Veracode Vulnerabilities in ASPOSE

RxCrossroads have been using the ASPOSE DLL in a number of applications. We did a Veracode scan of our applications using the older version of ASPOSE and found a number of Veracode issues. When we contacted ASPOSE, we were told that the latest version of ASPOSE does not have those vulnerabilities. Subsequently, we procured the latest version of ASPOSE and also procured a premier support license (license Order ID: 160718174414). However, when we rescanned our applications after integrating the latest version, we are still seeing numerous Veracode issues. Due to these issues we are not able to move the application to the CVS data center. Please find attached the list of issues and a sample code snippet. We need urgent resolution of these issues. Our team has been posting the issues in the ASPOSE forum since last week. However, we are not getting a timely response despite having a premium support license. We need urgent attention from ASPOSE to get the issues resolved. We are willing to upgrade our support license if needed.

Hi Mazibur,


Thank you for contacting support. Please note, we need complete details for each use case like sample document, code example or sample application project and description of the problem. Based on the first row of your provided Excel sheet, we can notice a problem of insufficient entropy in your assembly ESignatureConsole.exe with description as below:

Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().

If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.

The above description does not help us to replicate the problem on our side. We require a complete sample project of your assembly ESignatureConsole.exe. You may prepare simple projects and provide a zip of each along with each problem. Please also list all steps to replicate this error on our side. We’ll investigate and reply to you appropriately.
mansary@rxcrossroads.com:
However, we are not getting timely response despite having premium support license.
You are posting in the Normal Support Forum. It comes under the free support model. You might have another premium account with Enterprise or Priority support. Please log in to the premium account, and then post in the appropriate forum. The premium account shows an icon (Enterprise or Priority) on the left side of your post. You can see the list of forums by navigating to this URL: https://forum.aspose.com. We recommend our clients post each of their urgent problems in the Enterprise or Priority forum.

Thanks for your response. I believe the issue has to be fixed in the ASPOSE DLL. We encountered similar issues in our code and we have rectified those issues.

1) The spreadsheet that is provided explains the code where the issues are present; since you have the code, we cannot find the code snippets for you.

2) If any help is required on how to resolve the issues, we can have a call where we can explain the issues.

3) Below is an example of how we have resolved the issue at our end.

using System;
using System.Security.Cryptography;

// Enclosing class added so the snippet compiles on its own; the poster gave only the method.
public static class SaltHelper
{
    /// <summary>
    /// Generate a random integer to use as a salt value.
    /// </summary>
    /// <returns>A random integer of at least 6 digits, up to int.MaxValue.</returns>
    public static int GenerateRandomSalt()
    {
        // generate a random number of at least 6 digits, up to the int max
        //var rand = new Random();                 // flagged by Veracode: System.Random is not a CSPRNG
        //return rand.Next(100000, int.MaxValue);

        // <CWEID=331> <IssueID=81> <Hub Services (Front End) Policy Scan> <[2016-08-08]> <Cryptography Issue - RNGCryptoServiceProvider Implemented>
        int max = int.MaxValue;
        int min = 100000;
        byte[] b = new byte[sizeof(UInt32)];
        using (RNGCryptoServiceProvider random = new RNGCryptoServiceProvider())
        {
            random.GetBytes(b);                    // cryptographically strong bytes from the OS CSPRNG
        }
        // scale the 32-bit value into [min, max]
        double d = BitConverter.ToUInt32(b, 0) / (double)UInt32.MaxValue;
        return min + (int)((max - min) * d);
    }
}

We need the remediated product ASAP. Otherwise, our security team will not allow using ASPOSE in any of our applications and we will have to cancel our license as well as the Premier Support agreement that we have with ASPOSE now. I would appreciate your prompt response.
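As an added example (not Aspose's code and not the snippet the poster shared above), the C# below contrasts the System.Random pattern that a CWE-331 "insufficient entropy" finding targets with two CSPRNG-backed replacements: an unbiased integer in a range obtained by rejection sampling, and a raw byte salt, which is what a password-hashing salt should be. The class and method names (SaltGenerator, WeakSalt, SecureSalt, SecureSaltBytes) are assumptions of this example; it relies only on System.Security.Cryptography.RandomNumberGenerator, which exists on .NET Framework and on modern .NET.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not Aspose's code nor the original poster's. It contrasts the
// System.Random pattern that Veracode reports as CWE-331 with CSPRNG-backed
// replacements that work on .NET Framework and modern .NET alike.
public static class SaltGenerator
{
    // WEAK (what the scanner flags): System.Random is a statistical PRNG seeded
    // from the clock; its output is not designed to be unpredictable.
    public static int WeakSalt()
    {
        var rand = new Random();
        return rand.Next(100000, int.MaxValue);
    }

    // Uniform integer in [min, max] (both inclusive) drawn from the OS CSPRNG.
    // Rejection sampling avoids the slight bias that scaling a uint by a double
    // introduces. RandomNumberGenerator.Create() returns the same OS-backed
    // generator that RNGCryptoServiceProvider wraps; that class is marked
    // obsolete in .NET 6+, so the factory is preferred.
    public static int SecureSalt(int min, int max)
    {
        if (min > max)
            throw new ArgumentOutOfRangeException(nameof(min), "min must not exceed max");

        long range = (long)max - min + 1;           // can reach 2^32, hence long
        long limit = ((1L << 32) / range) * range;  // largest multiple of range <= 2^32
        byte[] buf = new byte[sizeof(uint)];

        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            long r;
            do
            {
                rng.GetBytes(buf);
                r = BitConverter.ToUInt32(buf, 0);
            } while (r >= limit);                   // discard draws that would bias the modulo
            return (int)(min + r % range);
        }
    }

    // For password hashing a salt should be raw bytes (16 or more), not an int:
    // an integer in [100000, int.MaxValue] carries at most about 31 bits of entropy.
    public static byte[] SecureSaltBytes(int length = 16)
    {
        if (length <= 0)
            throw new ArgumentOutOfRangeException(nameof(length));
        byte[] salt = new byte[length];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    public static void Main()
    {
        Console.WriteLine("weak   : " + WeakSalt());
        Console.WriteLine("secure : " + SecureSalt(100000, int.MaxValue));
        Console.WriteLine("bytes  : " + Convert.ToBase64String(SecureSaltBytes()));

        // Sanity check over many draws: every value must stay inside [1, 6].
        for (int i = 0; i < 10000; i++)
        {
            int v = SecureSalt(1, 6);
            if (v < 1 || v > 6)
                throw new InvalidOperationException("out of range");
        }
        Console.WriteLine("range check passed");
    }
}
```

The thread's own fix (scaling a 32-bit value by a double) is adequate for a salt, but its output is not perfectly uniform; the rejection loop above is the standard way to get an exactly uniform integer from raw CSPRNG bytes. Note also that a static scanner flags the generator type that is used, so a finding reported inside a third-party DLL can only be cleared by the vendor making the same substitution in their own code.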

Hi Mazibur,


Thank you for the details. In order to realize and then fix an issue, we need to reproduce this issue at our end, and then, using the same information, our product team also needs to reproduce the same issue at their end. This way we’re able to investigate, fix, and verify the issue.

Anyways, we’re communicating with our product teams with your provided solution and details. This may help them to rectify the root cause. We’ll get back to you soon.

Hi Mazibur,


Thank you for being patient. Our product team has implemented a security fix in Aspose.Cells API. Please use the latest Hotfix version Aspose.Cells for .NET v16.10.2.0 and let us know how that goes on your side.

Hi Mazibur,


Thank you for contacting support. In reference to the Aspose.Words API, we have logged an investigation under ticket ID: WORDSNET-14349. We’ll let you know once a significant progress has been made in this regard.

Meanwhile, did you check the latest Hotfix version Aspose.Cells for .NET v16.10.2.0 in your working environment? Please let us know how that goes on your side.

Thanks Imran for the update. We have downloaded the latest version of the DLL, integrated it with our applications and submitted them for re-scanning. We will revert if we find any issues in the re-scan. In the meantime, I would appreciate it if you fix the issues in ASPOSE Words and ASPOSE PDF and share the updated version. We are in a time crunch situation and we are holding up multiple applications from going live pending remediation of these issues. We will greatly appreciate your help.


Wassalam,
Mazibur

Hi Mazibur,


Thank you for the details. In reference to the Aspose.Words API, we have logged an investigation under ticket ID WORDSNET-14349. We’re also in communication with our Aspose.Pdf product team. We’ll let you know once significant progress has been made in this regard.

Hi Mazibur,


In reference to the Aspose.Pdf API, we have logged a ticket as PDFNET-41660 in our bug tracking system. We have also linked it to this forum thread. We’ll let you know once a significant progress has been made in this regard. We’re sorry for the inconvenience caused.

The issues you have found earlier (filed as WORDSNET-14349) have been fixed in this Aspose.Words for .NET 17.5 update and this Aspose.Words for Java 17.5 update.


This message was posted using Notification2Forum from Downloads module by aspose.notifier.