[Esapi-user] Crypto and the "ESAPI for Java" release 2.1.0

Chris Schmidt chris.schmidt at owasp.org
Thu Sep 5 16:06:21 UTC 2013


Further Update:

Philippe has posted this blog about the issue:
http://blog.h3xstream.com/2013/08/esapi-when-authenticated-encryption.html


On 9/4/13 8:19 PM, Kevin W. Wall wrote:
> On Tue, Sep 3, 2013 at 4:56 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> ESAPI-Java community,
>>
>> Just to be clear, the following release was due to a crypto bug in
>> ESAPI for Java. This is a significant issue. If you are currently
>> depending on the default ESAPI crypto configuration settings,
>> then we recommend that you upgrade, decrypt your data, and re-encrypt
>> with ESAPI 2.1.0.
> An update on this email thread...
>
> We have a CVE identifier for Google Issue #306.
>
> If you've read the release notes from the recent ESAPI 2.1.0 release,
> you are aware that the vulnerability (well, technically, an "exposure"
> in the Mitre CVE sense of the word) in the ESAPI 2.0 symmetric encryption
> is what prompted that release as Jim mentioned. That crypto bug is
> documented in great detail in Google Issue #306
> (http://code.google.com/p/owasp-esapi-java/issues/detail?id=306).
>
> We now have a CVE Identifier that we are going to use to get this
> properly documented where it can be more easily tracked by software.
>
> The CVE ID assigned to us is: CVE-2013-5679.
>
> More details to follow as things progress.
>
> -kevin
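The "upgrade, decrypt your data, and re-encrypt with ESAPI 2.1.0" advice above, as an added Java illustration that is not part of this thread or of the ESAPI project's own code. It uses only the public ESAPI 2.x crypto API (ESAPI.encryptor(), PlainText, CipherText.fromPortableSerializedBytes, CipherText.asPortableSerializedByteArray) and assumes ESAPI 2.1.0 is on the classpath with an ESAPI.properties that already carries Encryptor.MasterKey and Encryptor.MasterSalt; the class name, the sample plaintext and the single-record helper are hypothetical.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;

/**
 * Added illustration (not ESAPI project code) of the decrypt-then-re-encrypt
 * step recommended in the thread. Run it only AFTER ESAPI 2.1.0 is on the
 * classpath, otherwise the "fresh" ciphertext is produced by the same
 * affected code. Assumes ESAPI.properties is configured with
 * Encryptor.MasterKey / Encryptor.MasterSalt, as any ESAPI deployment must be.
 */
public class ReencryptMigration {

    /**
     * Takes one stored record's serialized CipherText (the byte[] returned by
     * CipherText.asPortableSerializedByteArray() under the old release),
     * decrypts it with the upgraded library, and returns a freshly encrypted
     * and serialized CipherText. Any failure (MAC mismatch, wrong master key)
     * propagates as EncryptionException so the migration halts on that record
     * instead of silently writing back something unverified.
     */
    public static byte[] reencrypt(byte[] oldSerialized) throws EncryptionException {
        CipherText old = CipherText.fromPortableSerializedBytes(oldSerialized);
        PlainText recovered = ESAPI.encryptor().decrypt(old);
        CipherText fresh = ESAPI.encryptor().encrypt(recovered);
        return fresh.asPortableSerializedByteArray();
    }

    public static void main(String[] args) throws EncryptionException {
        // Constructed sample standing in for a record that was encrypted
        // before the upgrade and is now read back from the data store.
        PlainText secret = new PlainText("account-number-4242");
        byte[] stored = ESAPI.encryptor().encrypt(secret).asPortableSerializedByteArray();

        byte[] migrated = reencrypt(stored);

        // Sanity check before overwriting the stored record: the migrated
        // ciphertext must still decrypt to the original value.
        PlainText check = ESAPI.encryptor().decrypt(
                CipherText.fromPortableSerializedBytes(migrated));
        if (!check.toString().equals(secret.toString())) {
            throw new IllegalStateException("round trip failed; do not overwrite record");
        }
        System.out.println("migrated " + stored.length + " -> " + migrated.length + " bytes");
    }
}
```

In a real migration the helper is applied to every stored record inside the application's own transaction handling; a record that fails to decrypt should be logged and left untouched for manual review rather than skipped, since a MAC failure on old data is exactly the signal the upgrade is meant to surface.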
