Bug 63954 - Security : Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)
Summary: Security : Weak Encryption: Insecure Mode of Operation (Security Features, Se...
Status: RESOLVED INVALID
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall
Version: 4.1.1-FINAL
Hardware: PC All
Importance: P2 critical
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-22 13:57 UTC by Sreekanth Basani
Modified: 2019-11-22 15:02 UTC
Description Sreekanth Basani 2019-11-22 13:57:52 UTC
Fortify Report on POI source code identifies the following vulnerability:

Category: Weak Encryption: Insecure Mode of Operation (Security Features, Semantic)

The function getCipher() in CryptoFunctions.java uses a cryptographic encryption algorithm with an insecure mode of operation on lines 239 and 241:

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding, "BC");

cipher = Cipher.getInstance(cipherAlgorithm.jceId + "/" + chain.jceId + "/" + padding);
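The rule behind this finding is the generic one for block-cipher modes without integrity protection: with a transformation such as "AES/CBC/PKCS5Padding", anyone who can modify the ciphertext can make a predictable change to part of the decrypted plaintext, and decryption raises no error. The Java program below is an added example, not POI code; it copies only the algorithm/mode/padding string concatenation quoted above, uses a constructed key, all-zero IVs and a made-up two-block message, and contrasts CBC with an AEAD mode (AES/GCM) that the same rule does not flag.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CipherModeDemo {

    // Constructed 128-bit key and IVs for this demo only; real code derives them per document.
    private static final SecretKey KEY =
            new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");
    private static final byte[] CBC_IV = new byte[16]; // CBC takes a full 16-byte IV
    private static final byte[] GCM_IV = new byte[12]; // GCM conventionally takes a 12-byte nonce

    // Constructed message: exactly two 16-byte blocks, so block 1 sits behind block 0 in the chain.
    private static final byte[] PLAINTEXT =
            "transfer to:bob amount=00000100 ".getBytes(StandardCharsets.US_ASCII);

    // Same "algorithm/mode/padding" string building the Fortify finding points at.
    static String transformation(String algorithm, String chaining, String padding) {
        return algorithm + "/" + chaining + "/" + padding;
    }

    static byte[] crypt(String transformation, int opmode, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        if (transformation.contains("/GCM/")) {
            cipher.init(opmode, KEY, new GCMParameterSpec(128, GCM_IV)); // 128-bit auth tag
        } else {
            cipher.init(opmode, KEY, new IvParameterSpec(CBC_IV));
        }
        return cipher.doFinal(input);
    }

    // Flip one bit in ciphertext byte 12 (inside block 0). In CBC decryption
    // P1 = D(C1) XOR C0, so the same bit flips in plaintext byte 28: the '1' of
    // the amount (0x31) becomes '9' (0x39). Block 0 decrypts to garbage, but
    // nothing in CBC detects that.
    static byte[] tamper(byte[] ciphertext) {
        byte[] copy = ciphertext.clone();
        copy[12] ^= 0x08;
        return copy;
    }

    /** Decrypts tampered CBC ciphertext and returns the recovered second block. */
    static String cbcAfterTamper() throws Exception {
        String t = transformation("AES", "CBC", "PKCS5Padding");
        byte[] ct = crypt(t, Cipher.ENCRYPT_MODE, PLAINTEXT);
        // Succeeds: the padding block is untouched, and CBC carries no integrity check.
        byte[] pt = crypt(t, Cipher.DECRYPT_MODE, tamper(ct));
        return new String(Arrays.copyOfRange(pt, 16, 32), StandardCharsets.US_ASCII);
    }

    /** Applies the same tamper to GCM ciphertext; true if the tag check rejected it. */
    static boolean gcmRejectsTamper() throws Exception {
        String t = transformation("AES", "GCM", "NoPadding");
        byte[] ct = crypt(t, Cipher.ENCRYPT_MODE, PLAINTEXT);
        try {
            crypt(t, Cipher.DECRYPT_MODE, tamper(ct));
            return false;
        } catch (AEADBadTagException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("CBC block 1 after tamper: " + cbcAfterTamper());
        System.out.println("GCM rejected tamper: " + gcmRejectsTamper());
    }
}
```

Run it with a JDK 8 or later; both transformations come from the default providers, so no Bouncy Castle install is needed for the demo. The CBC run prints a changed amount with no exception, the GCM run reports that the authentication tag caught the modification. Whether a file format that mandates CBC compensates with its own integrity check at a higher layer is a separate question from what the static-analysis rule measures, which is only the mode named in the transformation string.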
Comment 1 Andreas Beeker 2019-11-22 14:03:25 UTC
Ok ... noted. The cipher handling is described in the MS-OFFCRYPTO Spec - we won't change it to something current, as our goal is to read old encrypted documents too.


[MS-OFFCRYPTO]:
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/3c34d72a-1a61-4b52-a893-196f9157f083?redirectedfrom=MSDN
Comment 2 PJ Fanning 2019-11-22 15:02:42 UTC
Hi Sreekanth - if you find any actual or potential security issue, could you follow the guidelines on https://www.apache.org/security/ ?