[ https://issues.apache.org/jira/browse/TIKA-3664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17483793#comment-17483793 ]

Tim Allison commented on TIKA-3664:
-----------------------------------

We have to wait for that to hit a maven repo before we can upgrade.  
@dependabot should let us know.  We're on the cusp of starting the 2.3.0 
release process.  I think we should wait for this.

That said, if you're running Tika on untrusted data, you need to defend against 
infinite loops and other disasters.  You can use the stuff we've built or 
harden your own wrapper.  See: 
https://cwiki.apache.org/confluence/display/TIKA/The+Robustness+of+Apache+Tika

> [8.6] [CVE-2022-23437] [xercesImpl] [2.12.1]
> --------------------------------------------
>
>                 Key: TIKA-3664
>                 URL: https://issues.apache.org/jira/browse/TIKA-3664
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Aman Mishra
>            Priority: Major
>
> tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar
> tika-bundle-standard is using xercesImpl-2.12.1.jar, which seems to be 
> vulnerable. Please check.
> *Description :*
> *Severity :* Sonatype CVSS 3: 8.6; CVE CVSS 2.0: 0.0
> *Weakness :* Sonatype CWE: 611
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* There's a vulnerability within the Apache Xerces Java 
> (XercesJ) XML parser when handling specially crafted XML document payloads. 
> This causes the XercesJ XML parser to wait in an infinite loop, which may 
> sometimes consume system resources for a prolonged duration. This vulnerability 
> is present within XercesJ version 2.12.1 and the previous versions.
> *Explanation :* This issue has undergone the Sonatype Fast-Track process. For 
> more information, please see the Sonatype Knowledge Base Guide.
> *Root Cause :* xercesImpl-2.12.1.jar : [ ,2.12.2]
> *Advisories :* Project: 
> [http://www.openwall.com/lists/oss-security/2022/01/24/3]
> *CVSS Details :* Sonatype CVSS 3: 8.6; CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
> *Occurences (Paths) :* 
> ["/tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar"]
> *CVE :* CVE-2022-23437
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437]
> *Remediation :* This component does not have any non-vulnerable Version. 
> Please contact the vendor to get this vulnerability fixed.
> *First Scan Date :* Wed Jan 26 02:49:18 IST 2022



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
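The comment above recommends running Tika on untrusted input behind a hardened wrapper so that a parser stuck in an infinite loop (the failure mode CVE-2022-23437 describes) cannot take the calling service down with it. The following is an added example, not code from the Tika project or from anyone in this thread. It contrasts the in-process pattern that does not actually contain a runaway parser with Tika's ForkParser, which runs the real parser in a child JVM that can be killed. The timeout, heap and text-size budgets are assumed values for illustration; the ForkParser calls (setServerParseTimeoutMillis, setPoolSize, setJavaCommand) are assumed to be the Tika 2.x API.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.tika.fork.ForkParser;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.sax.BodyContentHandler;

public class HardenedTikaWrapper implements AutoCloseable {
    // Assumed budgets for this example; tune them for your own service.
    private static final long PARSE_TIMEOUT_MS = 30_000;
    private static final int MAX_TEXT_CHARS = 1_000_000;

    private final ForkParser forkParser;

    public HardenedTikaWrapper() {
        // The child JVM does the parsing. If Xerces (or any other parser) spins
        // forever, Tika tears the child down after the parse timeout instead of
        // leaving a hung thread behind in this process.
        forkParser = new ForkParser(HardenedTikaWrapper.class.getClassLoader(),
                new AutoDetectParser());
        forkParser.setServerParseTimeoutMillis(PARSE_TIMEOUT_MS);
        forkParser.setPoolSize(2);
        // Cap the child's heap so a memory bomb is a child-JVM OOM, not ours.
        forkParser.setJavaCommand(Arrays.asList("java", "-Xmx512m",
                "-Djava.awt.headless=true"));
    }

    /** Hardened path: parse in the child JVM with a hard time limit. */
    public String extractText(Path file) throws Exception {
        // BodyContentHandler with a write limit stops unbounded text output.
        BodyContentHandler handler = new BodyContentHandler(MAX_TEXT_CHARS);
        try (InputStream in = Files.newInputStream(file)) {
            forkParser.parse(in, handler, new Metadata(), new ParseContext());
        }
        return handler.toString();
    }

    /**
     * Anti-pattern kept here for contrast: an in-process parse wrapped in a
     * Future. Future.get(timeout) returns control to the caller, but
     * cancel(true) only sets the interrupt flag; a parser looping in pure
     * computation never checks it, so the thread keeps burning a core until
     * the JVM exits. This is why the comment above points to a real wrapper.
     */
    public static String extractTextInProcess(Path file) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> result = pool.submit(() -> {
                BodyContentHandler handler = new BodyContentHandler(MAX_TEXT_CHARS);
                try (InputStream in = Files.newInputStream(file)) {
                    new AutoDetectParser().parse(in, handler, new Metadata(),
                            new ParseContext());
                }
                return handler.toString();
            });
            return result.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Caller is unblocked, but the worker thread may still be spinning.
            throw new IllegalStateException("parse exceeded time budget", e);
        } finally {
            pool.shutdownNow();
        }
    }

    @Override
    public void close() {
        forkParser.close();
    }

    public static void main(String[] args) throws Exception {
        try (HardenedTikaWrapper wrapper = new HardenedTikaWrapper()) {
            System.out.println(wrapper.extractText(Paths.get(args[0])));
        }
    }
}
```

Run it as `java -cp tika-app-2.x.jar:. HardenedTikaWrapper untrusted.xml`. The process boundary is the point: a timeout on a thread only limits how long the caller waits, whereas a timeout on a child process limits how long the CPU is actually consumed. Upgrading xercesImpl to 2.12.2 removes this particular loop, but the wrapper is what covers the next one.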
