Bug #19211
closed
Some java dependencies have security warning and should be updated
Added by François ARMAND over 3 years ago.
Updated over 1 year ago.
Category: Architecture - Dependencies
Description
We have some dependencies that yield security warnings. Even if none impact us critically, we should update them:
- bcprov-jdk15on-1.65.jar
- commons-io-2.6.jar
- postgresql-42.2.12.jar
- spring-*-5.2.5.RELEASE.jar
- spring-security-*-5.3.1.RELEASE.jar
- Status changed from New to In progress
- Assignee set to François ARMAND
- Private changed from No to Yes
In particular CVE-2020-28052 in Bouncy Castle makes the local (bcrypt-based) user authentication vulnerable to brute force.
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
An attacker must brute-force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
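The mechanism behind the brute-force figures quoted above is described on the bc-java wiki page linked above: in Bouncy Castle 1.65 and 1.66, OpenBSDBCrypt.checkPassword compared the stored and recomputed bcrypt strings with bcryptString.indexOf(i) == newBcryptString.indexOf(i) for i in 0..59, so it compared the first position of the character whose code is i rather than the characters at position i. Only characters with a code below 60 ('$', '.', '/' and the digits) were therefore ever checked, which is why the number of such bytes in a hash decides how many attempts a bypass takes. The following Python model is an added illustration and is not code from this issue, from Rudder or from Bouncy Castle; the function names, the constructed bcrypt-formatted strings and the random-output model of wrong-password hashes are all assumptions made for the demonstration.

```python
"""
Model of the CVE-2020-28052 comparison bug in Bouncy Castle's
OpenBSDBCrypt.checkPassword (bc-java 1.65 and 1.66).

Added illustration, not Rudder's or Bouncy Castle's code. The vulnerable
Java loop compared two 60-character bcrypt strings with
bcryptString.indexOf(i) == newBcryptString.indexOf(i) for i in 0..59,
i.e. it compared the first position of the character whose code is i
instead of the characters at position i. Everything below re-creates that
logic in Python on constructed strings, not on real bcrypt output.
"""
import hmac
import random

BCRYPT_LEN = 60                       # "$2y$10$" + 22 salt chars + 31 hash chars
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def flawed_check(stored: str, recomputed: str) -> bool:
    """Re-creation of the 1.65/1.66 comparison: length check, then for every
    index i compare str.find(chr(i)) (Java's indexOf(int)) in both strings."""
    if len(stored) != len(recomputed):
        return False
    equal = True
    for i in range(len(stored)):
        equal &= stored.find(chr(i)) == recomputed.find(chr(i))
    return equal


def fixed_check(stored: str, recomputed: str) -> bool:
    """What the comparison should be: constant-time equality of the whole strings."""
    return hmac.compare_digest(stored.encode(), recomputed.encode())


def inspected_chars(bcrypt_string: str) -> str:
    """Characters of a bcrypt string that the flawed loop actually looks at:
    only those with code < 60, which in the bcrypt alphabet are '$', '.', '/'
    and '0'-'9'. Letters (codes >= 65) are never compared at all."""
    return "".join(sorted({c for c in bcrypt_string if ord(c) < BCRYPT_LEN}))


def simulate_wrong_passwords(stored: str, attempts: int, seed: int = 1) -> int:
    """Count how many of `attempts` wrong-password results the flawed check
    accepts. Model (an assumption of this example): a wrong password hashes,
    under the same salt, to a uniformly random 31-character base64 block, so
    a candidate is the stored prefix+salt followed by random alphabet chars."""
    rng = random.Random(seed)
    prefix = stored[:-31]
    accepted = 0
    for _ in range(attempts):
        candidate = prefix + "".join(rng.choice(BCRYPT_ALPHABET) for _ in range(31))
        if flawed_check(stored, candidate):
            accepted += 1
    return accepted


# Constructed test vectors (bcrypt layout, not real bcrypt output).
# Salt and hash part contain only letters: nothing the flawed loop inspects
# beyond the "$2y$10$" prefix.
STORED = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
# Same prefix and salt (the salt is parsed from STORED when re-hashing),
# hash part entirely different, as for a wrong password.
WRONG_PASSWORD_RESULT = STORED[:-31] + "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwv"

# A hash whose hash part contains one digit ('3' at the 30th position):
# the flawed loop now also requires the candidate's first '3' to sit there.
STORED_WITH_DIGIT = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabc3e"
WRONG_NO_DIGIT = STORED_WITH_DIGIT[:-31] + "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwv"
WRONG_SAME_DIGIT_POSITION = STORED_WITH_DIGIT[:-31] + "ZYXWVUTSRQPONMLKJIHGFEDCBAzyx3v"

if __name__ == "__main__":
    print("inspected characters:", inspected_chars(STORED))
    print("flawed check accepts wrong password:", flawed_check(STORED, WRONG_PASSWORD_RESULT))
    print("fixed check accepts wrong password:", fixed_check(STORED, WRONG_PASSWORD_RESULT))
    print("digit in hash, digit absent in candidate:", flawed_check(STORED_WITH_DIGIT, WRONG_NO_DIGIT))
    print("digit in hash, digit at same position:", flawed_check(STORED_WITH_DIGIT, WRONG_SAME_DIGIT_POSITION))
    print("bypasses in 10000 random wrong passwords:", simulate_wrong_passwords(STORED, 10_000))
```

For the all-letter vector the flawed check accepts any candidate whose hash part contains no '.', '/' or digit, so the simulation accepts a few in every thousand random attempts, while the hmac.compare_digest version accepts none; adding a single digit to the stored hash multiplies the attempts needed, which is the effect the quoted figures describe. The fix that shipped in Bouncy Castle 1.67 compares the characters at each position instead.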
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/3611
- Status changed from Pending technical review to Pending release
- Fix check changed from To do to Checked
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.13 and 6.2.7, which were released today.
- Private changed from Yes to No