[ https://issues.apache.org/jira/browse/CXF-7757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16509390#comment-16509390 ]
Colm O hEigeartaigh commented on CXF-7757:
------------------------------------------

CXF actually includes BouncyCastle 1.59 as a provided dependency in cxf-rt-ws-security, so it is not vulnerable. I did a maven dependency:tree on the CXF source and BouncyCastle 1.54 does not appear anywhere in the list of dependencies. I think you should file a bug report with OpenSAML to upgrade the Cryptacular dependency instead, and then we could pick up the OpenSAML update in CXF.

> Upgrade bouncycastle dependency to fix vulnerability
> ----------------------------------------------------
>
>                 Key: CXF-7757
>                 URL: https://issues.apache.org/jira/browse/CXF-7757
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.2.4
>            Reporter: Dominique Jacques-Brissette
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Apache CXF has a dependency on org.bouncycastle:bcprov-jdk15on@1.54 which has
> a vulnerability known as CVE-2016-1000338
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338)
> We discovered it in our projects via Snyk
> https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340
> The whole dependency chain is as follows
> org.apache.cxf:cxf-rt-ws-security@3.2.4 >
> org.apache.wss4j:wss4j-ws-security-policy-stax@2.2.1 >
> org.apache.wss4j:wss4j-ws-security-stax@2.2.1 >
> org.apache.wss4j:wss4j-ws-security-common@2.2.1 >
> org.opensaml:opensaml-xacml-saml-impl@3.3.0 >
> org.opensaml:opensaml-saml-impl@3.3.0
> org.opensaml:opensaml-soap-impl@3.3.0 >
> org.opensaml:opensaml-soap-api@3.3.0 >
> org.opensaml:opensaml-xmlsec-api@3.3.0 >
> org.opensaml:opensaml-security-api@3.3.0
> org.cryptacular:cryptacular@1.1.1 >
> *org.bouncycastle:bcprov-jdk15on@1.54*
> For example, if the transitive dependency cryptacular was at 1.2.2,
> then org.bouncycastle:bcprov-jdk15on@1.59 would be used and the
> vulnerability would be patched.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
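The disagreement in this thread comes down to which bcprov-jdk15on version Maven actually resolves, which is what the comment checked with dependency:tree. As an added example (not part of the JIRA thread or of CXF), the Python script below parses `mvn dependency:tree -Dverbose` output, reports every path to bcprov-jdk15on, and flags only a resolved (not omitted) version below 1.59; the sample tree is constructed and shortened to mirror the chain in the issue, and the exact wording of Maven's verbose "omitted" annotation is an assumption.

```python
import re

# Constructed sample of `mvn dependency:tree -Dverbose` output modelled on the chain in
# CXF-7757 (illustrative and shortened, not captured from a real build). In verbose mode
# Maven keeps the nodes it dropped, in parentheses with the reason (wording assumed);
# without -Dverbose the 1.54 node does not appear at all, which is what the comment saw.
SAMPLE_TREE = """\
[INFO] org.apache.cxf:cxf-rt-ws-security:jar:3.2.4
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.59:provided
[INFO] \\- org.apache.wss4j:wss4j-ws-security-common:jar:2.2.1:compile
[INFO]    \\- org.opensaml:opensaml-security-api:jar:3.3.0:compile
[INFO]       \\- org.cryptacular:cryptacular:jar:1.1.1:compile
[INFO]          \\- (org.bouncycastle:bcprov-jdk15on:jar:1.54:compile - omitted for conflict with 1.59)
"""

def parse_tree(text):
    """Return one dict per node: coordinates, omission status and the path from the root."""
    stack, nodes = [], []
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        body = line.lstrip("+-\\| ")           # drop the tree-drawing prefix
        if not body:
            continue
        depth = (len(line) - len(body)) // 3   # each nesting level is 3 columns wide
        omitted = body.startswith("(")
        coords, _, reason = body.strip("()").partition(" - ")
        parts = coords.split(":")              # group:artifact:type[:classifier]:version[:scope]
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        node = {"ga": f"{parts[0]}:{parts[1]}", "version": version,
                "omitted": omitted, "reason": reason}
        del stack[depth:]                      # back up to this node's parent
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        node["path"] = list(stack)
        nodes.append(node)
    return nodes

def version_key(v):
    """Numeric tuple for comparing versions such as 1.54 and 1.59."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def vulnerable_paths(text, ga="org.bouncycastle:bcprov-jdk15on", fixed="1.59"):
    """Paths to `ga` that Maven actually resolves (not omitted) at a version below `fixed`."""
    return [n["path"] for n in parse_tree(text)
            if n["ga"] == ga and not n["omitted"]
            and version_key(n["version"]) < version_key(fixed)]

if __name__ == "__main__":
    for n in parse_tree(SAMPLE_TREE):
        if n["ga"] == "org.bouncycastle:bcprov-jdk15on":
            print(n["version"], "omitted" if n["omitted"] else "resolved", n["reason"])
    print("vulnerable paths:", vulnerable_paths(SAMPLE_TREE))
```

Run against a real `mvn dependency:tree -Dverbose` capture, an empty result means the transitive 1.54 is present in the graph but never on the classpath; a non-empty result names the chain that needs a managed version or an upstream upgrade.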