Dependency org.bouncycastle:bcprov-jdk15on, leading to CVE problem

[CVEDetect]

Hi, In msf4j/core，there is a dependency org.bouncycastle:bcprov-jdk15on:1.50 that calls the risk method.

CVE-2015-7940

The scope of this CVE affected version is (,1.51)

After further analysis, in this project, the main Api called is <org.bouncycastle.math.ec.AbstractECMultiplier: org.bouncycastle.math.ec.ECPoint multiply(org.bouncycastle.math.ec.ECPoint,java.math.BigInteger)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

<org.bouncycastle.math.ec.AbstractECMultiplier: org.bouncycastle.math.ec.ECPoint multiply(org.bouncycastle.math.ec.ECPoint,java.math.BigInteger)>
at <org.bouncycastle.math.ec.ECPoint: org.bouncycastle.math.ec.ECPoint multiply(java.math.BigInteger)> (org.bouncycastle.math.ec.ECPoint.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
at <org.bouncycastle.crypto.prng.drbg.DualECSP800DRBG: int generate(byte[],byte[],boolean)> (org.bouncycastle.crypto.prng.drbg.DualECSP800DRBG.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
at <org.bouncycastle.crypto.prng.SP800SecureRandom: void nextBytes(byte[])> (org.bouncycastle.crypto.prng.SP800SecureRandom.java:[-1]) in /.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
at <org.wso2.msf4j.internal.session.SessionIdGenerator: void getRandomBytes(byte[])> (org.wso2.msf4j.internal.session.SessionIdGenerator.java:[126]) in /detect/unzip/msf4j-2.4.0/core/target/classes

Dependency tree--

[INFO] org.wso2.msf4j:msf4j-core:bundle:2.4.0
[INFO] +- org.wso2.carbon.messaging:org.wso2.carbon.messaging:jar:3.0.1:compile
[INFO] |  +- org.wso2.carbon:org.wso2.carbon.launcher:jar:5.2.0:compile
[INFO] |  |  \- org.osgi:org.osgi.core:jar:6.0.0:compile
[INFO] |  \- org.wso2.carbon:org.wso2.carbon.core:jar:5.2.0:compile
[INFO] +- org.wso2.carbon.transport:org.wso2.carbon.transport.http.netty:jar:5.0.1:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.7.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.7.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.7.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.7.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.7.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.7.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.7.Final:compile
[INFO] |  +- io.netty:netty-resolver:jar:4.1.7.Final:compile
[INFO] |  +- commons-pool.wso2:commons-pool:jar:1.5.6.wso2v1:compile
[INFO] |  |  \- commons-pool:commons-pool:jar:1.5.6:compile
[INFO] |  +- org.wso2.orbit.com.lmax:disruptor:jar:3.3.2.wso2v2:compile
[INFO] |  +- org.wso2.orbit.org.yaml:snakeyaml:jar:1.16.0.wso2v1:compile
[INFO] |  \- javax.websocket:javax.websocket-api:jar:1.1:compile
[INFO] +- org.wso2.eclipse.osgi:org.eclipse.osgi:jar:3.10.2.v20150203-1939:compile
[INFO] +- org.wso2.eclipse.osgi:org.eclipse.osgi.services:jar:3.4.0.v20140312-2051:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.0:compile
[INFO] +- org.wso2.msf4j:jaxrs-delegates:jar:2.4.0:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |     +- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
[INFO] |     \- commons-codec:commons-codec:jar:1.9:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.0:compile
[INFO] |  \- log4j:log4j:jar:1.2.14:compile
[INFO] +- com.google.code.gson:gson:jar:2.2.4:compile
[INFO] +- com.google.code.findbugs:jsr305:jar:2.0.1:compile
[INFO] +- org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-beanutils:jar:1.8.3_2:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:2.25:compile
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  +- net.minidev:json-smart:jar:1.1.1:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.50:compile
[INFO] +- org.yaml:snakeyaml:jar:1.17:compile
[INFO] +- org.wso2.carbon.config:org.wso2.carbon.config:jar:2.1.2:compile
[INFO] |  +- org.wso2.carbon.secvault:org.wso2.carbon.secvault:jar:5.0.8:compile
[INFO] |  \- org.wso2.carbon.utils:org.wso2.carbon.utils:jar:2.0.2:compile
[INFO] +- commons-io.wso2:commons-io:jar:2.4.0.wso2v1:compile

Suggested solutions:

Update dependency version

Thank you very much.

[CVEDetect]

@wso2-jenkins-bot
Could please help me check this issue?
May I pull a request to fix it?
Thanks again.

[ramindu90]

Hi @CVEDetect,

Yes please do. We will review and merge it

Best Regards,
Ramindu.