Fortify Report on POI source code identifies the following vulnerability:

Category: Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

The function getCipher() in CryptoFunctions.java uses a cryptographic encryption algorithm with an insecure mode of operation on lines 239 & 241:

    cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding, "BC");
    cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding);
Ok ... noted. The cipher handling is described in the MS-OFFCRYPTO spec - we won't change it to something current, as our goal is to read old encrypted documents too. [MS-OFFCRYPTO]: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/3c34d72a-1a61-4b52-a893-196f9157f083?redirectedfrom=MSDN
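The following is an added illustration, not code from POI or from either commenter, of why a static analyzer flags the getCipher() construction and why the mode string is nonetheless assembled at runtime. The ChainingMode enum below is a hypothetical stand-in for POI's own enum (the enum constants, their JCE ids and the getCipher signature are assumptions); the key, IV and plaintext are constructed test values. Per [MS-OFFCRYPTO], "standard" (Office 2007) encryption uses AES in ECB mode and "agile" encryption declares CBC or CFB in the document's encryption info, so a reader that must open both kinds of file has to select the mode from the file rather than hard-code one. Running the program shows the property Fortify is warning about: with ECB, two identical plaintext blocks produce two identical ciphertext blocks, while CBC and CFB8 do not.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class OoxmlCipherModes {

    // Hypothetical stand-in for POI's ChainingMode enum (assumption, not POI's code).
    // In a real reader the value comes from the document's encryption info.
    enum ChainingMode {
        ecb("ECB"),  // MS-OFFCRYPTO "standard" (ECMA-376 / Office 2007) encryption
        cbc("CBC"),  // MS-OFFCRYPTO "agile" encryption, ChainingModeCBC
        cfb("CFB8"); // MS-OFFCRYPTO "agile" encryption, ChainingModeCFB (8-bit feedback)

        final String jceId;

        ChainingMode(String jceId) {
            this.jceId = jceId;
        }
    }

    // Mirrors the flagged pattern: the JCE transformation string is built at runtime
    // from algorithm, chaining mode and padding, so a static analyzer cannot rule out ECB.
    static Cipher getCipher(String algorithm, ChainingMode chain, String padding,
                            byte[] key, byte[] iv, int opmode) throws Exception {
        Cipher cipher = Cipher.getInstance(algorithm + "/" + chain.jceId + "/" + padding);
        SecretKeySpec keySpec = new SecretKeySpec(key, algorithm);
        if (chain == ChainingMode.ecb) {
            cipher.init(opmode, keySpec);                          // ECB takes no IV
        } else {
            cipher.init(opmode, keySpec, new IvParameterSpec(iv)); // CBC/CFB need the IV
        }
        return cipher;
    }

    // True when the first two 16-byte ciphertext blocks are identical: the ECB leak.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        // Constructed test values; a real file carries its own key material and IV.
        byte[] key = new byte[16];
        Arrays.fill(key, (byte) 0x11);
        byte[] iv = new byte[16];
        Arrays.fill(iv, (byte) 0x22);
        // Two identical 16-byte plaintext blocks.
        byte[] plain = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        for (ChainingMode mode : ChainingMode.values()) {
            byte[] ct = getCipher("AES", mode, "NoPadding", key, iv, Cipher.ENCRYPT_MODE).doFinal(plain);
            byte[] pt = getCipher("AES", mode, "NoPadding", key, iv, Cipher.DECRYPT_MODE).doFinal(ct);
            System.out.printf("%-4s roundtrip=%b identicalPlaintextBlocksGiveIdenticalCiphertext=%b%n",
                    mode, Arrays.equals(pt, plain), firstTwoBlocksEqual(ct));
        }
    }
}
```

Only the ecb line prints identicalPlaintextBlocksGiveIdenticalCiphertext=true. That is the weakness the Fortify rule targets, and it is also exactly the mode a reader must keep supporting in order to decrypt files written with standard encryption.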
Hi Sreekanth - if you find any actual or potential security issue, could you follow the guidelines on https://www.apache.org/security/?