[ https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563437#comment-16563437 ]
Abhijit Rajwade edited comment on TIKA-2699 at 7/31/18 10:26 AM:
-----------------------------------------------------------------

CVE-2016-1000340 info

Issue: [CVE-2016-1000340|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000340]
Source: National Vulnerability Database

Severity:
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 4.8

Weakness:
CVE CWE: [19|https://cwe.mitre.org/data/definitions/19.html]

Description from CVE:
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

Explanation:
“Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.”
Reference: [http://www.bouncycastle.org/releasenotes.html]

Detection:
The application is vulnerable by using this component with static Elliptic curve Diffie–Hellman (ECDH) ciphersuites enabled.

Recommendation:
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Categories: Functional

Root Cause:
Nat256.class : [1.53,1.56)
Nat224.class : [1.53,1.56)
Nat128.class : [1.53,1.56)
Nat192.class : [1.53,1.56)
Nat160.class : [1.53,1.56)

Advisories:
Project: [http://www.bouncycastle.org/releasenotes.html]

was (Author: arajwade):

CVE-2016-1000340 info

Issue: [CVE-2016-1000340|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000340]
Source: National Vulnerability Database

Severity:
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 4.8

Weakness:
CVE CWE: [19|https://cwe.mitre.org/data/definitions/19.html]

Description from CVE:
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

Explanation:
“Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.”
Reference: [http://www.bouncycastle.org/releasenotes.html]

Detection:
The application is vulnerable by using this component with static Elliptic curve Diffie–Hellman (ECDH) ciphersuites enabled.

Recommendation:
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Categories: Functional

Root Cause:
Nat256.class : [1.53,1.56)
Nat224.class : [1.53,1.56)
Nat128.class : [1.53,1.56)
Nat192.class : [1.53,1.56)
Nat160.class : [1.53,1.56)

Advisories:
Project: [http://www.bouncycastle.org/releasenotes.html]

[Cl|http://vw-aus-bpm-bl06.bmc.com:8070/rest/report/RemedyIST-R/2569778660b34b6cb559f110074e2811/browseReport/index.html]

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the bouncy castle version used by Apache Tika
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2699
>                 URL: https://issues.apache.org/jira/browse/TIKA-2699
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.17, 1.18
>            Reporter: Abhijit Rajwade
>            Priority: Major
>              Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the bouncy castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352.
> The recommendation is to upgrade to non-vulnerable Bouncy castle version 1.57 or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy castle to a non-vulnerable version?

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)