[jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
[ https://issues.apache.org/jira/browse/TIKA-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantin Gribov closed TIKA-3018.
---

> log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
> --
>
>                 Key: TIKA-3018
>                 URL: https://issues.apache.org/jira/browse/TIKA-3018
>             Project: Tika
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.23
>            Reporter: Abhijit Rajwade
>            Priority: Major
>
> Sonatype Nexus auditor is reporting the following log4j related security issue on
> Apache Tika 1.23.
> Recommendation is to use org.apache.logging.log4j:log4j-core version(s) 2.8.2
> and above. Can you please check if Apache Tika is vulnerable and if so upgrade
> based on the recommendation?
>
> Description
>
> Description from CVE
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely execute
> arbitrary code when combined with a deserialization gadget when listening to
> untrusted network traffic for log data. This affects Log4j versions up to 1.2
> up to 1.2.17.
>
> Explanation
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due
> to Deserialization of Untrusted Data. The configureHierarchy and
> genericHierarchy methods in SocketServer.class do not verify if the file at a
> given file path contains any untrusted objects prior to deserializing them. A
> remote attacker can exploit this vulnerability by providing a path to crafted
> files, which results in arbitrary code execution when deserialized.
> NOTE: Starting with version(s) 2.x, log4j:log4j was relocated to
> org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists
> in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to
> but excluding 2.8.2.
>
> Detection
> The application is vulnerable by using this component.
>
> Recommendation
> Starting with version(s) 2.x, log4j:log4j was relocated to
> org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists
> in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to
> but excluding 2.8.2. Therefore, it is recommended to upgrade to
> org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. For
> log4j:log4j 1.x versions however, a fix does not exist.
>
> Root Cause
> tika-app-1.23.jar <= org/apache/log4j/net/SocketServer.class : (,)
>
> Advisories
> Project: https://issues.apache.org/jira/browse/LOG4J2-1863
> Project: https://lists.apache.org/thread.html/84cc4266238e057b95eb95d…
> Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1785616
>
> CVSS Details
> Sonatype CVSS 3: 9.8
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
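The "Root Cause" line above says the scanner flagged tika-app-1.23.jar because the fat jar bundles org/apache/log4j/net/SocketServer.class. The following added example (not part of the Jira issue or of Tika) shows how to reproduce that finding offline: it opens a jar, descends into nested jars, and reports every path at which the log4j 1.2 SocketServer class occurs. The jars it inspects are constructed in memory, not real Tika artifacts.

```python
import io
import zipfile

# Class path named in the issue's "Root Cause" line. Its presence in a jar
# (including a shaded fat jar such as tika-app) means the log4j 1.2 code that
# CVE-2019-17571 concerns is bundled on the classpath.
VULNERABLE_CLASS = "org/apache/log4j/net/SocketServer.class"


def find_vulnerable_entries(jar_bytes, prefix=""):
    """Return the paths at which VULNERABLE_CLASS occurs in a jar.

    Nested jars (e.g. WEB-INF/lib/*.jar) are searched too, so both shaded
    copies and bundled log4j-1.2.x.jar files are reported. Paths inside a
    nested jar are written as outer.jar!inner.jar!path/to/Class.class.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == VULNERABLE_CLASS:
                hits.append(prefix + name)
            elif name.endswith(".jar"):
                hits.extend(find_vulnerable_entries(zf.read(name), prefix + name + "!"))
    return hits


def build_sample_jar(entries):
    """Constructed fixture helper: build an in-memory jar from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures (placeholder class bytes, not real Tika or log4j jars):
# a shaded jar bundling the class directly, a webapp-style jar bundling a
# log4j 1.2 jar inside, and a jar that only carries log4j-core 2.x classes.
SHADED_JAR = build_sample_jar({
    "org/apache/tika/Tika.class": b"\xca\xfe\xba\xbe",
    VULNERABLE_CLASS: b"\xca\xfe\xba\xbe",
})
NESTED_JAR = build_sample_jar({
    "WEB-INF/lib/log4j-1.2.17.jar": build_sample_jar({VULNERABLE_CLASS: b"\xca\xfe\xba\xbe"}),
})
CLEAN_JAR = build_sample_jar({"org/apache/logging/log4j/core/Core.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    for label, jar in (("shaded", SHADED_JAR), ("nested", NESTED_JAR), ("clean", CLEAN_JAR)):
        print(label, find_vulnerable_entries(jar) or "no log4j 1.2 SocketServer found")
```

A hit confirms only that the component is bundled, which is what the scanner's "Detection" line keys on; whether a given deployment actually runs SocketServer against network input, and is therefore exposed, has to be checked separately.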
[jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
[ https://issues.apache.org/jira/browse/TIKA-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantin Gribov resolved TIKA-3018.
-
    Resolution: Duplicate

> log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
> --
>
>                 Key: TIKA-3018
>                 URL: https://issues.apache.org/jira/browse/TIKA-3018
>             Project: Tika
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.23
>            Reporter: Abhijit Rajwade
>            Priority: Major
Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
On 2019/12/26 10:44:00, "Abhijit Rajwade (Jira)" wrote:
>
> [ https://issues.apache.org/jira/browse/TIKA-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17003573#comment-17003573 ]
>
> Abhijit Rajwade commented on TIKA-3018:
> ---
>
> Issue is reported on org.apache.tika : tika-app : 1.23
>
> > log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
> > --
> >
> >                 Key: TIKA-3018
> >                 URL: https://issues.apache.org/jira/browse/TIKA-3018
> >             Project: Tika
> >          Issue Type: Bug
> >          Components: core
> >    Affects Versions: 1.23
> >            Reporter: Abhijit Rajwade
> >            Priority: Major