63954 – Security : Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

Bug 63954 - Security : Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

Summary: Security : Weak Encryption: Insecure Mode of Operation (Security Features, Se...

Status:	RESOLVED INVALID

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	POI Overall (show other bugs)
Version:	4.1.1-FINAL
Hardware:	PC All

Importance:	P2 critical (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-11-22 13:57 UTC by Sreekanth Basani
Modified:	2019-11-22 15:02 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sreekanth Basani 2019-11-22 13:57:52 UTC

Fortify Report on POI source code identifies the following vulnerability:

Category: Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

The function getCipher() in CryptoFunctions.java uses a cryptographic encryption algorithm with an insecure mode of operation on line 239 & 241:

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding, "BC");

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding);

Comment 1 Andreas Beeker 2019-11-22 14:03:25 UTC

Ok ... noted. The cipher handling is described in the MS-OOFCRYPTO Spec - we won't change it too something current, as our goal is to read old encrypted documents too.


[MS-OFFCRYPTO]:
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/3c34d72a-1a61-4b52-a893-196f9157f083?redirectedfrom=MSDN

Comment 2 PJ Fanning 2019-11-22 15:02:42 UTC

Hi Sreekanth - if you find any or potential security issue, could you follow the guidelines on https://www.apache.org/security/ ?