[
https://issues.apache.org/jira/browse/TIKA-2499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247714#comment-16247714
]
Abhijit Rajwade commented on TIKA-2499:
---------------------------------------
Sonatype Nexus Auditor shows that all current Apache Tika versions, including
Apache Tika 1.16, are vulnerable.
> Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of
> vulnerable Third party components.
> ----------------------------------------------------------------------------------------------------------
>
> Key: TIKA-2499
> URL: https://issues.apache.org/jira/browse/TIKA-2499
> Project: Tika
> Issue Type: Bug
> Affects Versions: 1.13
> Reporter: Abhijit Rajwade
> Labels: Security
>
> Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of
> vulnerable Third party components.
> Columns: Sr No | Vulnerability ID | Description from Nexus Auditor | Vulnerable Third party component | Fixed Third party component
>
> 1. SONATYPE-2017-0355
>    Source: Sonatype Data Research
>    Severity: Sonatype CVSS 3.0: 7.5
>    Weakness: Sonatype CWE: 20
>    Explanation: jackson-core is vulnerable to Denial of Service (DoS). The
>    _reportInvalidToken() function in the UTF8StreamJsonParser and
>    ReaderBasedJsonParser classes allows large amounts of extraneous data to be
>    printed to the server log. An attacker can exploit this vulnerability by
>    crafting a POST request containing large amounts of data. When the data
>    contains invalid JSON, an exception is thrown, which results in the
>    consumption of available disk space when the error message is written to
>    server.log along with the request data.
>    Detection: The application is vulnerable by using this component.
>    Recommendation: We recommend upgrading to a version of this component that
>    is not vulnerable to this specific issue.
>    Categories: Data
>    Root Cause:
>      tika-app-1.13.jar <= ReaderBasedJsonParser.class : [2.0.0-RC1, 2.8.6)
>      tika-app-1.13.jar <= UTF8StreamJsonParser.class : [2.0.0-RC1, 2.8.6)
>    Advisories:
>      Attack: https://issues.jboss.org/browse/JBEAP-6316
>      Project: https://github.com/FasterXML/jackson-core/pull/322
>    Vulnerable Third party component: Jackson
>    Fixed Third party component: Jackson 2.8.6 or later
>
> 2. SONATYPE-2017-0359
>    Source: Sonatype Data Research
>    Severity: Sonatype CVSS 3.0: 7.5
>    Weakness: Sonatype CWE: 22
>    Explanation: The Apache httpcomponents component is vulnerable to Directory
>    Traversal. The normalizePath() function in the URIBuilder class allows
>    directory traversal characters such as ../. An attacker can exploit this
>    vulnerability by sending a specially crafted request containing this
>    sequence in the URL path, allowing the attacker to traverse beyond the
>    allowed directory and retrieve the contents of arbitrary files from the
>    server, leading to information disclosure.
>    Detection: The application is vulnerable by using this component.
>    Recommendation: We recommend upgrading to a version of this component that
>    is not vulnerable to this specific issue.
>    Categories: Data
>    Root Cause:
>      tika-app-1.13.jar <= URIBuilder.class : [4.2.1-RC1, 4.5.3)
>    Advisories:
>      Project: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
>    Vulnerable Third party component: Apache httpcomponents
>    Fixed Third party component: Apache httpcomponents 4.5.3 or later
>
> 3. CVE-2017-12620
>    Issue: CVE-2017-12620
>    Source: National Vulnerability Database
>    Severity: Sonatype CVSS 3.0: 7.3
>    Weakness: Sonatype CWE: 611
>    Description from CVE: When loading models or dictionaries that contain XML
>    it is possible to perform an XXE attack, since Apache OpenNLP is a library,
>    this only affects applications that load models or dictionaries from
>    untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2,
>    1.8.0 to 1.8.1 of Apache OpenNLP are affected.
>    Explanation: Apache OpenNLP is vulnerable to XML External Entity (XXE)
>    attack. The constructor in the ConstitParseSampleStream class, createDOM()
>    function in the GeneratorFactory class, and the parse() function in the
>    IrishSentenceBankDocument and LetsmtDocument classes allows unsafe external
>    entities when processing XML data from models and dictionaries. A remote
>    attacker can exploit this by submitting specially crafted XML, which can
>    potentially lead to Denial of Service, Information Disclosure, or other
>    attacks.
>    Advisory Deviation Notice: The Sonatype security research team discovered
>    that the vulnerability is present in version 1.5.2-incubating-rc1 until
>    1.8.2, not in all the versions from 1.5.0 till 1.8.2 as the advisory
>    states.
>    Detection: The application is vulnerable by using this component.
>    Recommendation: We recommend upgrading to a version of this component that
>    is not vulnerable to this specific issue.
>    Categories: Data
>    Root Cause:
>      tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= ConstitParseSampleStream.class : [1.5.3-rc1, 1.7.1)
>      tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= GeneratorFactory.class : [1.5.3-rc1, 1.7.1)
>    Advisories:
>      Project: http://opennlp.apache.org/news/cve-2017-12620.html
>    Vulnerable Third party component: Apache OpenNLP
>    Fixed Third party component: Apache OpenNLP 1.8.2 or later
>
> 4. SONATYPE-2016-0398
>    Source: Sonatype Data Research
>    Severity: Sonatype CVSS 3.0: 7.5
>    Weakness: Sonatype CWE: 22
>    Explanation: Plexus Utils is vulnerable to Directory Traversal. The
>    extractFile() function in the Expand class allows directory traversal
>    characters such as ../ via the entryName parameter. An attacker can exploit
>    this vulnerability by sending a specially crafted request containing this
>    sequence in the URL path, allowing the attacker to traverse beyond the
>    allowed directory and retrieve the contents of arbitrary files from the
>    server, leading to information disclosure.
>    Detection: The application is vulnerable by using this component.
>    Recommendation: We recommend upgrading to a version of this component that
>    is not vulnerable to this specific issue.
>    Categories: Data
>    Root Cause:
>      tika-app-1.13.jar <= Expand.class : ( , 3.0.24)
>    Advisories:
>      Third Party: https://github.com/sonatype/plexus-utils/issues/20
>    Vulnerable Third party component: Plexus Utils
>    Fixed Third party component: Most likely Plexus Utils 3.0.24 or later
> Can we please have Apache Tika release an updated version that uses the fixed
> Third party components?
> Thx & Regards.
> --- Abhijit Rajwade
> BMC Software
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
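The "Root Cause" lines in the quoted report give the affected versions as Maven ranges (`[2.0.0-RC1, 2.8.6)`, `( , 3.0.24)`) and the "Fixed version" lines give the upper bound to upgrade past. The following is an added example, not Sonatype's, Tika's or Maven's own code: it parses that range notation and checks a bill of materials against the four findings. The lower bounds are taken from the Root Cause lines and the upper bounds from the Fixed version lines; for OpenNLP the wider range from the Advisory Deviation Notice is used rather than the per-class Root Cause range. In the sample BOM only `opennlp-tools 1.5.3` is a version the report actually shows; the other three versions are assumed for illustration.

```python
"""Check component versions against the Maven-style ranges in the Nexus
Auditor report.  Added example; not Tika, Sonatype or Maven code."""
import re
from typing import Dict, List, Tuple

# Vulnerable ranges in Maven notation: "[" / "]" inclusive, "(" / ")"
# exclusive, an empty bound means unbounded.  Lower bounds follow the report's
# Root Cause lines, upper bounds its Fixed version lines.  For OpenNLP the
# Advisory Deviation Notice range is used; it is wider than the per-class
# Root Cause range [1.5.3-rc1, 1.7.1).
VULNERABLE_RANGES: Dict[str, Tuple[str, str]] = {
    "jackson-core":  ("SONATYPE-2017-0355", "[2.0.0-RC1, 2.8.6)"),
    "httpclient":    ("SONATYPE-2017-0359", "[4.2.1-RC1, 4.5.3)"),
    "opennlp-tools": ("CVE-2017-12620",     "[1.5.2-incubating-rc1, 1.8.2)"),
    "plexus-utils":  ("SONATYPE-2016-0398", "( , 3.0.24)"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(.+))?$")
_RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])\s*$")


def parse_version(version: str) -> Tuple[List[int], str]:
    """Split '2.0.0-RC1' into ([2, 0, 0], 'rc1'); a release has an empty qualifier."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    return numbers, (m.group(2) or "").lower()


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1.  Numeric parts compare as integers (missing trailing
    parts count as 0); with equal numbers a release is newer than any
    qualified pre-release, and two qualifiers compare as lowercase strings.
    This is a simplification of Maven's ComparableVersion ordering that is
    sufficient for the ranges above."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += [0] * (width - len(na))
    nb += [0] * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if qa == qb:
        return 0
    if not qa:
        return 1
    if not qb:
        return -1
    return -1 if qa < qb else 1


def in_range(version: str, maven_range: str) -> bool:
    """True if version lies inside a Maven range such as '[2.0.0-RC1, 2.8.6)'."""
    m = _RANGE_RE.match(maven_range)
    if not m:
        raise ValueError(f"unsupported range: {maven_range!r}")
    low_bracket, low, high, high_bracket = m.groups()
    if low:
        c = compare_versions(version, low)
        if c < 0 or (c == 0 and low_bracket == "("):
            return False
    if high:
        c = compare_versions(version, high)
        if c > 0 or (c == 0 and high_bracket == ")"):
            return False
    return True


def audit(bom: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, version, finding id) for every bundled version that
    falls inside its vulnerable range.  Components not in the table are ignored."""
    findings = []
    for component, version in sorted(bom.items()):
        if component in VULNERABLE_RANGES:
            finding_id, vulnerable_range = VULNERABLE_RANGES[component]
            if in_range(version, vulnerable_range):
                findings.append((component, version, finding_id))
    return findings


# Constructed sample bill of materials.  opennlp-tools 1.5.3 is the version
# the report shows inside tika-bundle-1.13.jar; the other three versions are
# assumed for illustration, not taken from a real Tika 1.13 build.
SAMPLE_BOM = {
    "jackson-core": "2.8.1",
    "httpclient": "4.5.2",
    "opennlp-tools": "1.5.3",
    "plexus-utils": "3.0.22",
}

# The same components at the "Fixed version" the report asks for.
UPGRADED_BOM = {
    "jackson-core": "2.8.6",
    "httpclient": "4.5.3",
    "opennlp-tools": "1.8.2",
    "plexus-utils": "3.0.24",
}

if __name__ == "__main__":
    for bom in (SAMPLE_BOM, UPGRADED_BOM):
        print(audit(bom) or "no findings")
```

Feed `audit()` the versions that are actually packaged, not the ones a `pom.xml` declares: the report lists `ReaderBasedJsonParser.class`, `URIBuilder.class` and `Expand.class` directly inside `tika-app-1.13.jar`, so for that artifact the classes are bundled into the jar itself and a `dependencyManagement` override in a consuming project does not change what ships.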
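Finding 4 says `Expand.extractFile()` in Plexus Utils accepts `../` in `entryName`, so an archive entry can be written outside the extraction directory. The following is an added example, not Plexus, Tika or Sonatype code, of the containment check an extractor needs before opening an output file; it is written in Python rather than Java so it runs stand-alone, and the archive contents and function names are constructed for illustration.

```python
"""Archive extraction that rejects entry names escaping the destination.
Added example; not Plexus Utils or Tika code."""
import io
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple, Union


def resolve_entry(dest_dir: Union[str, Path], entry_name: str) -> Path:
    """Return the absolute path an archive entry would be written to, raising
    ValueError if it would land outside dest_dir.  resolve() collapses '..'
    and follows symlinks, so a '../' sequence, an absolute name, or a path
    through a symlink an earlier entry planted inside dest_dir all fail."""
    root = Path(dest_dir).resolve()
    # Archive names use '/', but normalise backslashes as well
    candidate = (root / entry_name.replace("\\", "/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    return candidate


def escapes(dest_dir: Union[str, Path], entry_name: str) -> bool:
    """Boolean form of resolve_entry() for callers that only want a verdict."""
    try:
        resolve_entry(dest_dir, entry_name)
    except ValueError:
        return True
    return False


def extract_safely(archive: bytes, dest_dir: Union[str, Path]) -> Tuple[List[str], List[str]]:
    """Extract every entry whose target stays under dest_dir; return the names
    that were written and the names that were rejected."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                target = resolve_entry(dest_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and one traversal entry, the shape
    of archive the finding describes (an entryName containing '../')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "would be written outside dest_dir")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Extract the sample archive into a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_safely(build_sample_archive(), tmp)


if __name__ == "__main__":
    written, rejected = demo()
    print("written:", written)
    print("rejected:", rejected)
```

The check is applied per entry at write time on the resolved path, not once on the raw name: a name with no `../` at all that routes through a symlink an earlier entry created inside the destination still resolves outside it and is rejected. Entries are written with `write_bytes()`, so the extractor never creates symlinks from archive content itself.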