Bouncy Castle FIPS 1.0.23 CVE

Hi,

While performing a security evaluation of the Aspose Words Java library version 23.3-jdk17, we detected CVE-2022-45146 in bouncycastle-fips 1.0.23, which is a dependency of 23.3-jdk17. The issue is fixed in 1.0.24. Is there a patch released for fixing this vulnerability? Please find attached the CVE detected in Black Duck.

This is a blocker for us to go ahead with license purchase.

Regards,
Anit

@nairanit25
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): WORDSJAVA-2812

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

Please note that the Bouncy Castle FIPS library version 1.0.2.4 is still not officially released, and the link to download the hotfix is not working.
Aspose.Words for Java is developed for Java 8, and this vulnerability does not apply in that case.
The problem can appear only with Java 13 and later.
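A check a consumer of the library can run before the fixed release ships, added here as an example that is not from the thread or from Aspose or Bouncy Castle: it reads the version recorded in a jar's manifest, compares it against 1.0.2.4, and combines that with the Java major version so that Java 8 and 11 are reported as not affected, as stated above. It assumes the bc-fips jar's `Implementation-Version` manifest attribute carries the library version; the in-memory jar is constructed for the demonstration.

```python
import io
import re
import zipfile

# bc-fips 1.0.2.4 is the first release with the CVE-2022-45146 fix (per the thread).
FIXED_VERSION = (1, 0, 2, 4)
# The thread states the bug only manifests on Java 13 and later.
FIRST_AFFECTED_JAVA = 13

def parse_version(text):
    """Turn '1.0.2.3' into a comparable tuple (1, 0, 2, 3)."""
    return tuple(int(part) for part in text.strip().split("."))

def java_major(version_string):
    """Major release from 'java.version': '1.8.0_372' -> 8, '11.0.19' -> 11, '17' -> 17."""
    parts = version_string.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def version_from_manifest(manifest_text):
    """Read Implementation-Version from a manifest (assumed to hold the bc-fips version)."""
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest_text, re.MULTILINE)
    return match.group(1) if match else None

def version_from_jar(jar_bytes):
    """Open a jar (a zip) from bytes and return its Implementation-Version, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    return version_from_manifest(manifest)

def is_affected(bc_fips_version, java_version_string):
    """True when the shipped bc-fips predates 1.0.2.4 AND the runtime is Java 13+."""
    return (parse_version(bc_fips_version) < FIXED_VERSION
            and java_major(java_version_string) >= FIRST_AFFECTED_JAVA)

def build_sample_jar(version):
    """Constructed in-memory jar holding only a manifest, so the demo runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    shipped = version_from_jar(build_sample_jar("1.0.2.3"))  # constructed sample
    for java in ("1.8.0_372", "11.0.19", "17.0.7"):
        print(f"bc-fips {shipped} on Java {java}: affected={is_affected(shipped, java)}")
```

For a real jar, replace the constructed bytes with `open(path, "rb").read()` and the Java string with the output of `java -version` or the `java.version` system property.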

Hi @alexey.noskov,

Thanks for taking this up. We are currently running on Java 11.
With regard to support, we are in the process of purchasing the “Site OEM license with support”. I believe the license includes the paid support you mention. Can you help reach out to the product license team for queries on the licensing part?

Anit

@nairanit25 You can contact our sales team in the Aspose.Purchase forum regarding license purchase questions. My colleagues will help you shortly.

Hi @alexey.noskov,

Is there any update on the fix for the vulnerability for Java 13 and upwards?

Regards
Anit

@nairanit25 The issue is postponed until the Bouncy Castle 1.0.2.4 release is available, so that we can update our library.

Hi @alexey.noskov,

The Bouncy Castle 1.0.24 binary is now available for download.
https://downloads.bouncycastle.org/fips-java/bc-noncert-1.0.2.4.jar

Regards,
Anit

@nairanit25 Thank you for the information. I have notified the development team; they will check this.

Hi @nairanit25

I checked these links during the analysis of the WORDSJAVA-2812 issue:
[bc-noncert-1.0.2.4.jar](https://downloads.bouncycastle.org/fips-java/bc-noncert-1.0.2.4.jar)
[bc-noncert-1.0.2.4-sources.jar](https://downloads.bouncycastle.org/fips-java/bc-noncert-1.0.2.4-sources.jar)
Neither of them works on my side.

If these links work on your side, can you please send bc-noncert-1.0.2.4-sources.jar to us?
It would help us update our sources and generate bc-fips for the next Aspose.Words for Java release.

Regards
Anatoly

bc-noncert-1.0.2.4.zip (3.1 MB)
Attached is a zip file containing the bc-noncert-1.0.2.4.jar.


Hi @nairanit25

Thanks for bc-noncert-1.0.2.4.jar.
I added the new version to our sources and rebuilt Aspose Words for Java.
I will include this fix in the next Aspose Words 23.6 release.

Thanks @anatoly.sidorenko,

Can you let me know when the 23.6 release is expected?

Regards
Anit

@nairanit25 Unfortunately, there is no exact release date. The 23.6 version of Aspose.Words for .NET will be released at the very beginning of June 2023. The Java version is usually released 7-10 days after the .NET version, so it will be available in the first half of June 2023. We will be sure to let you know once it is released.


@alexey.noskov Are there any updates on the latest Java release with the fix?

@nairanit25 We are currently working on the 23.6 release of Aspose.Words for Java. I suppose it will be released within this week.

The issues you have found earlier (filed as WORDSJAVA-2812) have been fixed in this Aspose.Words for Java 23.6 update.
