Bug 63954

Summary: Security : Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)
Product: POI
Reporter: Sreekanth Basani <sreekanthbasani>
Component: POI Overall
Assignee: POI Developers List <dev>
Status: RESOLVED INVALID
Severity: critical
Priority: P2
Version: 4.1.1-FINAL
Target Milestone: ---
Hardware: PC
OS: All

Description Sreekanth Basani 2019-11-22 13:57:52 UTC
Fortify Report on POI source code identifies the following vulnerability:

Category: Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

The function getCipher() in CryptoFunctions.java uses a cryptographic encryption algorithm with an insecure mode of operation on lines 239 and 241:

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding, "BC");

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding);
Comment 1 Andreas Beeker 2019-11-22 14:03:25 UTC
Ok ... noted. The cipher handling is described in the MS-OFFCRYPTO Spec - we won't change it to something current, as our goal is to read old encrypted documents too.


[MS-OFFCRYPTO]:
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/3c34d72a-1a61-4b52-a893-196f9157f083?redirectedfrom=MSDN
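Added example, not code from POI or from any commenter: the transformation string is assembled the same way as in the flagged getCipher() call (algorithm/mode/padding), but a read-versus-write policy tolerates legacy modes only when decrypting existing documents and refuses them for newly written ones. The specific modes in the two allowlists and the class and method names are assumptions; the report does not say which mode Fortify objected to.

```java
import javax.crypto.Cipher;
import java.security.GeneralSecurityException;
import java.util.Set;

// Hypothetical policy wrapper around Cipher.getInstance (not POI's CryptoFunctions).
public final class CipherModePolicy {
    // Modes acceptable when encrypting a new document (assumed policy).
    private static final Set<String> WRITE_MODES = Set.of("CBC", "GCM");
    // Modes tolerated when reading a document whose container already
    // specifies them; legacy documents may use modes we would not choose today.
    private static final Set<String> READ_MODES = Set.of("ECB", "CBC", "CFB", "GCM");

    public enum Direction { READ, WRITE }

    /** Builds "algorithm/mode/padding" after checking the mode against the policy. */
    public static String transformation(String algorithm, String mode, String padding, Direction dir) {
        Set<String> allowed = dir == Direction.WRITE ? WRITE_MODES : READ_MODES;
        if (!allowed.contains(mode)) {
            throw new IllegalArgumentException("cipher mode " + mode + " not permitted for " + dir);
        }
        if (dir == Direction.READ && !WRITE_MODES.contains(mode)) {
            // Make the legacy mode visible in logs instead of accepting it silently.
            System.err.println("WARN: legacy cipher mode " + mode + " used to read an existing document");
        }
        return algorithm + "/" + mode + "/" + padding;
    }

    public static Cipher getCipher(String algorithm, String mode, String padding, Direction dir)
            throws GeneralSecurityException {
        return Cipher.getInstance(transformation(algorithm, mode, padding, dir));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Writing with CBC is allowed; reading an ECB document is allowed but logged.
        System.out.println(getCipher("AES", "CBC", "NoPadding", Direction.WRITE).getAlgorithm());
        System.out.println(getCipher("AES", "ECB", "NoPadding", Direction.READ).getAlgorithm());
        try {
            // Writing a new document with ECB is refused by the policy.
            getCipher("AES", "ECB", "NoPadding", Direction.WRITE);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```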
Comment 2 PJ Fanning 2019-11-22 15:02:42 UTC
Hi Sreekanth - if you find any actual or potential security issue, could you follow the guidelines on https://www.apache.org/security/ ?