Abhijit Rajwade created TIKA-3018:
-------------------------------------

             Summary: log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
                 Key: TIKA-3018
                 URL: https://issues.apache.org/jira/browse/TIKA-3018
             Project: Tika
          Issue Type: Bug
          Components: core
    Affects Versions: 1.23
            Reporter: Abhijit Rajwade


Sonatype Nexus auditor is reporting the following log4j-related security issue on 
Apache Tika 1.23.

Recommendation is to use org.apache.logging.log4j:log4j-core version(s) 2.8.2 
and above. Can you please check whether Apache Tika is vulnerable and, if so, 
upgrade based on the recommendation?

Description

Description from CVE
    Included in Log4j 1.2 is a SocketServer class that is vulnerable to 
deserialization of untrusted data which can be exploited to remotely execute 
arbitrary code when combined with a deserialization gadget when listening to 
untrusted network traffic for log data. This affects Log4j versions up to 1.2 
up to 1.2.17. 

Explanation

    The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to 
Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy 
methods in SocketServer.class do not verify if the file at a given file path 
contains any untrusted objects prior to deserializing them. A remote attacker 
can exploit this vulnerability by providing a path to crafted files, which 
result in arbitrary code execution when deserialized.

    NOTE: Starting with version(s) 2.x, log4j:log4j was relocated to 
org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists 
in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but 
excluding 2.8.2.

Detection

    The application is vulnerable by using this component.

Recommendation

    Starting with version(s) 2.x, log4j:log4j was relocated to 
org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists 
in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but 
excluding 2.8.2. Therefore, it is recommended to upgrade to 
org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. For log4j:log4j 
1.x versions however, a fix does not exist.

Root Cause

    tika-app-1.23.jar <= org/apache/log4j/net/SocketServer.class : (,) 

Advisories
    Project: https://issues.apache.org/jira/browse/LOG4J2-1863
    Project: https://lists.apache.org/thread.html/84cc4266238e057b95eb95d…
    Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1785616 

CVSS Details
    Sonatype CVSS 3: 9.8
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
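The scanner's "Root Cause" line above names the concrete evidence: a bundled `org/apache/log4j/net/SocketServer.class` inside the shaded `tika-app-1.23.jar`. The following script is an added example, not code from this ticket, from Sonatype or from the Tika project; it reproduces that check offline so a build pipeline can confirm whether a given jar (or any jar nested inside it) still ships the log4j 1.x class, and reads the log4j 1.x version from Maven's `pom.properties` when present. The in-memory sample jars and their contents are constructed for the demonstration.

```python
import io
import sys
import zipfile

# Class file named under "Root Cause" in the ticket (log4j 1.x SocketServer).
VULNERABLE_CLASSES = frozenset({"org/apache/log4j/net/SocketServer.class"})
# Maven metadata path a bundled log4j 1.x jar normally carries (assumed layout).
LOG4J1_POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"


def scan_jar_bytes(jar_bytes, prefix=""):
    """Return the locations of known-vulnerable classes and any log4j 1.x
    versions declared in pom.properties. Nested jars are scanned recursively
    so fat/shaded jars like tika-app are covered."""
    report = {"classes": [], "versions": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name in VULNERABLE_CLASSES:
                report["classes"].append(prefix + name)
            elif name == LOG4J1_POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        report["versions"].append(line.split("=", 1)[1].strip())
            elif name.endswith(".jar"):
                # Recurse into a nested jar; "outer.jar!/inner/path" mirrors the
                # notation Java tooling uses for entries inside jars.
                nested = scan_jar_bytes(zf.read(name), prefix=prefix + name + "!/")
                report["classes"].extend(nested["classes"])
                report["versions"].extend(nested["versions"])
    return report


def scan_jar_file(path):
    """Scan a jar on disk and return the same report structure."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def is_affected(report):
    """Affected if the SocketServer class is present or a log4j 1.x version is bundled."""
    return bool(report["classes"]) or any(v.startswith("1.") for v in report["versions"])


def _make_jar(entries):
    """Build an in-memory jar (a zip) from {entry_name: bytes}. Constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not real artifacts: a fat jar bundling log4j 1.2.17 classes
# directly, a jar that nests a log4j jar under lib/, and a jar without log4j 1.x.
FAT_JAR = _make_jar({
    "org/apache/log4j/net/SocketServer.class": b"\xca\xfe\xba\xbe",
    LOG4J1_POM_PROPS: b"version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
    "org/apache/tika/Tika.class": b"\xca\xfe\xba\xbe",
})
NESTED_JAR = _make_jar({
    "lib/log4j-1.2.17.jar": _make_jar(
        {"org/apache/log4j/net/SocketServer.class": b"\xca\xfe\xba\xbe"}
    ),
})
CLEAN_JAR = _make_jar({"org/apache/tika/Tika.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    # Usage: python scan_log4j1.py tika-app-1.23.jar [more.jar ...]
    for path in sys.argv[1:]:
        rep = scan_jar_file(path)
        status = "AFFECTED" if is_affected(rep) else "no log4j 1.x found"
        print(f"{path}: {status} classes={rep['classes']} versions={rep['versions']}")
```

The check is deliberately presence-based, matching the scanner's own "vulnerable by using this component" logic: it does not try to determine whether the application ever starts `SocketServer`, because the remediation the ticket asks for (dropping log4j 1.x in favour of log4j-core 2.8.2 or later) is the same either way. Re-running the script against the rebuilt jar is the quickest way to verify that the dependency actually left the artifact, which a `pom.xml` edit alone does not guarantee for a shaded build.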
--
This message was sent by Atlassian Jira
(v8.3.4#803005)