[BUG] SECURITY: hertzbeat uses bouncycastle jars that have multiple CVEs

[pjfanning]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

BouncyCastle no longer ship jdk15on jars. Projects should use the jdk18on ones instead.
The jdk15on jars were for Java 1.5 users and fixes that have been made to the jdk18on jars (Java 1.8 compatible) have not been backported - including security fixes.

The last Hertzbeat RC had bcprov-jdk15on-1.69.jar

• https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.69
• https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on (1.81 current latest)

The classe names and packages are the same.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

HertzBeat version(s):

Debug logs

No response

Anything else?

No response

[tomsun28]

Got it thanks.

[gns34]

I would like to try this. Can assign to me please?

[MadhuriRathod30]

Hi @pjfanning , can you please assign this to me?

[pjfanning]

Hi @pjfanning , can you please assign this to me?

I don't have this access.

[MadhuriRathod30]

Hi @tomsun28 , can you please assign this to me ?

[tomsun28]

hi @MadhuriRathod30 welcome, this has assigned to you.

hi @gns34 sorry for that. Lady first. If you have any other task want to try, please @ me.

[gns34]

Sure, No Problem

[MadhuriRathod30]

Hi @tomsun28 thank you.