[Bug 63954] New: Security : Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63954

            Bug ID: 63954
           Summary: Security : Weak Encryption: Insecure Mode of Operation
                    (Security Features, Semantic)
           Product: POI
           Version: 4.1.1-FINAL
          Hardware: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: POI Overall
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Fortify Report on POI source code identifies the following vulnerability:

Category: Weak Encryption: Insecure Mode of Operation (Security Features,
Semantic)

The function getCipher() in CryptoFunctions.java uses a cryptographic
encryption algorithm with an insecure mode of operation on line 239 & 241:

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" +
padding, "BC");

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" +
padding);

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
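
Added example, not part of the original report and not POI code: the page does not name the mode Fortify flagged, so this sketch assumes it is ECB and builds the transformation string the same way as the reported line (algorithm + "/" + mode + "/" + padding) to show what the finding category means. The class and method names, the random key and the sample plaintext are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class ModeOfOperationDemo {

    // Builds the transformation the same way as the flagged line:
    // algorithm + "/" + mode + "/" + padding (default JCE provider).
    static byte[] encrypt(String algorithm, String mode, String padding,
                          byte[] key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance(algorithm + "/" + mode + "/" + padding);
        SecretKeySpec keySpec = new SecretKeySpec(key, algorithm);
        if ("ECB".equals(mode)) {
            cipher.init(Cipher.ENCRYPT_MODE, keySpec);   // ECB takes no IV
        } else {
            cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(iv));
        }
        return cipher.doFinal(plaintext);
    }

    // True when the first two 16-byte ciphertext blocks are identical,
    // i.e. the ciphertext reveals that the plaintext blocks were equal.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16),
                             Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];   // constructed throwaway AES-128 key
        byte[] iv = new byte[16];    // random IV, used by CBC only
        rng.nextBytes(key);
        rng.nextBytes(iv);

        // Constructed sample input: two identical 16-byte plaintext blocks.
        byte[] plaintext = new byte[32];
        Arrays.fill(plaintext, (byte) 'A');

        byte[] ecb = encrypt("AES", "ECB", "NoPadding", key, null, plaintext);
        byte[] cbc = encrypt("AES", "CBC", "NoPadding", key, iv, plaintext);

        System.out.println("ECB repeats blocks: " + firstTwoBlocksEqual(ecb));
        System.out.println("CBC repeats blocks: " + firstTwoBlocksEqual(cbc));
    }
}
```

Because the mode in the reported line comes from chain.jceId at run time, the same call site can produce either behaviour depending on the value passed in.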

[Bug 63954] Security : Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63954

Andreas Beeker <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Andreas Beeker <[hidden email]> ---
Ok ... noted. The cipher handling is described in the MS-OFFCRYPTO Spec - we
won't change it to something current, as our goal is to read old encrypted
documents too.


[MS-OFFCRYPTO]:
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/3c34d72a-1a61-4b52-a893-196f9157f083?redirectedfrom=MSDN

[Bug 63954] Security : Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63954

--- Comment #2 from PJ Fanning <[hidden email]> ---
Hi Sreekanth - if you find any or potential security issue, could you follow
the guidelines on https://www.apache.org/security/ ?