Description
Box Java SDK is affected by https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33201.
It comes from these dependencies:
- https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on/1.70
- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.70
The fixes are in these artifacts:
- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on/1.77
- https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk18on/1.77
Note the change to the artifact IDs. The bouncy-castle release notes say this is merely a change to jar packaging and to requiring a minimum of Java 8 instead of 1.5. There are no changes to the source code.
In our project we did this:

gradle.properties:

```properties
bouncyCastleVersion=1.77
```

build.gradle dependencies:

```groovy
implementation "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
implementation "org.bouncycastle:bcprov-jdk18on:${bouncyCastleVersion}"
```

build.gradle dependency resolution:

```groovy
exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
force "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
force "org.bouncycastle:bcprov-jdk18on:${bouncyCastleVersion}"
```
All of the tests that call box-java-sdk passed, and the CVE is gone.
But it would be nice not to have to do that, and instead upgrade box-java-sdk to use the latest bouncy-castle.
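The override described in this issue, written out as a complete Gradle build fragment with a build-time check that fails if any `*-jdk15on` Bouncy Castle jar is still resolved. This is an added example, not code from the issue author or from box-java-sdk; it assumes the `java` plugin is applied (so `runtimeClasspath` and `check` exist), Gradle 6.6 or newer for the `using` substitution syntax, and the task name `checkNoLegacyBouncyCastle` is hypothetical.

```groovy
// Added example (not from the issue or the SDK). Pins the transitive
// Bouncy Castle dependency pulled in by box-java-sdk to the jdk18on
// artifacts, then verifies at build time that no jdk15on jar survived.

ext.bouncyCastleVersion = '1.77'   // same version as in gradle.properties

configurations.all {
    // Drop the old artifact IDs wherever they come in transitively.
    exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
    exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'

    resolutionStrategy {
        // Equivalent to the force lines above: any request for the
        // jdk15on modules is redirected to the jdk18on ones.
        dependencySubstitution {
            substitute module('org.bouncycastle:bcprov-jdk15on') using module("org.bouncycastle:bcprov-jdk18on:${bouncyCastleVersion}")
            substitute module('org.bouncycastle:bcpkix-jdk15on') using module("org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}")
        }
        force "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
        force "org.bouncycastle:bcprov-jdk18on:${bouncyCastleVersion}"
    }
}

// Guard against a future SDK or plugin bump silently reintroducing
// the old jars: scan what was actually resolved onto the runtime classpath.
tasks.register('checkNoLegacyBouncyCastle') {
    description = 'Fails if any org.bouncycastle *-jdk15on artifact is on runtimeClasspath'
    doLast {
        def resolved = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
        def legacy = resolved.findAll { artifact ->
            def id = artifact.moduleVersion.id
            id.group == 'org.bouncycastle' && id.name.endsWith('jdk15on')
        }
        if (!legacy.empty) {
            def listing = legacy.collect { "${it.moduleVersion.id}" }.join(', ')
            throw new GradleException("Legacy Bouncy Castle artifacts still resolved: ${listing}")
        }
        logger.lifecycle("Bouncy Castle on runtimeClasspath: " +
            resolved.findAll { it.moduleVersion.id.group == 'org.bouncycastle' }
                    .collect { "${it.moduleVersion.id}" }.join(', '))
    }
}

// Run the guard as part of the normal `check` lifecycle.
tasks.named('check') { dependsOn 'checkNoLegacyBouncyCastle' }
```

`./gradlew dependencyInsight --configuration runtimeClasspath --dependency bcprov` shows the same resolution interactively if you want to confirm which artifact and version won before wiring in the task.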