[ https://issues.apache.org/jira/browse/CONNECTORS-1012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright updated CONNECTORS-1012:
------------------------------------

    Component/s:     (was: Lucene/SOLR connector)
                 Tika extractor

> Upgrade Apache POI to correct multiple security issues
> ------------------------------------------------------
>
>                 Key: CONNECTORS-1012
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1012
>             Project: ManifoldCF
>          Issue Type: Task
>          Components: Tika extractor
>    Affects Versions: ManifoldCF 1.7
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>            Priority: Blocker
>             Fix For: ManifoldCF 1.7
>
>
> = CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's OpenXML 
> parser =
> Type: Information disclosure
> Description: Apache POI uses Java's XML components to parse OpenXML files 
> produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications 
> that accept such files from end-users are vulnerable to XML External Entity 
> (XXE) attacks, which allows remote attackers to bypass security restrictions 
> and read arbitrary files via a crafted OpenXML document that provides an XML 
> external entity declaration in conjunction with an entity reference.
> = CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's OpenXML 
> parser =
> Type: Denial of service
> Description: Apache POI uses Java's XML components and Apache Xmlbeans to 
> parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, 
> PPTX,...). Applications that accept such files from end-users are vulnerable 
> to XML Entity Expansion (XEE) attacks ("XML bombs"), which allows remote 
> hackers to consume large amounts of CPU resources.
> The Apache POI PMC released a bugfix version (3.10.1) today.
> Here is the Lucene/Solr recommended course of action (which we will have to 
> map to MCF):
> {code}
> - Delete the following files in your "solr-4.X.X/contrib/extraction/lib" 
> folder: 
>       # poi-3.10-beta2.jar
>       # poi-ooxml-3.10-beta2.jar
>       # poi-ooxml-schemas-3.10-beta2.jar
>       # poi-scratchpad-3.10-beta2.jar
>       # xmlbeans-2.3.0.jar
> - Copy the following files from the base folder of the Apache POI 
> distribution to the "solr-4.X.X/contrib/extraction/lib" folder: 
>       # poi-3.10.1-20140818.jar
>       # poi-ooxml-3.10.1-20140818.jar
>       # poi-ooxml-schemas-3.10.1-20140818.jar
>       # poi-scratchpad-3.10.1-20140818.jar
> - Copy "xmlbeans-2.6.0.jar" from POI's "ooxml-lib/" folder to the 
> "solr-4.X.X/contrib/extraction/lib" folder.
> - Verify that the "solr-4.X.X/contrib/extraction/lib" no longer contains any 
> files with version number "3.10-beta2".
> {code}
> I will research whether all of these jars exist in Maven at this time; if 
> they do, we should fix this problem in MCF 1.7.



--
This message was sent by Atlassian JIRA
(v6.2#6252)