[Owasp-board] Crypto and the "ESAPI for Java" release 2.1.0

Kevin W. Wall kevin.w.wall at gmail.com
Thu Sep 5 02:19:04 UTC 2013

On Tue, Sep 3, 2013 at 4:56 AM, Jim Manico <jim.manico at owasp.org> wrote:
> ESAPI-Java community,
> Just to be clear, the following release was due to a crypto bug in
> ESAPI for Java. This is a significant issue. If you are currently
> depending on the default ESAPI crypto configuration settings,
> then we recommend that you upgrade, decrypt your data, and re-encrypt
> with ESAPI 2.1.0.

An update on this email thread...

We have a CVE identifier for Google Issue #306.

If you've read the release notes from the recent ESAPI 2.1.0 release,
you are aware that the vulnerability (well, technically, an "exposure"
in the Mitre CVE sense of the word) in the ESAPI 2.0 symmetric encryption
is what prompted that release as Jim mentioned. That crypto bug is
documented in great detail in Google Issue #306.

We now have a CVE Identifier that we are going to use to get this
properly documented where it can be more easily tracked by software.

The CVE ID assigned to us is: CVE-2013-5679.

More details to follow as things progress.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
