Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.17
- None
- None
Description
Sonatype Nexus Auditor is reporting that the Bouncy Castle version used by Tika 1.17 (tika-app-1.17.jar) is vulnerable.
Here are the details of CVE-2016-1000341.
Explanation
BouncyCastle is vulnerable to a Timing Attack. The generateSignature() function in the DSASigner.java file allows the per message key (the k value in the DSA algorithm) to be predictable while generating DSA signatures. A remote attacker can exploit this vulnerability to determine the k value by closely observing the timings for the generation of signatures, allowing the attacker to deduce the signer's private key.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories
Data
Root Cause
tika-app-1.17.jar <= DSASigner.class : (, 1.56)
Advisories
Third Party: https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...
Project: https://www.bouncycastle.org/releasenotes.html
Resolution
Refer to https://www.bouncycastle.org/releasenotes.html
You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.
Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
— Abhijit Rajwade
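To confirm whether a shaded jar such as tika-app-1.17.jar still carries a Bouncy Castle provider older than the 1.56 fix release, here is an added example (not code from this issue or from the Tika project) that reads the Maven pom.properties entries inside the jar. It assumes those entries survive shading (maven-shade's default) and that the provider is recorded under groupId org.bouncycastle; the artifactId bcprov-jdk15on in the constructed sample is an assumption too.

```python
"""Flag a Bouncy Castle provider bundled below 1.56 (the CVE-2016-1000341 fix release)."""
import io
import re
import zipfile

FIXED_VERSION = "1.56"  # per the Bouncy Castle release notes cited in the issue
# Assumption: the shaded jar keeps Maven's META-INF/maven/<group>/<artifact>/pom.properties
# entries (maven-shade's default) and the provider sits under groupId org.bouncycastle.
POM_RE = re.compile(r"META-INF/maven/org\.bouncycastle/([^/]+)/pom\.properties$")
VERSION_RE = re.compile(r"^\s*version\s*[=:]\s*(\S+)")

def _version_key(version):
    # "1.54" -> (1, 54); a qualifier such as "-rc1" is dropped before comparing
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def bundled_bouncycastle_versions(jar_bytes):
    """Return {artifactId: version} for every org.bouncycastle pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_RE.match(name)
            if not m:
                continue
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                v = VERSION_RE.match(line)
                if v:
                    found[m.group(1)] = v.group(1)
    return found

def vulnerable_bouncycastle(jar_bytes):
    """Return the bundled Bouncy Castle artifacts whose version is below FIXED_VERSION."""
    return {a: v for a, v in bundled_bouncycastle_versions(jar_bytes).items()
            if _version_key(v) < _version_key(FIXED_VERSION)}

def constructed_jar(bc_version):
    # In-memory stand-in for a shaded jar (constructed sample, not the real tika-app-1.17.jar)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/bouncycastle/crypto/signers/DSASigner.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
                     f"groupId=org.bouncycastle\nartifactId=bcprov-jdk15on\nversion={bc_version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("1.54", "1.56"):
        print(v, "->", vulnerable_bouncycastle(constructed_jar(v)) or "not affected")
```

To check a real build, pass the bytes of the jar on disk to vulnerable_bouncycastle instead of the constructed sample.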