
Upgrade "bcprov-jdk15on" to version 1.61 or higher to get rid of security vulnerability [CVE-2018-1000613, CWE-502], [CVE-2020-26939, CWE-200], [CVE-2018-1000180, CWE-573], [CVE-2020-15522, CWE-208] #11

Closed
aaron-kumar opened this issue Jul 8, 2021 · 5 comments
Labels: enhancement (New feature or request)


aaron-kumar commented Jul 8, 2021

SAST tool reported a vulnerability for library: bcprov-jdk15on

network.oxalis:[email protected]
---org.bouncycastle:[email protected]
------org.bouncycastle:[email protected]

network.oxalis:[email protected]
---network.oxalis:[email protected]
------org.bouncycastle:[email protected]
---------org.bouncycastle:[email protected]

network.oxalis:[email protected]
---network.oxalis.vefa:[email protected]
------network.oxalis.vefa:[email protected]
---------no.difi.commons:[email protected]
------------net.klakegg.pkix:[email protected]
---------------org.bouncycastle:[email protected]
------------------org.bouncycastle:[email protected]

network.oxalis:[email protected]
---org.bouncycastle:[email protected]

Library "org.bouncycastle:bcprov-jdk15on" needs to be upgraded to version 1.61 or higher.

Subtask of OxalisCommunity/Oxalis-internal-roadmap#13
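As an added triage example (not code from this issue or the Oxalis project): parse a dependency tree in the "---"-indented `group:artifact@version` format used by the SAST report above, list every path that pulls in bcprov-jdk15on, and flag versions below the 1.61 baseline the issue names. The tree is constructed; the example.org artifact ids and the pkix-ocsp 0.9.1 version are placeholders.

```python
import re

TARGET = "org.bouncycastle:bcprov-jdk15on"
MIN_SAFE = "1.61"  # fixed baseline named in the issue

# Constructed tree in the issue's "group:artifact@version" format, three dashes per
# nesting level. Only bcprov 1.57/1.67 come from the issue; other ids are placeholders.
SAMPLE_TREE = """\
example.org:app-root@1.0.0
---org.bouncycastle:bcprov-jdk15on@1.57
---example.org:security-lib@2.0.0
------net.klakegg.pkix:pkix-ocsp@0.9.1
---------org.bouncycastle:bcprov-jdk15on@1.57
example.org:app-tool@1.0.0
---org.bouncycastle:bcprov-jdk15on@1.67
"""
LINE_RE = re.compile(r"^((?:---)*)([^@\s]+)@(\S+)$")


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric comparison key; a qualifier such as -SNAPSHOT is dropped."""
    return tuple(int(p) for p in re.split(r"[.\-]", v) if p.isdigit())


def parse_tree(text: str) -> list[tuple[int, str, str]]:
    """Return (depth, coordinate, version) for each non-empty line."""
    nodes = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable dependency line: {line!r}")
        nodes.append((len(m.group(1)) // 3, m.group(2), m.group(3)))
    return nodes


def find_vulnerable_paths(text: str, target: str = TARGET,
                          min_safe: str = MIN_SAFE) -> list[tuple[str, str]]:
    """Return (root-to-leaf path, version) for every target node below min_safe.
    The path shows which direct dependency drags the old version in (where to pin)."""
    stack: list[str] = []  # coordinates from the root down to the current node
    hits = []
    for depth, coord, version in parse_tree(text):
        del stack[depth:]  # climb back to the parent level
        stack.append(f"{coord}@{version}")
        if coord == target and parse_version(version) < parse_version(min_safe):
            hits.append((" -> ".join(stack), version))
    return hits


if __name__ == "__main__":
    for path, version in find_vulnerable_paths(SAMPLE_TREE):
        print(f"{TARGET} {version} < {MIN_SAFE} via {path}")
```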

aaron-kumar (Member, Author) commented

Fixed in Oxalis with commit: fc22da14415882e5772dcb74fdc1d6609b74b137 (Oxalis-AS4 use provided version of Oxalis)

johnksv referenced this issue in OxalisCommunity/oxalis Sep 7, 2021
…ncycastle-bcprov-jdk15on-1.67

Bump bcprov-jdk15on from 1.57 to 1.67

johnksv commented Sep 8, 2021

Hi! Added this comment to the commit. Adding it here as well:

Just a heads up.
I think this bump breaks net.klakegg.pkix:[email protected], and thus detection of Mode (TEST/PRODUCTION) based on certificate (network.oxalis.vefa.peppol.security.ModeDetector).
To fix this we require a new version of pkix-ocsp. I have created this PR: klakegg/pkix-ocsp#4, and validated that pinning pkix-ocsp to 0.9.2-SNAPSHOT indeed solves the problem. Even though it can be solved by pinning the version explicitly in the pom, it should be fixed through the transitive dependencies.

Before:

network.oxalis:[email protected]
---network.oxalis.vefa:[email protected]
------network.oxalis.vefa:[email protected]
---------no.difi.commons:[email protected]
------------net.klakegg.pkix:[email protected]
---------------org.bouncycastle:[email protected]
------------------org.bouncycastle:[email protected]

cc @aaron-kumar

aaron-kumar (Member, Author) commented

That's a good catch @johnksv.
Even though it should have been caught during release testing and fixed by explicitly using the bumped-up version, it is good that you are fixing it in the right place.
Thanks a lot for the contribution!!!

aaron-kumar reopened this Dec 8, 2021

aaron-kumar (Member, Author) commented

Reopening until the fix is also available in a release version of the dependency (klakegg/pkix-ocsp#4).

aaron-kumar transferred this issue from OxalisCommunity/oxalis May 7, 2022
aaron-kumar added Support Task to Support feature and removed Size/L Pri/H Issue Security labels May 7, 2022
aaron-kumar self-assigned this Aug 2, 2022
aaron-kumar added enhancement New feature or request and removed JDK version and library version upgrades Support Task to Support feature labels Aug 2, 2022
aaron-kumar moved this from Open Issues- Review Required to Q3 2022 – Jul-Sep in Oxalis Public Roadmap Aug 2, 2022
aaron-kumar added this to the 5.x.x milestone Aug 2, 2022

aaron-kumar (Member, Author) commented

Fixed with Oxalis release: v5.4.0 and Oxalis-AS4 release: v5.4.0

Repository owner moved this from Q3 2022 – Jul-Sep to Q2 2022 – Apr-Jun in Oxalis Public Roadmap Aug 2, 2022
aaron-kumar moved this from Q2 2022 – Apr-Jun to Completed in Oxalis Public Roadmap Aug 2, 2022