bcprov-jdk15on and bcprov-ext-jdk15on 1.69 sonatype-2019-0673 vulnerability

[amahfouz1]

Describe the bug
Based on SONATYPE-2019-0673, there is no upgrade path for this dependency. Is there any alternative option or a workaround to address this vulnerability? Thanks!

Vulnerability
Issue
sonatype-2019-0673
Severity
Sonatype CVSS 3: 3.7
CVE CVSS 2.0: 0.0
Weakness
Sonatype CWE: [400](https://cwe.mitre.org/data/definitions/400.html)
Source
Sonatype Data Research
Categories
Data
Description
Explanation
Bouncy Castle is vulnerable to Denial of Service (DoS). The Dump.class file utilises FileInputStreams objects when reading from user-provided files, but fails to close these streams properly. This can lead to resource leaks, potentially enabling an attacker to exhaust resources by providing a crafted file as an input to the application, thereby triggering a DoS condition.

Detection
The application is vulnerable by using this component.

Recommendation
There is no non-vulnerable upgrade path for this component. We recommend investigating alternative components or potential mitigating control.

Root Cause
bugvm-dist-1.0.8.tar.gz <= bugvm-1.0.8/lib/bugvm-dist-compiler.jar <= org/bouncycastle/asn1/util/Dump.class : [1.46, )
Advisories
Project: https://github.com/bcgit/bc-java/issues/634
CVSS Details
Sonatype CVSS 3: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

https://cwe.mitre.org/data/definitions/400.html

Client Version
14.0.1

[brendandburns]

That link appears to be salesforce-only? Do you have an external link to that vulnerability report?

Also this appears to be referencing bouncy-castle 1.69, but we have already updated to 1.70:
#2021

[amahfouz1]

@brendandburns sorry I didn't notice the wrong link. I added the vulnerability description.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.