box-java-sdk

Vulnerable bouncy castle jars used

Open Manunarur opened this issue 3 years ago • 1 comment

Description of the Issue

Box SDK 3.2.0 has a dependency on vulnerable versions of Bouncy Castle jars. The following jars are flagged by security scans as vulnerable jars affected by CVE-2020-26939 and CVE-2020-15522. Can you please help review the impact of these CVEs and upgrade the Bouncy Castle jars in the SDK?

bouncycastle bcprov-jdk15on v1.57 (Maven: org.bouncycastle:bcprov-jdk15on:1.57)
bouncycastle bcpkix-jdk15on v1.57 (Maven: org.bouncycastle:bcpkix-jdk15on:1.57)

Versions Used

Box SDK 3.2.0

Manunarur avatar May 24 '22 19:05 Manunarur

Hello @Manunarur, we know about the CVE vulnerabilities, but we cannot upgrade those versions. We have customers who rely on FIPS (Federal Information Processing Standards) certification. There are a few versions of Bouncy Castle implementations that are FIPS 140-2 certified (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3514), and they work with older versions of bcprov-jdk15on and bcpkix-jdk15on; for Java 11 this will be 1.57.

If you need newer Bouncy Castle libraries, I recommend excluding them from our SDK and providing them yourself:

// Drop the SDK's transitive Bouncy Castle jars (1.57) ...
implementation('com.box:box-java-sdk:3.2.0') {
  exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
  exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
}
// ... and put the versions you want on the runtime classpath instead.
runtimeOnly('org.bouncycastle:bcprov-jdk15on:1.70')
runtimeOnly('org.bouncycastle:bcpkix-jdk15on:1.70')

antusus avatar May 25 '22 13:05 antusus
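The exclusion above only removes the jars that box-java-sdk itself requests; whether the build actually ends up on 1.70 depends on what every other dependency asks for and on how the build tool resolves the conflict. The script below is an added example (not code from the box-java-sdk project or from either commenter) that parses the text printed by `./gradlew dependencies --configuration runtimeClasspath` or `mvn dependency:tree` and reports any `org.bouncycastle` module resolving below a chosen minimum. The minimum defaults to 1.70 because that is the version suggested in the reply; it is a parameter, not a claim about which release fixed the two CVEs. The embedded reports are constructed samples, and `com.example:other-lib` is a placeholder for any other dependency that still requests 1.57.

```python
"""Flag Bouncy Castle modules that resolve below a minimum version.

Added example, not part of the box-java-sdk project. Input is the text of
a Gradle dependency report or a Maven dependency:tree; both print
"org.bouncycastle:<module>:<version>" lines, Maven with an extra ":jar"
type segment and Gradle with an optional "requested -> resolved" suffix.
"""
import re
from collections import defaultdict

BC_LINE = re.compile(
    r"org\.bouncycastle:(?P<module>[\w.-]+?)(?::jar)?:(?P<requested>\d[\d.]*)"
    r"(?:\s+->\s+(?P<resolved>\d[\d.]*))?"
)


def version_key(version):
    """'1.70' -> (1, 70) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def bouncycastle_versions(report):
    """Map each org.bouncycastle module to the set of versions it resolves to."""
    found = defaultdict(set)
    for line in report.splitlines():
        match = BC_LINE.search(line)
        if not match:
            continue
        # Gradle prints "requested -> resolved" when a direct declaration or
        # conflict resolution overrides a transitive request; otherwise the
        # requested version is the one on the classpath.
        resolved = match.group("resolved") or match.group("requested")
        found[match.group("module")].add(resolved)
    return dict(found)


def below_minimum(report, minimum="1.70"):
    """Return sorted (module, version) pairs that resolve below `minimum`."""
    floor = version_key(minimum)
    return sorted(
        (module, version)
        for module, versions in bouncycastle_versions(report).items()
        for version in versions
        if version_key(version) < floor
    )


# Constructed Gradle output before the exclusion: the SDK pulls in 1.57
# transitively and nothing overrides it.
GRADLE_BEFORE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
\\--- com.box:box-java-sdk:3.2.0
     +--- org.bouncycastle:bcprov-jdk15on:1.57
     \\--- org.bouncycastle:bcpkix-jdk15on:1.57
          \\--- org.bouncycastle:bcprov-jdk15on:1.57 (*)
"""

# Constructed Gradle output after the exclusion plus runtimeOnly 1.70.
# com.example:other-lib is a placeholder dependency that still requests
# 1.57; Gradle resolves it to the directly declared 1.70 and prints "->".
GRADLE_AFTER = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.box:box-java-sdk:3.2.0
+--- com.example:other-lib:1.0
|    \\--- org.bouncycastle:bcprov-jdk15on:1.57 -> 1.70
+--- org.bouncycastle:bcprov-jdk15on:1.70
\\--- org.bouncycastle:bcpkix-jdk15on:1.70
     \\--- org.bouncycastle:bcprov-jdk15on:1.70 (*)
"""

# Constructed Maven dependency:tree output for the same unpatched state.
MAVEN_BEFORE = """\
[INFO] +- com.box:box-java-sdk:jar:3.2.0:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.57:compile
[INFO] |  \\- org.bouncycastle:bcpkix-jdk15on:jar:1.57:compile
"""


if __name__ == "__main__":
    import sys

    # Usage: ./gradlew dependencies --configuration runtimeClasspath | python check_bc.py
    problems = below_minimum(sys.stdin.read())
    for module, version in problems:
        print(f"{module} resolves to {version}")
    sys.exit(1 if problems else 0)
```

Run it against the real report in CI and fail the build on a non-zero exit; the regex ignores Gradle's `(*)` and `(c)` markers, so duplicate subtrees and constraint lines do not produce spurious findings.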

Closing due to inactivity

antusus avatar Sep 19 '22 09:09 antusus