[jira] [Created] (TIKA-2499) Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of vulnerable Third party components.

2017-11-10 Thread Abhijit Rajwade (JIRA)
Abhijit Rajwade created TIKA-2499:
-

 Summary: Sonatype Nexus Auditor is reporting that Tika 1.13 is 
using a number of vulnerable Third party components.
 Key: TIKA-2499
 URL: https://issues.apache.org/jira/browse/TIKA-2499
 Project: Tika
  Issue Type: Bug
Affects Versions: 1.13
Reporter: Abhijit Rajwade


Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of 
vulnerable Third party components.

Sr No | Vulnerability ID | Description from Nexus Auditor | Vulnerable Third party component | Fixed Third party component

1   SONATYPE-2017-0355
Source Sonatype Data Research
Severity Sonatype CVSS 3.0: 7.5
Weakness Sonatype CWE: 20

Explanation
jackson-core is vulnerable to Denial of Service (DoS). The 
_reportInvalidToken() function in the UTF8StreamJsonParser and 
ReaderBasedJsonParser classes allows large amounts of extraneous data to be 
printed to the server log. An attacker can exploit this vulnerability by 
crafting a POST request containing large amounts of data. When the data 
contains invalid JSON, an exception is thrown, which results in the consumption 
of available disk space when the error message is written to server.log along 
with the request data.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-app-1.13.jar <= ReaderBasedJsonParser.class : [2.0.0-RC1, 2.8.6)
tika-app-1.13.jar <= UTF8StreamJsonParser.class : [2.0.0-RC1, 2.8.6)
Advisories
Attack: https://issues.jboss.org/browse/JBEAP-6316
Project: https://github.com/FasterXML/jackson-core/pull/322
Vulnerable Third party component: Jackson
Fixed Third party component: Jackson 2.8.6 or later

2   SONATYPE-2017-0359
Source Sonatype Data Research
Severity Sonatype CVSS 3.0: 7.5
Weakness Sonatype CWE: 22

Explanation
The Apache httpcomponents component is vulnerable to Directory Traversal. The 
normalizePath() function in the URIBuilder class allows directory traversal 
characters such as ../. An attacker can exploit this vulnerability by sending a 
specially crafted request containing this sequence in the URL path, allowing 
the attacker to traverse beyond the allowed directory and retrieve the contents 
of arbitrary files from the server, leading to information disclosure.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-app-1.13.jar <= URIBuilder.class : [4.2.1-RC1, 4.5.3)
Advisories
Project: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
Vulnerable Third party component: Apache httpcomponents
Fixed Third party component: Apache httpcomponents 4.5.3 or later

3   CVE-2017-12620
Issue CVE-2017-12620
Source National Vulnerability Database
Severity Sonatype CVSS 3.0: 7.3
Weakness Sonatype CWE: 611

Description from CVE
When loading models or dictionaries that contain XML it is possible to perform 
an XXE attack, since Apache OpenNLP is a library, this only affects 
applications that load models or dictionaries from untrusted sources. The 
versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache 
OpenNLP are affected.
Explanation
Apache OpenNLP is vulnerable to XML External Entity (XXE) attack. The 
constructor in the ConstitParseSampleStream class, createDOM() function in the 
GeneratorFactory class, and the parse() function in the 
IrishSentenceBankDocument and LetsmtDocument classes allows unsafe external 
entities when processing XML data from models and dictionaries. A remote 
attacker can exploit this by submitting specially crafted XML, which can 
potentially lead to Denial of Service, Information Disclosure, or other attacks.
Advisory Deviation Notice 
The Sonatype security research team discovered that the vulnerability is 
present in version 1.5.2-incubating-rc1 until 1.8.2, not in all the versions 
from 1.5.0 till 1.8.2 as the advisory states.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= ConstitParseSampleStream.class : [1.5.3-rc1, 1.7.1)
tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= GeneratorFactory.class : [1.5.3-rc1, 1.7.1)
Advisories
Project: http://opennlp.apache.org/news/cve-2017-12620.html
Vulnerable Third party component: Apache OpenNLP
Fixed Third party component: Apache OpenNLP 1.8.2 or later

4   SONATYPE-2016-0398
Source Sonatype Data Research
Severity Sonatype CVSS 3.0: 7.5
Weakness Sonatype CWE: 22

Explanation
Plexus Utils is vulnerable to Directory Traversal. The extractFile() function 
in the Expand class allows directory traversal characters such as ../ via the 
entryName parameter. An attacker can exploit this 
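The Plexus Utils item above (and the httpcomponents one before it) is the classic traversal shape: a name supplied by the input is joined to a base directory without being normalised or checked, so "../" segments walk out of it. As an added example, written for this page and not code from Tika, Plexus Utils or httpcomponents, here is the entry-name check an extractor should apply: normalise the name, reject absolute and escaping forms, resolve the final path and confirm it is still under the destination. `naive_target()` models the unchecked join the advisory describes; `safe_target()` is the hardened form. The destination directory and entry names are constructed for the demo and need not exist.

```python
import os
import posixpath


class UnsafeEntryName(ValueError):
    """Raised when an archive entry name would escape the extraction directory."""


def naive_target(dest_dir, entry_name):
    """The unchecked join the advisory describes: '../' segments in the entry
    name simply walk out of dest_dir once the path is used."""
    return os.path.normpath(os.path.join(dest_dir, entry_name))


def safe_target(dest_dir, entry_name):
    """Return the absolute path an entry may be written to, or raise UnsafeEntryName."""
    # Archive formats use '/' as the separator; Windows-built archives may carry
    # backslashes, which some extractors also honour, so treat them the same.
    name = entry_name.replace("\\", "/")
    # Reject empty names, absolute paths and drive-letter forms such as 'C:/x'.
    if not name or name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntryName(f"absolute or empty entry name: {entry_name!r}")
    # Collapse '.' and '..' segments first, so 'a/../../x' is seen for what it is.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise UnsafeEntryName(f"entry escapes the archive root: {entry_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    # Final check on the resolved path: it must still sit inside the destination.
    # This also catches a symlink already present under dest_dir that points elsewhere.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeEntryName(f"entry resolves outside {root}: {entry_name!r}")
    return target


def audit_entries(dest_dir, entry_names):
    """Map each entry name to its resolved target path, or 'REJECTED'."""
    verdicts = {}
    for name in entry_names:
        try:
            verdicts[name] = safe_target(dest_dir, name)
        except UnsafeEntryName:
            verdicts[name] = "REJECTED"
    return verdicts


# Constructed sample: entry names as they might appear in an archive handed to
# an extractor; the destination directory does not need to exist for the check.
SAMPLE_ENTRIES = [
    "docs/readme.txt",      # ordinary file
    "a/./b/../c.txt",       # harmless dot segments, resolves to a/c.txt
    "../../etc/passwd",     # plain traversal
    "a/../../x.txt",        # traversal hidden behind a normal first segment
    "..\\..\\x.txt",        # backslash variant
    "/abs/path.txt",        # absolute path
]

if __name__ == "__main__":
    for name, verdict in audit_entries("/srv/extract", SAMPLE_ENTRIES).items():
        print(f"{name!r:24} -> {verdict}")
    print("naive join of '../../etc/passwd':",
          naive_target("/srv/extract", "../../etc/passwd"))
```

The two-stage check matters: the normpath test alone would miss a symlink planted earlier in the same archive, and the realpath test alone would accept names that happen to resolve back inside the root by way of unrelated directories; doing both keeps the rule simple to audit.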

[jira] [Commented] (TIKA-2499) Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of vulnerable Third party components.

2017-11-10 Thread Abhijit Rajwade (JIRA)

[ 
https://issues.apache.org/jira/browse/TIKA-2499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16247714#comment-16247714
 ] 

Abhijit Rajwade commented on TIKA-2499:
---

Sonatype Nexus Auditor shows that all current Apache Tika versions, including 
Apache Tika 1.16, are vulnerable.

> Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of 
> vulnerable Third party components.
> --
>
> Key: TIKA-2499
> URL: https://issues.apache.org/jira/browse/TIKA-2499
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.13
>Reporter: Abhijit Rajwade
>  Labels: Security
>
> Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of 
> vulnerable Third party components.
> Sr No | Vulnerability ID | Description from Nexus Auditor | Vulnerable Third party component | Fixed Third party component
> 1 SONATYPE-2017-0355
> Source Sonatype Data Research
> Severity Sonatype CVSS 3.0: 7.5
> Weakness Sonatype CWE: 20
> Explanation
> jackson-core is vulnerable to Denial of Service (DoS). The 
> _reportInvalidToken() function in the UTF8StreamJsonParser and 
> ReaderBasedJsonParser classes allows large amounts of extraneous data to be 
> printed to the server log. An attacker can exploit this vulnerability by 
> crafting a POST request containing large amounts of data. When the data 
> contains invalid JSON, an exception is thrown, which results in the 
> consumption of available disk space when the error message is written to 
> server.log along with the request data.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> tika-app-1.13.jar <= ReaderBasedJsonParser.class : [2.0.0-RC1, 2.8.6)
> tika-app-1.13.jar <= UTF8StreamJsonParser.class : [2.0.0-RC1, 2.8.6)
> Advisories
> Attack: https://issues.jboss.org/browse/JBEAP-6316
> Project: https://github.com/FasterXML/jackson-core/pull/322
> Vulnerable Third party component: Jackson
> Fixed Third party component: Jackson 2.8.6 or later
> 2 SONATYPE-2017-0359
> Source Sonatype Data Research
> Severity Sonatype CVSS 3.0: 7.5
> Weakness Sonatype CWE: 22
> Explanation
> The Apache httpcomponents component is vulnerable to Directory Traversal. The 
> normalizePath() function in the URIBuilder class allows directory traversal 
> characters such as ../. An attacker can exploit this vulnerability by sending 
> a specially crafted request containing this sequence in the URL path, 
> allowing the attacker to traverse beyond the allowed directory and retrieve 
> the contents of arbitrary files from the server, leading to information 
> disclosure.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> tika-app-1.13.jar <= URIBuilder.class : [4.2.1-RC1, 4.5.3)
> Advisories
> Project: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
> Vulnerable Third party component: Apache httpcomponents
> Fixed Third party component: Apache httpcomponents 4.5.3 or later
> 3 CVE-2017-12620
> Issue CVE-2017-12620
> Source National Vulnerability Database
> Severity Sonatype CVSS 3.0: 7.3
> Weakness Sonatype CWE: 611
> Description from CVE
> When loading models or dictionaries that contain XML it is possible to 
> perform an XXE attack, since Apache OpenNLP is a library, this only affects 
> applications that load models or dictionaries from untrusted sources. The 
> versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache 
> OpenNLP are affected.
> Explanation
> Apache OpenNLP is vulnerable to XML External Entity (XXE) attack. The 
> constructor in the ConstitParseSampleStream class, createDOM() function in 
> the GeneratorFactory class, and the parse() function in the 
> IrishSentenceBankDocument and LetsmtDocument classes allows unsafe external 
> entities when processing XML data from models and dictionaries. A remote 
> attacker can exploit this by submitting specially crafted XML, which can 
> potentially lead to Denial of Service, Information Disclosure, or other 
> attacks.
> Advisory Deviation Notice 
> The Sonatype security research team discovered that the vulnerability is 
> present in version 1.5.2-incubating-rc1 until 1.8.2, not in all the versions 
> from 1.5.0 till 1.8.2 as the advisory states.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= ConstitParseSampleStream.class : [1.5.3-rc1, 1.7.1)
> 
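The OpenNLP item (CVE-2017-12620, quoted above) concerns XML loaded from model or dictionary files being parsed with external entities honoured. As an added example that is not OpenNLP's or Tika's code, here is how a loader can refuse such documents outright using Python's standard-library expat parser: any entity declaration (external or internal), any external entity reference and any external DTD subset aborts the parse before anything is resolved. The dictionary XML snippets are constructed for the demo; the element shape is a guess, not OpenNLP's real format.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when a document declares entities or pulls in external content."""


def parse_model_xml(data):
    """Parse XML bytes into a list of (tag, attributes, text), one per element
    in end-tag order, refusing entity declarations, external entity references
    and external DTD subsets. The three handlers below are what make it safe;
    the element collection is just what a model/dictionary loader would keep."""
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXml("external DTD subset is not allowed")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Covers external entities (the XXE vector) and internal ones
        # (entity-expansion DoS); a data file has no business declaring either.
        raise UnsafeXml(f"entity declaration {name!r} is not allowed")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXml(f"external entity reference to {system_id!r} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    elements, stack = [], []

    def start(tag, attrs):
        stack.append((tag, dict(attrs), []))

    def chars(text):
        if stack:
            stack[-1][2].append(text)

    def end(tag):
        name, attrs, parts = stack.pop()
        elements.append((name, attrs, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)      # exceptions raised in handlers propagate here
    return elements


def is_safe(data):
    """True if the document parses without tripping any of the entity checks."""
    try:
        parse_model_xml(data)
        return True
    except UnsafeXml:
        return False


# Constructed sample inputs: a benign dictionary file, one declaring an external
# entity (the XXE shape), and one declaring an internal entity (expansion vector).
SAFE_DICT = b"""<?xml version="1.0"?>
<dictionary case_sensitive="false">
  <entry><token>Dublin</token></entry>
</dictionary>"""

XXE_DICT = b"""<?xml version="1.0"?>
<!DOCTYPE dictionary [
  <!ENTITY ext SYSTEM "file:///example/local-file.txt">
]>
<dictionary><entry><token>&ext;</token></entry></dictionary>"""

INTERNAL_ENTITY_DICT = b"""<?xml version="1.0"?>
<!DOCTYPE dictionary [ <!ENTITY a "aaaaaaaa"> ]>
<dictionary><entry><token>&a;&a;</token></entry></dictionary>"""

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DICT), ("xxe", XXE_DICT),
                       ("internal entity", INTERNAL_ENTITY_DICT)]:
        print(f"{label:16} accepted={is_safe(doc)}")
```

Rejecting every entity declaration is stricter than merely disabling external ones, but for data files that a library loads on an application's behalf it is the right default: there is no legitimate reason for a model or dictionary to carry a DTD.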

[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-02-19 Thread Abhijit Rajwade (JIRA)

[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16369070#comment-16369070
 ] 

Abhijit Rajwade commented on TIKA-2577:
---

Bouncy Castle seems to be used by Tika for support of encrypted documents.

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --
>
> Key: TIKA-2577
> URL: https://issues.apache.org/jira/browse/TIKA-2577
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer's private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
> --- Abhijit Rajwade
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-02-19 Thread Abhijit Rajwade (JIRA)

[ 
https://issues.apache.org/jira/browse/TIKA-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16369097#comment-16369097
 ] 

Abhijit Rajwade commented on TIKA-2577:
---

Nevertheless, TPS scanning tools like Nexus Auditor see the vulnerable Bouncy 
Castle version packaged with Apache Tika and report this vulnerability. It 
would be nice if you upgraded the Bouncy Castle version in a future release so 
that we don't have to track this particular exclusion when tracking Nexus 
Auditor issues for our consuming application.

> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 is vulnerable
> --
>
> Key: TIKA-2577
> URL: https://issues.apache.org/jira/browse/TIKA-2577
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus Auditor is reporting that the Bouncy castle version used by 
> Tika 1.17 (tika-app-1.17.jar) is vulnerable.
> Here are the details of CVE-2016-1000341.
>  
> *Explanation*
> {{BouncyCastle}} is vulnerable to a Timing Attack. The 
> {{generateSignature()}} function in the {{DSASigner.java}} file allows the 
> per message key (the {{k}} value in the DSA algorithm) to be predictable 
> while generating DSA signatures. A remote attacker can exploit this 
> vulnerability to determine the {{k}} value by closely observing the timings 
> for the generation of signatures, allowing the attacker to deduce the 
> signer's private key.
> Detection
> The application is vulnerable by using this component.
>  
> *Recommendation*
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
>  
> *Root Cause*
> tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
> tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
> Advisories
> Third Party: 
> [https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
> Project: [https://www.bouncycastle.org/releasenotes.html]
>  
> *Resolution*
> Refer [https://www.bouncycastle.org/releasenotes.html]
> You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.
> Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.
> --- Abhijit Rajwade
>  
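The comment above is about a scanner flagging a component by the version bundled inside a jar, and about having to track exclusions for findings that do not apply. As an added example (my own, not Sonatype's or Tika's tooling), here is a small triage script that parses Nexus "Root Cause" lines in the form quoted in these reports (`<Class>.class : [lo, hi)`, with any jar chain and JIRA `*<=*` markup before the class ignored), compares a recorded component version against the Maven-style range, and reports whether each finding applies and what the first clean release is. The versions in `BUNDLED` are constructed for the demo, not Tika's actual bundled versions; in practice they come from the component's `pom.properties` or manifest inside the jar. The version ordering is a simplification of Maven's rules: numeric segments compare numerically, and qualifiers such as RC1 sort below the corresponding release.

```python
import re

# One Nexus "Root Cause" line: '<Class>.class : <range>' somewhere in the text.
ROOT_CAUSE_RE = re.compile(
    r"(?P<cls>[A-Za-z0-9_$]+\.class)\s*:\s*"
    r"(?P<lo_br>[\[(])\s*(?P<lo>[^,\])]*?)\s*,\s*(?P<hi>[^,\])]*?)\s*(?P<hi_br>[\])])"
)


def version_key(version):
    """Split '2.8.6-RC1' into comparable tokens: digits compare numerically and
    qualifiers (rc, incubating, ...) sort below any number, so '2.8.6-RC1' < '2.8.6'."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1. Missing trailing segments count as 0, so '2.8' == '2.8.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(1, 0)] * (width - len(ka))
    kb += [(1, 0)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version, lo, lo_inclusive, hi, hi_inclusive):
    """Maven-style interval test; an empty bound means unbounded on that side."""
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and not lo_inclusive):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and not hi_inclusive):
            return False
    return True


def triage(root_cause_lines, bundled_versions):
    """For each parsable Root Cause line, decide whether the recorded component
    version falls inside the vulnerable range. Returns a list of dicts."""
    findings = []
    for line in root_cause_lines:
        m = ROOT_CAUSE_RE.search(line)
        if not m:
            continue
        cls, lo, hi = m.group("cls"), m.group("lo"), m.group("hi")
        lo_inc, hi_inc = m.group("lo_br") == "[", m.group("hi_br") == "]"
        version = bundled_versions.get(cls)
        if version is None:
            status = "UNKNOWN"          # no version recorded for this class
        elif in_range(version, lo, lo_inc, hi, hi_inc):
            status = "VULNERABLE"
        else:
            status = "NOT AFFECTED"     # candidate for a documented exclusion
        # With an exclusive upper bound the bound itself is the first clean release.
        fix = hi if (hi and not hi_inc) else None
        findings.append({"class": cls, "bundled": version,
                         "range": line[m.start("lo_br"):m.end("hi_br")],
                         "status": status, "fix": fix})
    return findings


# Root Cause lines as quoted in these reports.
ROOT_CAUSE_LINES = [
    "tika-app-1.13.jar <= ReaderBasedJsonParser.class : [2.0.0-RC1, 2.8.6)",
    "tika-app-1.13.jar <= URIBuilder.class : [4.2.1-RC1, 4.5.3)",
    "tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= ConstitParseSampleStream.class : [1.5.3-rc1, 1.7.1)",
    "tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)",
    "Nat256.class : [1.53,1.56)",
]

# Constructed: component versions an operator recorded for the classes above
# (not Tika's real bundled versions).
BUNDLED = {
    "ReaderBasedJsonParser.class": "2.8.5",
    "URIBuilder.class": "4.5.3",
    "ConstitParseSampleStream.class": "1.5.3",
    "DSASigner.class": "1.54",
    "Nat256.class": "1.57",
}

if __name__ == "__main__":
    for f in triage(ROOT_CAUSE_LINES, BUNDLED):
        print(f"{f['class']:32} {f['bundled'] or '?':8} {f['range']:22} "
              f"{f['status']}" + (f" (fix: {f['fix']})" if f["fix"] else ""))
```

The point of recording the verdict per class rather than per jar is that a bundled jar such as tika-app carries many components; the exclusion the comment mentions is only justified for the classes whose recorded version is outside the range, and the script makes that boundary explicit.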





[jira] [Created] (TIKA-2577) Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 1.17 is vulnerable

2018-02-19 Thread Abhijit Rajwade (JIRA)
Abhijit Rajwade created TIKA-2577:
-

 Summary: Sonatype Nexus Auditor is reporting that the Bouncy 
castle version used by Tika 1.17 is vulnerable
 Key: TIKA-2577
 URL: https://issues.apache.org/jira/browse/TIKA-2577
 Project: Tika
  Issue Type: Bug
Affects Versions: 1.17
Reporter: Abhijit Rajwade


Sonatype Nexus Auditor is reporting that the Bouncy castle version used by Tika 
1.17 (tika-app-1.17.jar) is vulnerable.

Here are the details of CVE-2016-1000341.

 
*Explanation*
{{BouncyCastle}} is vulnerable to a Timing Attack. The {{generateSignature()}} 
function in the {{DSASigner.java}} file allows the per message key (the {{k}} 
value in the DSA algorithm) to be predictable while generating DSA signatures. 
A remote attacker can exploit this vulnerability to determine the {{k}} value 
by closely observing the timings for the generation of signatures, allowing the 
attacker to deduce the signer's private key.
Detection
The application is vulnerable by using this component.

 
*Recommendation*
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data

 
*Root Cause*
tika-app-1.17.jar *<=* DSASigner.class : (, 1.56)
tika-app-1.17.jar *<=* DSASigner.class : (,1.56)
Advisories
Third Party: 
[https://rdist.root.org/2010/11/19/dsa-requirements-for-rando...|https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/]
Project: [https://www.bouncycastle.org/releasenotes.html]

 

*Resolution*

Refer [https://www.bouncycastle.org/releasenotes.html]

You can see that Bouncy Castle version 1.56 fixes CVE-2016-1000341.

Recommend that Apache Tika upgrade Bouncy Castle to version 1.56 or later.

--- Abhijit Rajwade

 





[jira] [Created] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the Bouncy Castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)
Abhijit Rajwade created TIKA-2699:
-

 Summary: Security: Sonatype Nexus scan is reporting multiple 
vulnerabilities on the Bouncy Castle version used by Apache Tika
 Key: TIKA-2699
 URL: https://issues.apache.org/jira/browse/TIKA-2699
 Project: Tika
  Issue Type: Bug
Affects Versions: 1.18, 1.17
Reporter: Abhijit Rajwade


Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
Bouncy Castle version used by Apache Tika.

Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, 
CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352

The recommendation is to upgrade to non-vulnerable Bouncy Castle version 1.57 
or later (1.58, 1.59, 1.60).

Can you please upgrade Bouncy Castle to a non-vulnerable version?





[jira] [Commented] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the Bouncy Castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563436#comment-16563436
 ] 

Abhijit Rajwade commented on TIKA-2699:
---

CVE-2016-1000338 info
 
Issue 
[CVE-2016-1000338|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000338]
Source National Vulnerability Database
Severity
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 3.7
 
Weakness CVE CWE: [347|https://cwe.mitre.org/data/definitions/347.html]
 
Description from CVE
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully 
validate ASN.1 encoding of signature on verification. It is possible to inject 
extra elements in the sequence making up the signature and still have it 
validate, which in some cases may allow the introduction of 'invisible' data 
into a signed structure.
Explanation
DSA does not fully validate ASN.1 encoding of signature on verification. It is 
possible to inject extra elements in the sequence making up the signature and 
still have it validate, which in some cases may allow the introduction of 
“invisible” data into a signed structure. 
Reference: https://www.bouncycastle.org/releasenotes.html
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
DSASigner.class : [1.47, 1.56)
Advisories
Project: [https://www.bouncycastle.org/releasenotes.html]
 

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika
> 
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17, 1.18
>Reporter: Abhijit Rajwade
>Priority: Major
>  Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, 
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to non-vulnerable Bouncy Castle version 1.57 
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy Castle to a non-vulnerable version?





[jira] [Commented] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the Bouncy Castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563437#comment-16563437
 ] 

Abhijit Rajwade commented on TIKA-2699:
---

CVE-2016-1000340 info
 
Issue
[CVE-2016-1000340|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000340]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 4.8
Weakness
CVE CWE: [19|https://cwe.mitre.org/data/definitions/19.html]
Description from CVE
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation 
bug was introduced in the implementation of squaring for several raw math 
classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are 
used by our custom elliptic curve implementations 
(org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in 
general usage) spurious calculations for elliptic curve scalar multiplications. 
Such errors would have been detected with high probability by the output 
validation for our scalar multipliers.
Explanation
“Carry propagation bugs in the implementation of squaring for several raw math 
classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are 
used by our custom elliptic curve implementations 
(org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in 
general usage) spurious calculations for elliptic curve scalar multiplications. 
Such errors would have been detected with high probability by the output 
validation for our scalar multipliers.”

Reference: [http://www.bouncycastle.org/releasenotes.html]
Detection
The application is vulnerable by using this component with static Elliptic 
curve Diffie–Hellman (ECDH) ciphersuites enabled.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Functional
Root Cause
Nat256.class : [1.53,1.56)
Nat224.class : [1.53,1.56)
Nat128.class : [1.53,1.56)
Nat192.class : [1.53,1.56)
Nat160.class : [1.53,1.56)
Advisories
Project: [http://www.bouncycastle.org/releasenotes.html]

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika
> 
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17, 1.18
>Reporter: Abhijit Rajwade
>Priority: Major
>  Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, 
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to non-vulnerable Bouncy Castle version 1.57 
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy Castle to a non-vulnerable version?





[jira] [Commented] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the Bouncy Castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563438#comment-16563438
 ] 

Abhijit Rajwade commented on TIKA-2699:
---

CVE-2016-1000342 info 
 
Issue
[CVE-2016-1000342|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000342]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 3.7
Weakness
CVE CWE: [347|https://cwe.mitre.org/data/definitions/347.html]
Description from CVE
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully 
validate ASN.1 encoding of signature on verification. It is possible to inject 
extra elements in the sequence making up the signature and still have it 
validate, which in some cases may allow the introduction of 'invisible' data 
into a signed structure.
Explanation
ECDSA does not fully validate ASN.1 encoding of signature on verification. It 
is possible to inject extra elements in the sequence making up the signature 
and still have it validate, which in some cases may allow the introduction of 
“invisible” data into a signed structure. 
Reference: https://www.bouncycastle.org/releasenotes.html
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
SignatureSpi.class : [1.47, 1.56)
Advisories
Project: [https://www.bouncycastle.org/releasenotes.html]
 

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika
> 
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17, 1.18
>Reporter: Abhijit Rajwade
>Priority: Major
>  Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, 
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to non-vulnerable Bouncy Castle version 1.57 
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy Castle to a non-vulnerable version?
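CVE-2016-1000342 (this comment) and CVE-2016-1000338 (the earlier comment on DSASigner) describe the same flaw for ECDSA and DSA respectively: the verifier accepts a signature SEQUENCE that contains more than the two INTEGERs r and s, so extra data can ride along inside a structure that still verifies. As an added example that is not Bouncy Castle's code, here is a minimal DER reader with a `lenient_decode()` that models that behaviour beside a `strict_decode()` that requires exactly SEQUENCE { INTEGER r, INTEGER s }, no bytes after the SEQUENCE, and minimal length and integer encodings as DER demands. The r and s values and the smuggled element are constructed; the decoders only check structure, and a real verifier would go on to check r and s against the key.

```python
class DerError(ValueError):
    """Raised when bytes are not a well-formed DER SEQUENCE { INTEGER r, INTEGER s }."""


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """Minimal DER encoding of a non-negative INTEGER (used to build the samples)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body          # keep the sign bit clear
    return b"\x02" + _encode_length(len(body)) + body


def der_sequence(*elements):
    body = b"".join(elements)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; returns (tag, value, next_pos).
    The length must be definite and minimally encoded, as DER requires."""
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad or truncated long-form length")
        raw = buf[pos:pos + n]
        pos += n
        length = int.from_bytes(raw, "big")
        if raw[0] == 0 or length < 0x80:
            raise DerError("non-minimal length encoding")
    if pos + length > len(buf):
        raise DerError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _decode_integer(tag, value):
    if tag != 0x02:
        raise DerError(f"expected INTEGER, got tag 0x{tag:02x}")
    if not value:
        raise DerError("empty INTEGER")
    if value[0] & 0x80:
        raise DerError("negative INTEGER in signature")
    if len(value) > 1 and value[0] == 0 and not value[1] & 0x80:
        raise DerError("non-minimal INTEGER (redundant leading zero)")
    return int.from_bytes(value, "big")


def lenient_decode(sig):
    """Models the flawed behaviour: takes the first two INTEGERs out of the
    SEQUENCE and ignores anything that follows them, inside or after it."""
    tag, body, _ = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DerError("not a SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    t2, v2, _ = _read_tlv(body, pos)
    return _decode_integer(t1, v1), _decode_integer(t2, v2)


def strict_decode(sig):
    """Accepts only SEQUENCE { INTEGER r, INTEGER s } with nothing extra."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DerError("not a SEQUENCE")
    if end != len(sig):
        raise DerError("trailing bytes after the signature SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    t2, v2, pos = _read_tlv(body, pos)
    if pos != len(body):
        raise DerError("extra elements inside the signature SEQUENCE")
    return _decode_integer(t1, v1), _decode_integer(t2, v2)


def accepted_by_strict(sig):
    try:
        strict_decode(sig)
        return True
    except DerError:
        return False


# Constructed sample values: r and s are arbitrary small integers, not a real signature.
R, S = 0x5A7E, 0x9C31
GOOD_SIG = der_sequence(der_integer(R), der_integer(S))
# Same r and s with a third element (an OCTET STRING) smuggled into the SEQUENCE.
SMUGGLED_SIG = der_sequence(der_integer(R), der_integer(S), b"\x04\x05hello")
# Same r and s with a byte appended after the SEQUENCE.
TRAILING_SIG = GOOD_SIG + b"\x00"

if __name__ == "__main__":
    for label, sig in [("good", GOOD_SIG), ("smuggled", SMUGGLED_SIG), ("trailing", TRAILING_SIG)]:
        print(f"{label:9} lenient={lenient_decode(sig)} strict_ok={accepted_by_strict(sig)}")
```

The lenient decoder returns the same (r, s) for all three inputs, which is exactly why the smuggled bytes are "invisible": the mathematics verifies, but the signed blob is no longer canonical. Requiring the strict form also gives the verifier a cheap canonicality check, since a given (r, s) then has exactly one accepted byte encoding.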





[jira] [Comment Edited] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the Bouncy Castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563437#comment-16563437
 ] 

Abhijit Rajwade edited comment on TIKA-2699 at 7/31/18 10:26 AM:
-

CVE-2016-1000340 info
  
 Issue
 
[CVE-2016-1000340|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000340]
 Source
 National Vulnerability Database
 Severity
 CVE CVSS 3.0: 7.5
 CVE CVSS 2.0: 5.0
 Sonatype CVSS 3.0: 4.8
 Weakness
 CVE CWE: [19|https://cwe.mitre.org/data/definitions/19.html]
 Description from CVE
 In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation 
bug was introduced in the implementation of squaring for several raw math 
classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are 
used by our custom elliptic curve implementations 
(org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in 
general usage) spurious calculations for elliptic curve scalar multiplications. 
Such errors would have been detected with high probability by the output 
validation for our scalar multipliers.
 Explanation
 “Carry propagation bugs in the implementation of squaring for several raw math 
classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are 
used by our custom elliptic curve implementations 
(org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in 
general usage) spurious calculations for elliptic curve scalar multiplications. 
Such errors would have been detected with high probability by the output 
validation for our scalar multipliers.”

Reference: [http://www.bouncycastle.org/releasenotes.html]
 Detection
 The application is vulnerable by using this component with static Elliptic 
curve Diffie–Hellman (ECDH) ciphersuites enabled.
 Recommendation
 We recommend upgrading to a version of this component that is not vulnerable 
to this specific issue.
 Categories
 Functional
 Root Cause
 Nat256.class : [1.53,1.56)
 Nat224.class : [1.53,1.56)
 Nat128.class : [1.53,1.56)
 Nat192.class : [1.53,1.56)
 Nat160.class : [1.53,1.56)
 Advisories
 Project: [http://www.bouncycastle.org/releasenotes.html]


was (Author: arajwade):
CVE-2016-1000340 info
 
Issue
[CVE-2016-1000340|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000340]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 4.8
Weakness
CVE CWE: [19|https://cwe.mitre.org/data/definitions/19.html]
Description from CVE
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation 
bug was introduced in the implementation of squaring for several raw math 
classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are 
used by our custom elliptic curve implementations 
(org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in 
general usage) spurious calculations for elliptic curve scalar multiplications. 
Such errors would have been detected with high probability by the output 
validation for our scalar multipliers.
Explanation
“Carry propagation bugs in the implementation of squaring for several raw math 
classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are 
used by our custom elliptic curve implementations 
(org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in 
general usage) spurious calculations for elliptic curve scalar multiplications. 
Such errors would have been detected with high probability by the output 
validation for our scalar multipliers.”

Reference: [http://www.bouncycastle.org/releasenotes.html]
Detection
The application is vulnerable by using this component with static Elliptic 
curve Diffie–Hellman (ECDH) ciphersuites enabled.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Functional
Root Cause
Nat256.class : [1.53,1.56)
Nat224.class : [1.53,1.56)
Nat128.class : [1.53,1.56)
Nat192.class : [1.53,1.56)
Nat160.class : [1.53,1.56)
Advisories
Project: [http://www.bouncycastle.org/releasenotes.html]

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika
> 
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17, 1.18
>Reporter: Abhijit Rajwade
>Priority: Major
>  Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> Bouncy Castle version used by Apache Tika.
> Vulnerabilities reported are 

[jira] [Commented] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the Bouncy Castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563439#comment-16563439
 ] 

Abhijit Rajwade commented on TIKA-2699:
---

CVE-2016-1000343 info
 
Issue
[CVE-2016-1000343|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000343]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.5
CVE CVSS 2.0: 5.0
Sonatype CVSS 3.0: 3.7
Weakness
CVE CWE: [310|https://cwe.mitre.org/data/definitions/310.html]
Description from CVE
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair 
generator generates a weak private key if used with default values. If the JCA 
key pair generator is not explicitly initialised with DSA parameters, 1.55 and 
earlier generates a private value assuming a 1024 bit key size. In earlier 
releases this can be dealt with by explicitly passing parameters to the key 
pair generator.
Explanation
{{BouncyCastle}} package is vulnerable to weak key generation when using DSA 
for encryption and/or signing. The {{generateKeyPair()}} method in the 
{{KeyPairGeneratorSpi}} class uses a small value when generating the private 
key. This makes it easier for an attacker to brute-force the private key, which 
will result in the decryption of information or impersonation of the vulnerable 
server.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
KeyPairGeneratorSpi.class : [1.47, 1.56)
Advisories
Project: [https://www.bouncycastle.org/releasenotes.html]

> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> bouncy castle version used by Apache Tika
> 
>
> Key: TIKA-2699
> URL: https://issues.apache.org/jira/browse/TIKA-2699
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.17, 1.18
>Reporter: Abhijit Rajwade
>Priority: Major
>  Labels: security
>
> Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the 
> bouncy castle version used by Apache Tika.
> Vulnerabilities reported are CVE-2016-1000338, CVE-2016-1000340, 
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352
> The recommendation is to upgrade to non vulnerable Bouncy castle version 1.57 
> or later (1.58, 1.59, 1.60).
> Can you please upgrade Bouncy castle to a non vulnerable version?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
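The CVE-2016-1000343 text above says the fix on older releases is to initialise the DSA key pair generator explicitly. What follows is an added example, not code from Tika or Bouncy Castle: the pattern the advisory warns about next to the explicit one, plus a cheap check for the symptom, a private value x that is far shorter than the subgroup order q. It assumes bcprov is on the classpath and registers the BC provider by hand; generating 2048-bit DSA parameters can take a while.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.interfaces.DSAPrivateKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Sanity check for DSA key pairs from the BC JCE provider (added example, not BC or Tika code).
 * A DSA private value x is uniform in [1, q-1], so bitLength(x) should sit within a few bits of
 * bitLength(q). A 160-bit x beside a 256-bit q is the CVE-2016-1000343 symptom: x was sized for
 * 1024-bit parameters while the generator was using larger ones.
 */
public class DsaKeyCheck {

    /** How many bits shorter the private value is than the subgroup order. */
    static int privateValueShortfall(KeyPair kp) {
        DSAPrivateKey priv = (DSAPrivateKey) kp.getPrivate();
        int qBits = priv.getParams().getQ().bitLength();
        int xBits = priv.getX().bitLength();
        return qBits - xBits;
    }

    /** The pattern the advisory warns about: the generator is used without initialize(). */
    static KeyPair generateWithDefaults() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "BC");
        return kpg.generateKeyPair();
    }

    /** The fix that works on every release: state the key size (or pass a DSAParameterSpec). */
    static KeyPair generateExplicit(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "BC");
        kpg.initialize(bits, new SecureRandom());
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        String[] labels = { "uninitialised generator", "initialize(2048)" };
        KeyPair[] pairs = { generateWithDefaults(), generateExplicit(2048) };
        for (int i = 0; i < pairs.length; i++) {
            int gap = privateValueShortfall(pairs[i]);
            // A random x is more than 16 bits short of q with probability about 2^-16, so a gap of
            // that size or more means the private value was generated for a smaller group.
            String verdict = gap > 16
                    ? "WEAK, x is " + gap + " bits shorter than q"
                    : "ok, gap " + gap + " bits";
            System.out.println(labels[i] + ": " + verdict);
        }
    }
}
```

On an affected release the first line is the one to watch: the uninitialised generator reports the large gap the advisory describes, while the explicitly initialised one does not. On 1.56 and later both lines read ok, which is the cheapest way to confirm an upgrade actually landed on the classpath.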


[jira] [Commented] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the bouncy castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563441#comment-16563441
 ] 

Abhijit Rajwade commented on TIKA-2699:
---

CVE-2016-1000344 info
 
Issue
[CVE-2016-1000344|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000344]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.4
CVE CVSS 2.0: 5.8
Sonatype CVSS 3.0: 4.8
Weakness
CVE CWE: [310|https://cwe.mitre.org/data/definitions/310.html]
Description from CVE
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES 
implementation allowed the use of ECB mode. This mode is regarded as unsafe and 
support for it has been removed from the provider.
Explanation
BouncyCastle uses an insecure encryption method when encrypting data using the 
Diffie-Hellman key exchange algorithm. The {{engineInit}} method in the 
{{IESCipher}} class and {{configure}} method in the {{DH}} class implement the 
ECB mode for encryption, which may result in information about the clear text 
being leaked into the encrypted cipher text. An attacker with access to the 
encrypted data can exploit this vulnerability by analyzing the encrypted data 
for patterns that reveal information about the clear text.
Detection
The application is vulnerable by using this component and making use of ECB 
mode encryption.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Functional
Data
Root Cause
IESCipher.class : [1.49, 1.56)
DH.class : [1.49, 1.56)
Advisories
Project: 
[https://vigilance.fr/vulnerability/Bouncy-Castle-multiple-vu...|https://vigilance.fr/vulnerability/Bouncy-Castle-multiple-vulnerabilities-21455]
Project: [https://github.com/bcgit/bc-java]
Project: [https://www.bouncycastle.org/releasenotes.html]
 



[jira] [Commented] (TIKA-2699) Security: Sonatype Nexus scan is reporting multiple vulnerabilities on the bouncy castle version used by Apache Tika

2018-07-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563444#comment-16563444
 ] 

Abhijit Rajwade commented on TIKA-2699:
---

CVE-2016-1000352 info
 
Issue
[CVE-2016-1000352|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000352]
Source
National Vulnerability Database
Severity
CVE CVSS 3.0: 7.4
CVE CVSS 2.0: 5.8
Sonatype CVSS 3.0: 4.8
Weakness
CVE CWE: [310|https://cwe.mitre.org/data/definitions/310.html]
Description from CVE
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES 
implementation allowed the use of ECB mode. This mode is regarded as unsafe and 
support for it has been removed from the provider.
Explanation
BouncyCastle uses an insecure encryption method when encrypting data using the 
elliptic curve key exchange algorithm. The {{engineInit}} method in the 
{{IESCipher}} class and {{configure}} method in the {{EC}} class implement the 
ECB mode for encryption, which may result in information about the clear text 
being leaked into the encrypted cipher text. An attacker with access to the 
encrypted data can exploit this vulnerability by analyzing the encrypted data 
for patterns that reveal information about the clear text.
Detection
The application is vulnerable by using this component and making use of ECB 
mode encryption.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Functional
Data
Root Cause
IESCipher.class : [1.49, 1.56)
EC.class : [1.49, 1.56)
Advisories
Project: 
[https://vigilance.fr/vulnerability/Bouncy-Castle-multiple-vu...|https://vigilance.fr/vulnerability/Bouncy-Castle-multiple-vulnerabilities-21455]
Project: [https://github.com/bcgit/bc-java]
Project: [https://www.bouncycastle.org/releasenotes.html]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
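The two ECB findings above (CVE-2016-1000344 for DHIES, CVE-2016-1000352 for ECIES) come down to one property: ECB maps equal plaintext blocks to equal ciphertext blocks, so the structure of the data survives encryption and the "patterns" the Nexus text mentions are simply repeated blocks. This is an added example, not Tika or Bouncy Castle code; it uses the JDK's own AES through JCE rather than BC's IESCipher, because the leak lives in the mode, not in the IES wrapper, and the repeated status line is a constructed input.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: why ECB inside an IES envelope leaks. Plain JDK AES, no Bouncy Castle needed. */
public class EcbLeak {
    static final int BLOCK = 16; // AES block size in bytes

    /** Share of ciphertext blocks that repeat an earlier block. Random-looking output scores ~0. */
    static double duplicateBlockRatio(byte[] ct) {
        Set<String> seen = new HashSet<>();
        int blocks = ct.length / BLOCK, dups = 0;
        for (int i = 0; i < blocks; i++) {
            byte[] b = Arrays.copyOfRange(ct, i * BLOCK, (i + 1) * BLOCK);
            if (!seen.add(Arrays.toString(b))) dups++;
        }
        return blocks == 0 ? 0.0 : (double) dups / blocks;
    }

    /** AES under the given transformation; iv is null for ECB, which takes none. */
    static byte[] encrypt(String transformation, byte[] key, byte[] iv, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        SecretKeySpec k = new SecretKeySpec(key, "AES");
        if (iv == null) {
            c.init(Cipher.ENCRYPT_MODE, k);
        } else {
            c.init(Cipher.ENCRYPT_MODE, k, new IvParameterSpec(iv));
        }
        return c.doFinal(pt);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[16], iv = new byte[16];
        rnd.nextBytes(key);
        rnd.nextBytes(iv);

        // Constructed plaintext: 64 copies of a 16-byte record, the kind of structure real data has.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 64; i++) sb.append("status=ACTIVE;\r\n"); // exactly one AES block each
        byte[] pt = sb.toString().getBytes(StandardCharsets.US_ASCII);

        byte[] ecb = encrypt("AES/ECB/PKCS5Padding", key, null, pt);
        byte[] cbc = encrypt("AES/CBC/PKCS5Padding", key, iv, pt);

        // ECB: 64 identical plaintext blocks become 64 identical ciphertext blocks (63 of 65 repeat).
        // CBC with a fresh IV: every block differs. Same key, same plaintext.
        System.out.printf("ECB duplicate-block ratio: %.2f%n", duplicateBlockRatio(ecb));
        System.out.printf("CBC duplicate-block ratio: %.2f%n", duplicateBlockRatio(cbc));
    }
}
```

The duplicate-block ratio doubles as a triage check for the "making use of ECB mode encryption" condition in the Detection line: run it over ciphertext your application actually produces; a ratio well above zero on structured input means the ECB variant is in use, whatever the cipher name in the code says. The provider dropped the ECB variants in 1.56, so after the upgrade only the CBC-based IES names remain.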


[jira] [Created] (TIKA-2717) Sonatype Nexus auditor is reporting that Jackson databind version used by Apache Tika is vulnerable

2018-08-22 Thread Abhijit Rajwade (JIRA)
Abhijit Rajwade created TIKA-2717:
-

 Summary: Sonatype Nexus auditor is reporting that Jackson databind 
version used by Apache Tika is vulnerable
 Key: TIKA-2717
 URL: https://issues.apache.org/jira/browse/TIKA-2717
 Project: Tika
  Issue Type: Bug
  Components: core
Affects Versions: 1.18
Reporter: Abhijit Rajwade


Sonatype Nexus auditor is reporting that Jackson databind version used by 
Apache Tika is vulnerable. Recommendation is not to use global default typing 
with Jackson.

Refer following for details.

 
Source Sonatype Data Research
 
Severity Sonatype CVSS 3.0: 8.5
 
Weakness Sonatype CWE: [502|https://cwe.mitre.org/data/definitions/502.html]
 
Explanation
{{jackson-databind}} is vulnerable to Remote Code Execution (RCE). The 
{{createBeanDeserializer()}} function in the {{BeanDeserializerFactory}} class 
allows untrusted Java objects to be deserialized. A remote attacker can exploit 
this by uploading a malicious serialized object that will result in RCE if the 
application attempts to deserialize it.

Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, 
CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, and CVE-2018-7489. Evidence of 
this can be found at [https://pivotal.io/security/cve-2017-4995]:
{quote}Jackson provides a blacklisting approach to protecting against this type 
of attack, but Spring Security should be proactive against blocking unknown 
“deserialization gadgets” when Spring Security enables default typing.
{quote}
 
Detection
The application is vulnerable by using this component, when default typing is 
enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability 
([CVE-2017-4995|https://pivotal.io/security/cve-2017-4995]). If this component 
is being used as part of Spring Security, then you are not vulnerable if you 
are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 
5.0.0.M2 or greater for 5.x.
 
Recommendation
There is no non-vulnerable version of this component. We recommend 
investigating alternative components or a potential mitigating control.

Workaround: Do not use the default typing. Instead you will need to implement 
your own.
{quote}It is also possible to customize global defaulting, using 
ObjectMapper.setDefaultTyping(…) – you just have to implement your own 
TypeResolverBuilder (which is not very difficult); and by doing so, can 
actually configure all aspects of type information. Builder itself is just a 
short-cut for building actual handlers.
{quote}
 

Reference: 
[https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization]

Examples of implementing your own typing can be found by looking at [Spring 
Security's 
fix|https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439]
 or [this Stack Overflow 
article|https://stackoverflow.com/questions/12353774/how-to-customize-jackson-type-information-mechanism].
 
Categories
Data
Root Cause
tika-app-1.18.jar <= SubTypeValidator.class : [2.9.5, )
Advisories
Attack: 
[https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cv...|https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/]
Evidence: [https://pivotal.io/security/cve-2017-4995]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
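The workaround in the finding above is to leave global default typing off and, where polymorphic deserialization is genuinely needed, to plug in your own TypeResolverBuilder. The following is an added example against the jackson-databind 2.9.x API discussed here, not Tika's code: the unsafe configuration next to a resolver that applies default typing only to declared types in an assumed com.example.model package, so a field declared as Object never has its class chosen by the document. The JSON document is constructed, with a harmless JDK class standing in for a gadget.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTypeResolverBuilder;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

/** Added example (jackson-databind 2.9.x API): global default typing versus a restricted resolver. */
public class DefaultTypingHardening {

    /** The vulnerable setting: any value bound to a non-final declared type may name its own class. */
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    /**
     * Restricted resolver in the style of the Spring Security fix linked above: default typing is
     * applied only when the declared type lives in our own model package (an assumed name), so a
     * field declared as Object, Map or any other JDK type never gets its class from the document.
     */
    static class ModelOnlyTypeResolverBuilder extends DefaultTypeResolverBuilder {
        static final String MODEL_PACKAGE = "com.example.model."; // assumption for the example

        ModelOnlyTypeResolverBuilder() {
            super(DefaultTyping.NON_FINAL);
        }

        @Override
        public boolean useForType(JavaType t) {
            return t.getRawClass().getName().startsWith(MODEL_PACKAGE) && super.useForType(t);
        }
    }

    static ObjectMapper hardenedMapper() {
        // Same id kind and inclusion that enableDefaultTyping() would have set up, restricted resolver.
        TypeResolverBuilder<?> typer = new ModelOnlyTypeResolverBuilder()
                .init(JsonTypeInfo.Id.CLASS, null)
                .inclusion(JsonTypeInfo.As.PROPERTY);
        ObjectMapper m = new ObjectMapper();
        m.setDefaultTyping(typer);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed document: "@class" is attacker-controlled. HashMap stands in for a gadget class.
        String doc = "{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}";

        Object viaUnsafe = unsafeMapper().readValue(doc, Object.class);
        System.out.println("unsafe mapper instantiated " + viaUnsafe.getClass().getName());

        Object viaHardened = hardenedMapper().readValue(doc, Object.class);
        System.out.println("hardened mapper bound it to " + viaHardened.getClass().getName()
                + " and treated \"@class\" as ordinary data");
    }
}
```

The allowlist is enforced on the declared base type, and Jackson still requires the class named in the document to be assignable to that base type, so a gadget outside the model package cannot be reached through an Object or Map field. The reachability caveat raised later in this thread applies as well: if no parser on the classpath calls readValue with default typing enabled, the SubTypeValidator finding is not exploitable. From jackson-databind 2.10 the same policy can be written with activateDefaultTyping(PolymorphicTypeValidator) and BasicPolymorphicTypeValidator instead of a hand-written resolver.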


[jira] [Created] (TIKA-2716) Sonatype Nexus auditor is reporting that spring framework version used by Tika 1.18 is vulnerable

2018-08-22 Thread Abhijit Rajwade (JIRA)
Abhijit Rajwade created TIKA-2716:
-

 Summary: Sonatype Nexus auditor is reporting that spring framework 
version used by Tika 1.18 is vulnerable
 Key: TIKA-2716
 URL: https://issues.apache.org/jira/browse/TIKA-2716
 Project: Tika
  Issue Type: Bug
  Components: core
Affects Versions: 1.18
Reporter: Abhijit Rajwade


Sonatype Nexus auditor is reporting that spring framework version used by 
Apache Tika 1.18 is vulnerable. Recommendation is to upgrade to a non 
vulnerable version of Spring framework - 4.3.15/later or 5.0.5/later
 
Refer following details
 
Issue 
[CVE-2018-1270|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1270]
 
Source National Vulnerability Database
 
Severity
CVE CVSS 3.0: 9.8
CVE CVSS 2.0: 7.5
Sonatype CVSS 3.0: 9.8
 
Weakness
CVE CWE: [358|https://cwe.mitre.org/data/definitions/358.html]
 
Description from CVE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 
and older unsupported versions, allow applications to expose STOMP over 
WebSocket endpoints with a simple, in-memory STOMP broker through the 
spring-messaging module. A malicious user (or attacker) can craft a message to 
the broker that can lead to a remote code execution attack.
Explanation
The Spring Framework {{spring-messaging}} module is vulnerable to Remote Code 
Execution (RCE). The {{getMethods()}} method in the 
{{ReflectiveMethodResolver}} class, the {{canWrite}} method in the 
{{ReflectivePropertyAccessor}} class, and the {{filterSubscriptions()}} method 
in the {{DefaultSubscriptionRegistry}} class do not properly restrict SpEL 
expression evaluation. A remote attacker can exploit this vulnerability by 
crafting a request to an exposed STOMP endpoint and injecting a malicious 
payload into the {{selector}} header. The application would then execute the 
payload via a call to {{expression.getValue()}} whenever a new message is sent 
to the broker.
 
Detection
The application is vulnerable by using this component.
 
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-app-1.18.jar <= ReflectivePropertyAccessor.class : [3.0.0.RELEASE , 
4.3.15.RELEASE)
tika-app-1.18.jar <= ReflectiveMethodResolver.class : [3.0.0.RELEASE , 
4.3.15.RELEASE)
 
Advisories
Attack: [http://www.polaris-lab.com/index.php/archives/501/]
Attack: 
[https://chybeta.github.io/2018/04/07/spring-messaging-Remote...|https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution-%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/]
Project: [https://jira.spring.io/browse/SPR-16588]
 





[jira] [Created] (TIKA-2686) pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be upgraded to 2.0.11

2018-07-10 Thread Abhijit Rajwade (JIRA)
Abhijit Rajwade created TIKA-2686:
-

 Summary: pdfbox fontbox 2.0.8 has security vulnerability 
CVE-2018-8036 and should be upgraded to 2.0.11
 Key: TIKA-2686
 URL: https://issues.apache.org/jira/browse/TIKA-2686
 Project: Tika
  Issue Type: Bug
  Components: core
Affects Versions: 1.18, 1.17
Reporter: Abhijit Rajwade


Sonatype Nexus scan on Apache Tika 1.18 reports CVE-2018-8036 on pdfbox fontbox 
version 2.0.8 used by Tika 1.17

Details of the issue from Sonatype Nexus auditor are as follows.

 
Issue 
[CVE-2018-8036|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8036]
 
Source National Vulnerability Database
 
Severity Sonatype CVSS 3.0: 7.5
 
Weakness Sonatype CWE: [400|https://cwe.mitre.org/data/definitions/400.html]
 
Description from CVE:
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted 
(or fuzzed) file can trigger an infinite loop which leads to an out of memory 
exception in Apache PDFBox's AFMParser.
 
Categories Data
 
Root Cause fontbox-2.0.8.jar : [2.0.0, 2.0.11)
 
Advisories
Third Party: [https://bugzilla.redhat.com/show_bug.cgi?id=1597490]
Project: https://issues.apache.org/jira/browse/PDFBOX-4251

Sonatype recommendation is to update pdfbox fontbox to non vulnerable version 
2.0.11

Can you please update pdfbox fontbox version used by Apache Tika?

--- Abhijit Rajwade
 
 

 

 

 





[jira] [Commented] (TIKA-2802) Out of memory issues when extracting large files (pst)

2019-01-15 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2802?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16743200#comment-16743200
 ] 

Abhijit Rajwade commented on TIKA-2802:
---

In which Tika version will this get resolved?

> Out of memory issues when extracting large files (pst)
> --
>
> Key: TIKA-2802
> URL: https://issues.apache.org/jira/browse/TIKA-2802
> Project: Tika
>  Issue Type: Bug
>  Components: parser
>Affects Versions: 1.20, 1.19.1
> Environment: Reproduced on Windows 2012 R2 and Ubuntu 18.04.
> Java: jdk1.8.0_151
>  
>Reporter: Caleb Ott
>Priority: Critical
> Attachments: Selection_111.png, Selection_117.png
>
>
> I have an application that extracts text from multiple files on a file share. 
> I've been running into issues with the application running out of memory 
> (~26g dedicated to the heap).
> I found in the heap dumps there is a "fDTDDecl" buffer which is creating very 
> large char arrays and never releasing that memory. In the picture you can see 
> the heap dump with 4 SAXParsers holding onto a large chunk of memory. The 
> fourth one is expanded to show it is all being held by the "fDTDDecl" field. 
> This dump is from a scaled down execution (not a 26g heap).
> It looks like that DTD field should never be that large, I'm wondering if 
> this is a bug with xerces instead? I can easily reproduce the issue by 
> attempting to extract text from large .pst files.





[jira] [Commented] (TIKA-2717) Sonatype Nexus auditor is reporting that Jackson databind version used by Apache Tika is vulnerable

2019-01-30 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16756092#comment-16756092
 ] 

Abhijit Rajwade commented on TIKA-2717:
---

Vulnerability is reported on org.apache.tika : tika-app : 1.18 and later.

Seems tika-app is using some dependency which in turn is using Jackson.

Jackson 2.9.8 has a fix which is partial. Recommendation is not to use global 
default typing when using Jackson.

[~talli...@apache.org] hope this helps.

> Sonatype Nexus auditor is reporting that Jackson databind version used by 
> Apache Tika is vulnerable
> ---
>
> Key: TIKA-2717
> URL: https://issues.apache.org/jira/browse/TIKA-2717
> Project: Tika
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.18
>Reporter: Abhijit Rajwade
>Priority: Major
>
> Sonatype Nexus auditor is reporting that Jackson databind version used by 
> Apache Tika is vulnerable. Recommendation is not to use global default typing 
> with Jackson,
> Refer following for details.
>  
> Source Sonatype Data Research
>  
> Severity Sonatype CVSS 3.0: 8.5
>  
> Weakness Sonatype CWE: [502|https://cwe.mitre.org/data/definitions/502.html]
>  
> Explanation
> {{jackson-databind}} is vulnerable to Remote Code Execution (RCE). The 
> {{createBeanDeserializer()}} function in the {{BeanDeserializerFactory}} 
> class allows untrusted Java objects to be deserialized. A remote attacker can 
> exploit this by uploading a malicious serialized object that will result in 
> RCE if the application attempts to deserialize it.
> Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, 
> CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, and CVE-2018-7489. Evidence of 
> this can be found at [https://pivotal.io/security/cve-2017-4995]:
> {quote}Jackson provides a blacklisting approach to protecting against this 
> type of attack, but Spring Security should be proactive against blocking 
> unknown “deserialization gadgets” when Spring Security enables default typing.
> {quote}
>  
> Detection
> The application is vulnerable by using this component, when default typing is 
> enabled and passing in untrusted data to be deserialization.
> Note: Spring Security has provided their own fix for this vulnerability 
> ([CVE-2017-4995|https://pivotal.io/security/cve-2017-4995]). If this 
> component is being used as part of Spring Security, then you are not 
> vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 
> 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
>  
> Recommendation
> There is no non vulnerable version of this component. We recommend 
> investigating alternative components or a potential mitigating control.
> Workaround: Do not use the default typing. Instead you will need to implement 
> your own.
> {quote}It is also possible to customize global defaulting, using 
> ObjectMapper.setDefaultTyping(…) – you just have to implement your own 
> TypeResolverBuilder (which is not very difficult); and by doing so, can 
> actually configure all aspects of type information. Builder itself is just a 
> short-cut for building actual handlers.
> {quote}
>  
> Reference: 
> [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization]
> Examples of implementing your own typing can be found by looking at [Spring 
> Security's 
> fix|https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439]
>  or [this Stack Overflow 
> article|https://stackoverflow.com/questions/12353774/how-to-customize-jackson-type-information-mechanism].
>  
> Categories
> Data
> Root Cause
> tika-app-1.18.jar *<=* SubTypeValidator.class : [2.9.5, )
> Advisories
> Attack: 
> [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cv...|https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/]
> Evidence: [https://pivotal.io/security/cve-2017-4995]





[jira] [Comment Edited] (TIKA-2717) Sonatype Nexus auditor is reporting that Jackson databind version used by Apache Tika is vulnerable

2019-01-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16757010#comment-16757010
 ] 

Abhijit Rajwade edited comment on TIKA-2717 at 1/31/19 8:32 AM:


I checked tika-app 1.20 jar

It has following dependency.

jackson-databind ([http://github.com/FasterXML/jackson]) 
com.fasterxml.jackson.core:jackson-databind:bundle:2.9.7

This is referred in tika-parsers pom.xml

Check if you have a Tika Parser for Json that uses Jackson deserialization.

If that code does not use Global default typing, then tika-app is not 
vulnerable.

In any case it is better to upgrade to jackson-databind 2.9.8 that has the 
partial fix.

[~talli...@apache.org] hope this helps.

Updated defect to Critical.


was (Author: arajwade):
I checked tika-app 1.20 jar

It has following dependency.

jackson-databind (http://github.com/FasterXML/jackson) 
com.fasterxml.jackson.core:jackson-databind:bundle:2.9.7

This is referred in tika-parsers pom.xml

Check if you have a Tika Parser for Json that uses Jackson deserialization.

If that code does not use Global default typing, then tika-app is not 
vulnerable.

In any case it is better to upgrade to jackson-databind 2.9.8 that has the 
partial fix.

[~talli...@apache.org] hope this helps.


[jira] [Commented] (TIKA-2717) Sonatype Nexus auditor is reporting that Jackson databind version used by Apache Tika is vulnerable

2019-01-31 Thread Abhijit Rajwade (JIRA)


[ 
https://issues.apache.org/jira/browse/TIKA-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16757010#comment-16757010
 ] 

Abhijit Rajwade commented on TIKA-2717:
---

I checked tika-app 1.20 jar

It has following dependency.

jackson-databind (http://github.com/FasterXML/jackson) 
com.fasterxml.jackson.core:jackson-databind:bundle:2.9.7

This is referred in tika-parsers pom.xml

Check if you have a Tika Parser for Json that uses Jackson deserialization.

If that code does not use Global default typing, then tika-app is not 
vulnerable.

In any case it is better to upgrade to jackson-databind 2.9.8 that has the 
partial fix.

[~talli...@apache.org] hope this helps.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
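The comment above settles which jackson-databind the tika-app jar actually carries by looking inside the jar, which is the right first step for any shaded-artifact finding: Nexus reports the class it fingerprinted, not whether the shaded build still contains it. Here is an added example, not Tika's tooling, that does this for any shaded jar: it lists every META-INF/maven/<groupId>/<artifactId>/pom.properties left behind by maven-shade and tests the version against the interval notation the "Root Cause" lines use, so "[2.9.5, )" reads as 2.9.5 and everything after. Assumptions: the shade configuration kept the pom.properties files, and the simplified Maven version ordering below (numeric tokens compared numerically, a qualifier such as RC1 sorting before the bare release, RELEASE/GA/FINAL ignored). With no argument it builds a constructed sample jar holding only a jackson-databind 2.9.7 entry, the version the comment reports.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

// Added example: which Maven artifacts a shaded jar bundles, checked against Nexus-style version ranges.
public class BundledArtifacts {

    // groupId:artifactId -> version for every META-INF/maven/<g>/<a>/pom.properties in the jar.
    static Map<String, String> bundledArtifacts(Path jar) throws IOException {
        Map<String, String> found = new TreeMap<>();
        try (ZipFile zf = new ZipFile(jar.toFile())) {
            for (Enumeration<? extends ZipEntry> en = zf.entries(); en.hasMoreElements();) {
                ZipEntry e = en.nextElement();
                String name = e.getName();
                if (!name.startsWith("META-INF/maven/") || !name.endsWith("/pom.properties")) continue;
                Properties p = new Properties();
                try (InputStream in = zf.getInputStream(e)) { p.load(in); }
                found.put(p.getProperty("groupId") + ":" + p.getProperty("artifactId"), p.getProperty("version"));
            }
        }
        return found;
    }

    // Interval notation from the "Root Cause" lines: [lo, hi), [lo, ), (lo, hi] ... An empty bound is open.
    static boolean inRange(String version, String range) {
        String r = range.trim();
        boolean loInclusive = r.charAt(0) == '[';
        boolean hiInclusive = r.charAt(r.length() - 1) == ']';
        String[] bounds = r.substring(1, r.length() - 1).split(",", -1);
        String lo = bounds[0].trim();
        String hi = bounds.length > 1 ? bounds[1].trim() : "";
        boolean aboveLo = lo.isEmpty() || (loInclusive ? compare(version, lo) >= 0 : compare(version, lo) > 0);
        boolean belowHi = hi.isEmpty() || (hiInclusive ? compare(version, hi) <= 0 : compare(version, hi) < 0);
        return aboveLo && belowHi;
    }

    // Simplified Maven ordering: numeric tokens compare numerically, a qualifier (RC1) sorts below the
    // bare release, an extra numeric token sorts above it, RELEASE/GA/FINAL are ignored.
    static int compare(String a, String b) {
        List<String> ta = tokens(a), tb = tokens(b);
        for (int i = 0; i < Math.max(ta.size(), tb.size()); i++) {
            String x = i < ta.size() ? ta.get(i) : null;
            String y = i < tb.size() ? tb.get(i) : null;
            if (x == null) return isNumeric(y) ? -1 : 1;
            if (y == null) return isNumeric(x) ? 1 : -1;
            int c;
            if (isNumeric(x) && isNumeric(y)) c = Long.compare(Long.parseLong(x), Long.parseLong(y));
            else if (isNumeric(x)) c = 1;
            else if (isNumeric(y)) c = -1;
            else c = x.compareToIgnoreCase(y);
            if (c != 0) return c;
        }
        return 0;
    }

    static List<String> tokens(String v) {
        List<String> out = new ArrayList<>();
        for (String t : v.trim().split("[.\\-]")) {
            if (t.isEmpty() || t.equalsIgnoreCase("RELEASE") || t.equalsIgnoreCase("GA")
                    || t.equalsIgnoreCase("FINAL")) continue;
            out.add(t);
        }
        return out;
    }

    static boolean isNumeric(String s) { return s.matches("\\d+"); }

    // Constructed sample jar, not a Tika build: one shaded dependency, jackson-databind 2.9.7.
    static Path sampleJar() throws IOException {
        Path jar = Files.createTempFile("sample-app", ".jar");
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new ZipEntry("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"));
            out.write("groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.9.7\n"
                    .getBytes(StandardCharsets.ISO_8859_1));
            out.closeEntry();
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        Path jar = args.length > 0 ? Paths.get(args[0]) : sampleJar();
        // Root-cause ranges copied from the findings in this thread.
        Map<String, String> findings = new LinkedHashMap<>();
        findings.put("com.fasterxml.jackson.core:jackson-databind", "[2.9.5, )");
        findings.put("org.apache.pdfbox:fontbox", "[2.0.0, 2.0.11)");
        for (Map.Entry<String, String> a : bundledArtifacts(jar).entrySet()) {
            String range = findings.get(a.getKey());
            String verdict = range == null ? "no finding"
                    : inRange(a.getValue(), range) ? "IN " + range : "outside " + range;
            System.out.println(a.getKey() + ":" + a.getValue() + "  " + verdict);
        }
    }
}
```

Run it as "java BundledArtifacts tika-app-1.20.jar" to get the real list. A version inside the range confirms the scanner's fingerprint; it does not by itself say the code is reachable, which for the jackson-databind finding still turns on whether any parser enables default typing, as the comment above notes.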


[jira] [Updated] (TIKA-2717) Sonatype Nexus auditor is reporting that Jackson databind version used by Apache Tika is vulnerable

2019-01-31 Thread Abhijit Rajwade (JIRA)


 [ 
https://issues.apache.org/jira/browse/TIKA-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhijit Rajwade updated TIKA-2717:
--
Priority: Critical  (was: Major)

> Sonatype Nexus auditor is reporting that Jackson databind version used by 
> Apache Tika is vulnerable
> ---
>
> Key: TIKA-2717
> URL: https://issues.apache.org/jira/browse/TIKA-2717
> Project: Tika
>  Issue Type: Bug
>  Components: core
>Affects Versions: 1.18
>Reporter: Abhijit Rajwade
>Priority: Critical
>
> Sonatype Nexus auditor is reporting that Jackson databind version used by 
> Apache Tika is vulnerable. Recommendation is not to use global default typing 
> with Jackson,
> Refer following for details.
>  
> Source Sonatype Data Research
>  
> Severity Sonatype CVSS 3.0: 8.5
>  
> Weakness Sonatype CWE: [502|https://cwe.mitre.org/data/definitions/502.html]
>  
> Explanation
> {{jackson-databind}} is vulnerable to Remote Code Execution (RCE). The 
> {{createBeanDeserializer()}} function in the {{BeanDeserializerFactory}} 
> class allows untrusted Java objects to be deserialized. A remote attacker can 
> exploit this by uploading a malicious serialized object that will result in 
> RCE if the application attempts to deserialize it.
> Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, 
> CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, and CVE-2018-7489. Evidence of 
> this can be found at [https://pivotal.io/security/cve-2017-4995]:
> {quote}Jackson provides a blacklisting approach to protecting against this 
> type of attack, but Spring Security should be proactive against blocking 
> unknown “deserialization gadgets” when Spring Security enables default typing.
> {quote}
>  
> Detection
> The application is vulnerable by using this component when default typing is 
> enabled and untrusted data is passed in to be deserialized.
> Note: Spring Security has provided their own fix for this vulnerability 
> ([CVE-2017-4995|https://pivotal.io/security/cve-2017-4995]). If this 
> component is being used as part of Spring Security, then you are not 
> vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 
> 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
>  
> Recommendation
> There is no non-vulnerable version of this component. We recommend 
> investigating alternative components or a potential mitigating control.
> Workaround: Do not use the default typing. Instead, you will need to implement 
> your own.
> {quote}It is also possible to customize global defaulting, using 
> ObjectMapper.setDefaultTyping(…) – you just have to implement your own 
> TypeResolverBuilder (which is not very difficult); and by doing so, can 
> actually configure all aspects of type information. Builder itself is just a 
> short-cut for building actual handlers.
> {quote}
>  
> Reference: 
> [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization]
> Examples of implementing your own typing can be found by looking at [Spring 
> Security's 
> fix|https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439]
>  or [this Stack Overflow 
> article|https://stackoverflow.com/questions/12353774/how-to-customize-jackson-type-information-mechanism].
>  
> Categories
> Data
> Root Cause
> tika-app-1.18.jar *<=* SubTypeValidator.class : [2.9.5, )
> Advisories
> Attack: 
> [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cv...|https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/]
> Evidence: [https://pivotal.io/security/cve-2017-4995]





[jira] [Created] (TIKA-2855) pdfbox version used by both Apache Tika 1.19.1 and 1.20 is vulnerable

2019-04-18 Thread Abhijit Rajwade (JIRA)
Abhijit Rajwade created TIKA-2855:
-

 Summary: pdfbox version used by both Apache Tika 1.19.1 and 1.20 
is vulnerable
 Key: TIKA-2855
 URL: https://issues.apache.org/jira/browse/TIKA-2855
 Project: Tika
  Issue Type: Bug
  Components: core
Affects Versions: 1.19.1
Reporter: Abhijit Rajwade


As per Sonatype Nexus Auditor, pdfbox versions up to 2.0.14 are vulnerable to
"CVE-2019-0228: possible XML External Entity (XXE) attack".

The recommended fix is to upgrade to pdfbox version 2.0.15.
Refer to the following pdfbox issue,
  https://issues.apache.org/jira/browse/PDFBOX-4505 
which is fixed in version 2.0.15.

Can you please upgrade Apache Tika to use pdfbox 2.0.15?

Following are details from the Sonatype Nexus scan report

Issue: CVE-2019-0228 
Severity: Sonatype CVSS 3.0: 7.3 
Weakness: Sonatype CWE: 611 
Source: National Vulnerability Database 
Categories: Data 

Description from CVE: apache pdfbox - XML External Entity (XXE) 
Root Cause: pdfbox-2.0.12.jar : ( , 2.0.15) 
Advisories:
Project: https://github.com/apache/pdfbox-docs/commit/b7869c3e4c62c5d...
Project: https://issues.apache.org/jira/browse/PDFBOX-4505
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1699740 
CVSS Details:
Sonatype CVSS 3.0: 7.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 






[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16953702#comment-16953702
 ] 

Abhijit Rajwade commented on TIKA-2890:
---

Tim

We are currently using Apache Tika 1.22 released version.

I share the same frustration as you: the security recommendations keep on 
changing daily and we have to keep pace with them.

Jackson 2.10.0 has a longer-lasting fix for the known polymorphic typing 
vulnerability / global default typing.
It would be better if you update Jackson to 2.10.0.

Yes, you can do it just before release to make sure no newer recommendation comes 
for Jackson.


> Critical security vulnerability in dependencies
> --
>
> Key: TIKA-2890
> URL: https://issues.apache.org/jira/browse/TIKA-2890
> Project: Tika
>  Issue Type: Improvement
>  Components: parser
>Affects Versions: 1.21
>Reporter: Kyle DuPont
>Priority: Major
> Fix For: 1.23
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> The parser dependency jackson-databind:2.9.8 has a critical vulnerability as 
> per:
> [https://ossindex.sonatype.org/vuln/5bbadb96-496f-4534-a513-7a6396f54029]
> This should be bumped to >2.9.9 to resolve this vulnerability.





[jira] [Comment Edited] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16953492#comment-16953492
 ] 

Abhijit Rajwade edited comment on TIKA-2890 at 10/17/19 8:21 AM:
-

[~hudson]
Jackson version 2.10.0 has a fix for the long-standing vulnerability with 
global default typing / polymorphic deserialization.

Refer to the following links for more info:
  https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2 
  https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10

Can you please upgrade to Jackson 2.10.0?



was (Author: arajwade):
Jackson version 2.10.0 has a fix for the long-standing vulnerability with 
global default typing / polymorphic deserialization.

Refer to the following links for more info:
  https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2 
  https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10

Can you please upgrade to Jackson 2.10.0?







[jira] [Commented] (TIKA-2890) Critical security vulnerability in dependencies

2019-10-17 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16953492#comment-16953492
 ] 

Abhijit Rajwade commented on TIKA-2890:
---

Jackson version 2.10.0 has a fix for the long-standing vulnerability with 
global default typing / polymorphic deserialization.

Refer to the following links for more info:
  https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2 
  https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10

Can you please upgrade to Jackson 2.10.0?





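The Jackson 2.10 change requested in this comment (and the "implement your own typing" workaround quoted in the TIKA-2717 report earlier in the thread) replaces blanket global default typing with an allow-list enforced by a PolymorphicTypeValidator. The block below is an added illustration, not code from Tika, Jackson or this thread; the Shape/Circle model and the allow-list prefix are hypothetical, and it assumes jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical application model; the only polymorphic types we intend to accept.
    public interface Shape { double area(); }

    public static class Circle implements Shape {   // non-final, so NON_FINAL typing applies
        public double r;
        public Circle() { }
        public Circle(double r) { this.r = r; }
        public double area() { return Math.PI * r * r; }
    }

    /** Pre-2.10 style: global default typing with no validator (the configuration flagged by the scanner). */
    @SuppressWarnings("deprecation")
    public static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        // Any class named in the JSON type id is resolved and instantiated; the only
        // guard is jackson-databind's denylist of already-known gadget classes.
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Jackson 2.10+ style: default typing can only be activated together with an allow-list. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // Only subtypes nested in this class (name prefix "DefaultTypingExample$") may be created.
                .allowIfSubType(DefaultTypingExample.class.getName() + "$")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();

        // Round-trip a legitimate value: the type id is written as a wrapper array,
        // e.g. ["DefaultTypingExample$Circle",{"r":1.0}], and accepted on the way back.
        String json = safe.writeValueAsString(new Circle(1.0));
        Shape back = safe.readValue(json, Shape.class);
        System.out.println(json + " -> area " + back.area());

        // Constructed input naming a class outside the allow-list. It is an ordinary
        // JDK type, not a gadget; the point is that the type id is refused before
        // any instance is created, whatever class it names.
        String foreign = "[\"java.util.HashMap\",{}]";
        try {
            safe.readValue(foreign, Object.class);
            System.out.println("unexpected: foreign type id accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Running the same two inputs through unsafeMapper() instead would accept the foreign type id, which is exactly why the scanner keeps flagging the pre-2.10 configuration regardless of the denylist version.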


[jira] [Commented] (TIKA-2952) Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.

2020-01-21 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17020833#comment-17020833
 ] 

Abhijit Rajwade commented on TIKA-2952:
---

[~tallison] [~stappe2019]
I see that for CVE-2019-14262 in com.drewnoakes : metadata-extractor : 2.11.0, 
there is a fix done for the Java side
 https://github.com/drewnoakes/metadata-extractor/pull/420 
which fixes the issue reported in
 https://github.com/drewnoakes/metadata-extractor/issues/419

There is a new drewnoakes metadata-extractor release 
  https://github.com/drewnoakes/metadata-extractor/releases/tag/2.13.0
that has the PR #420 fix.

Can you please double check this?

If the above information is correct, this issue can be resolved by upgrading 
metadata-extractor to version 2.13 in the next Apache Tika release.



> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---
>
> Key: TIKA-2952
> URL: https://issues.apache.org/jira/browse/TIKA-2952
> Project: Tika
>  Issue Type: Bug
>Reporter: Aman Mishra
>Priority: Major
>
> We can see that metadata-extractor with version 2.11.0 is present in 
> tika-bundle 1.22 jar. We can see that even latest metadata-extractor with 
> version 2.12.0 is also vulnerable.
>  
> So please confirm from your side whether this vulnerability [CVE-2019-14262] is 
> impacting Tika or not.





[jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571

2019-12-26 Thread Abhijit Rajwade (Jira)
Abhijit Rajwade created TIKA-3018:
-

 Summary: log4j 1.2 version used by Apache Tika 1.23 is vulnerable 
to CVE-2019-17571
 Key: TIKA-3018
 URL: https://issues.apache.org/jira/browse/TIKA-3018
 Project: Tika
  Issue Type: Bug
  Components: core
Affects Versions: 1.23
Reporter: Abhijit Rajwade


Sonatype Nexus auditor is reporting the following log4j-related security issue on 
Apache Tika 1.23.

The recommendation is to use org.apache.logging.log4j:log4j-core version(s) 2.8.2 
and above. Can you please check if Apache Tika is vulnerable and, if so, upgrade 
based on the recommendation?

Description

Description from CVE
Included in Log4j 1.2 is a SocketServer class that is vulnerable to 
deserialization of untrusted data which can be exploited to remotely execute 
arbitrary code when combined with a deserialization gadget when listening to 
untrusted network traffic for log data. This affects Log4j versions up to 1.2 
up to 1.2.17. 

Explanation

The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to 
Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy 
methods in SocketServer.class do not verify if the file at a given file path 
contains any untrusted objects prior to deserializing them. A remote attacker 
can exploit this vulnerability by providing a path to crafted files, which 
result in arbitrary code execution when deserialized.

NOTE: Starting with version(s) 2.x, log4j:log4j was relocated to 
org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists 
in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but 
excluding 2.8.2.
Detection

The application is vulnerable by using this component.

Recommendation

Starting with version(s) 2.x, log4j:log4j was relocated to 
org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists 
in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but 
excluding 2.8.2. Therefore, it is recommended to upgrade to 
org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. For log4j:log4j 
1.x versions however, a fix does not exist.
Root Cause
tika-app-1.23.jar <= org/apache/log4j/net/SocketServer.class : (,) 

Advisories
Project: https://issues.apache.org/jira/browse/LOG4J2-1863
Project: https://lists.apache.org/thread.html/84cc4266238e057b95eb95d…
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1785616 

CVSS Details
Sonatype CVSS 3: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 







[jira] [Commented] (TIKA-3094) Apache Tika fails to extract text for pptx extension.

2020-04-29 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17095133#comment-17095133
 ] 

Abhijit Rajwade commented on TIKA-3094:
---

I am working with [~abchauha] on this issue.

One question.
I do not see reference to SparseBitSet in Tika 1.24 sources.
Is it required because Tika 1.24 uses POI 4.1.2 and POI added dependency on 
SparseBitSet 1.2?

> Apache Tika fails to extract text for pptx extension.
> -
>
> Key: TIKA-3094
> URL: https://issues.apache.org/jira/browse/TIKA-3094
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.24
>Reporter: Abhishek Chauhan
>Priority: Major
> Attachments: Sample PPT.pptx
>
>
> This is a regression from the 1.23 version of Apache Tika. Text extraction for .pptx 
> extensions, which was working earlier with Apache Tika 1.23, is no longer 
> working in the 1.24 version.
> For the .ppt extension it is working fine in both 1.23 and 1.24.
>  
> As I referred to the release notes [https://tika.apache.org/1.24/index.html], you 
> have updated the POI to 4.1.2. That might be the root cause of this problem. 
> POI requires [https://mvnrepository.com/artifact/com.zaxxer/SparseBitSet/1.2] 
> which is not present in the bundle, I guess.
>  
>  





[jira] [Comment Edited] (TIKA-3094) Apache Tika fails to extract text for pptx extension.

2020-04-29 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17095133#comment-17095133
 ] 

Abhijit Rajwade edited comment on TIKA-3094 at 4/29/20, 7:37 AM:
-

I am working with [~abchauha] on this issue.

One question.
I do not see reference to SparseBitSet in Tika 1.24 sources.
Is it required because Tika 1.24 uses POI 4.1.2 and POI added dependency on 
SparseBitSet 1.2?

Does the same issue exist with Tika 1.24.1 as well?


was (Author: arajwade):
I am working with [~abchauha] on this issue.

One question.
I do not see reference to SparseBitSet in Tika 1.24 sources.
Is it required because Tika 1.24 uses POI 4.1.2 and POI added dependency on 
SparseBitSet 1.2?






[jira] [Commented] (TIKA-3094) Apache Tika fails to extract text for pptx extension.

2020-04-30 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17096324#comment-17096324
 ] 

Abhijit Rajwade commented on TIKA-3094:
---

Yes [~bob] thanks a lot for the prompt fix.

> Apache Tika fails to extract text for pptx extension.
> -
>
> Key: TIKA-3094
> URL: https://issues.apache.org/jira/browse/TIKA-3094
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.24
>Reporter: Abhishek Chauhan
>Assignee: Bob Paulin
>Priority: Major
> Attachments: Sample PPT.pptx
>
>
> This is a regression from the 1.23 version of Apache Tika. Text extraction for .pptx 
> extensions, which was working earlier with Apache Tika 1.23, is no longer 
> working in the 1.24 version.
> For the .ppt extension it is working fine in both 1.23 and 1.24.
>  
> As I referred to the release notes [https://tika.apache.org/1.24/index.html], you 
> have updated the POI to 4.1.2. That might be the root cause of this problem. 
> POI requires [https://mvnrepository.com/artifact/com.zaxxer/SparseBitSet/1.2] 
> which is not present in the bundle, I guess.
>  
>  





[jira] [Commented] (TIKA-3094) Apache Tika fails to extract text for pptx extension.

2020-09-30 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17204502#comment-17204502
 ] 

Abhijit Rajwade commented on TIKA-3094:
---

[~tallison]  [~bob] [~hudson]
I don't know if this issue is resolved.
Did this get fixed and if so which Tika version will have this fix?

> Apache Tika fails to extract text for pptx extension.
> -
>
> Key: TIKA-3094
> URL: https://issues.apache.org/jira/browse/TIKA-3094
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.24, 1.24.1
>Reporter: Abhishek Chauhan
>Assignee: Bob Paulin
>Priority: Critical
> Attachments: Sample PPT.pptx
>
>
> This is a regression from the 1.23 version of Apache Tika. Text extraction for .pptx 
> extensions, which was working earlier with Apache Tika 1.23, is no longer 
> working in the 1.24 version.
> For the .ppt extension it is working fine in both 1.23 and 1.24.
>  
> As I referred to the release notes [https://tika.apache.org/1.24/index.html], you 
> have updated the POI to 4.1.2. That might be the root cause of this problem. 
> POI requires [https://mvnrepository.com/artifact/com.zaxxer/SparseBitSet/1.2] 
> which is not present in the bundle, I guess.
>  
>  





[jira] [Commented] (TIKA-3616) Upgrade log4j2

2021-12-13 Thread Abhijit Rajwade (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458246#comment-17458246
 ] 

Abhijit Rajwade commented on TIKA-3616:
---

What is the release date of version 2.1.1?

> Upgrade log4j2
> --
>
> Key: TIKA-3616
> URL: https://issues.apache.org/jira/browse/TIKA-3616
> Project: Tika
>  Issue Type: Task
>Reporter: Tim Allison
>Priority: Major
> Fix For: 2.1.1
>
>
> RCE...might be difficult to trigger in Tika, but why ask for a PoC...
> This only affects 2.x.  We were still using the old log4j in 1.x


