arjankowski
commented
10 months ago Hi @ittzik , We know about the CVE vulnerabilities but we cannot upgrade those versions.
We have customers who rely on FIPS (Federal Information Processing Standards) certification. There are few version of Bouncycastle implementations that are FIPS 140-2 certified and they work with older versions of bcprov-jdk15on and bcpkix-jdk15on for Java 11 this will be 1.57.
If you need newer Bouncycastle libraries I recommend excluding them from our SDK and providing them yourself as you have this described here https://github.com/box/box-java-sdk?tab=readme-ov-file#fips-140-2-compliance
apupier
stale[bot]
Description of the Issue version used is < 1.60 and is vulnerable. See https://nvd.nist.gov/vuln/detail/CVE-2018-1000613 , from looking at https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on, looks like the minimal non-vulnerable version is 1.74 at the moment (1.77 is the latest)
Please upgrade to version 1.60 or higher.
Versions Used Java SDK: 4.6.1 Java: openjdk version "17"
Steps to Reproduce N/A
Error Message, Including Stack Trace N/A