[
https://issues.apache.org/jira/browse/TIKA-3053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Moritz closed TIKA-3053.
--------------------------------
Resolution: Fixed
Wrongly reported
> Denial of Service (DoS) in org.apache.cxf:cxf-core 3.3.2
> --------------------------------------------------------
>
> Key: TIKA-3053
> URL: https://issues.apache.org/jira/browse/TIKA-3053
> Project: Tika
> Issue Type: Bug
> Affects Versions: 1.23
> Reporter: Michael Moritz
> Priority: Major
>
> This issue has been created automatically by a source code scanner
> ## Third party component with known security vulnerabilities
> ent-search-master/script/vendor_jars > Jars.lock >
> org.apache.cxf:cxf-core@3.3.2
> ## Overview
> [org.apache.cxf:cxf-core](https://github.com/apache/cxf) is an open source
> services framework. CXF helps you build and develop services using frontend
> programming APIs, like JAX-WS and JAX-RS.
> Affected versions of this package are vulnerable to Denial of Service (DoS).
> Apache CXF does not restrict the number of message attachments present in a
> given message. This leaves open the possibility of a denial of service type
> attack, where a malicious user crafts a message containing a very large
> number of message attachments.
> ## Details
> Denial of Service (DoS) describes a family of attacks, all aimed at making a
> system inaccessible to its intended and legitimate users.
> Unlike other vulnerabilities, DoS attacks usually do not aim at breaching
> security. Rather, they are focused on making websites and services
> unavailable to genuine users resulting in downtime.
> One popular Denial of Service vulnerability is DDoS (a Distributed Denial of
> Service), an attack that attempts to clog network pipes to the system by
> generating a large volume of traffic from many machines.
> When it comes to open source libraries, DoS vulnerabilities allow attackers
> to trigger such a crash or crippling of the service by using a flaw either in
> the application code or from the use of open source libraries.
> Two common types of DoS vulnerabilities:
> * High CPU/Memory Consumption - An attacker sending crafted requests that
> could cause the system to take a disproportionate amount of time to process.
> For example,
> [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).
> * Crash - An attacker sending crafted requests that could cause the system to
> crash. For example, [npm `ws` package](npm:ws:20171108)
> ## Remediation
> Upgrade `org.apache.cxf:cxf-core` to version 3.3.4, 3.2.11 or higher.
> ## References
> - [CXF Security Advisory](http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc)
> - [SNYK-JAVA-ORGAPACHECXF-480439](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECXF-480439)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)