes.html]
Detection
The application is vulnerable by using this component with static Elliptic curve Diffie–Hellman (ECDH) ciphersuites enabled.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories
Functional
Root Cause
Nat256.class : [1.53,1.56)
Nat224.class : [1.53,1.56)
Nat128.class : [1.53,1.56)
Nat192.class : [1.53,1.56)
Nat160.class : [1.53,1.56)
Advisories
Project: [http://www.bouncycastle.org/releasenotes.html]
was (Author: arajwade):
CVE-2016-1000340 info
Issue
[CVE-2016-1000340|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000340]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 4.8
Weakness
CVE CWE: [19|https://cwe.mitre.org/data/definitions/19.html]
Description from CVE
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Explanation
“Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.”
Reference: [http://www.bouncycastle.org/releasenotes.html]
Detection
The application is vulnerable by using this component with static Elliptic curve Diffie–Hellman (ECDH) ciphersuites enabled.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories
Functional
Root Cause
Nat256.class : [1.53,1.56)
Nat224.class : [1.53,1.56)
Nat128.class : [1.53,1.56)
Nat192.class : [1.53,1.56)
Nat160.class : [1.53,1.56)
Advisories
Project: [http://www.bouncycastle.org/releasenotes.html]
[Cl|http://vw-aus-bpm-bl06.bmc.com:8070/rest/report/RemedyIST-R/2569778660b34b6cb559f110074e2811/browseReport/index.html]
> Security: Sonatype Nexus scan is reporting multiple vulnearbilities on the bouncy castle version used by Apache Tika
> --------------------------------------------------------------------------------------------------------------------
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
> Issue Type: Bug
> Affects Versions: 1.17, 1.18
> Reporter: Abhijit Rajwade
> Priority: Major
> Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnearbilities on the bouncy castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to non vulnerable Bouncy castle version 1.57 or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy castle to a non vulnerable version?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)