Abhijit Rajwade created TIKA-2499: ------------------------------------- Summary: Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of vulnerable Third party components. Key: TIKA-2499 URL: https://issues.apache.org/jira/browse/TIKA-2499 Project: Tika Issue Type: Bug Affects Versions: 1.13 Reporter: Abhijit Rajwade
Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of vulnerable Third party components. Sr No Vulnerability ID Description from Nexus Auditor Vulnerable Third party component Fixed Third party component 1 SONATYPE-2017-0355 Source Sonatype Data Research Severity Sonatype CVSS 3.0: 7.5 Weakness Sonatype CWE: 20 Explanation jackson-core is vulnerable to Denial of Service (DoS). The _reportInvalidToken() function in the UTF8StreamJsonParser and ReaderBasedJsonParser classes allows large amounts of extraneous data to be printed to the server log. An attacker can exploit this vulnerability by crafting a POST request containing large amounts of data. When the data contains invalid JSON, an exception is thrown, which results in the consumption of available disk space when the error message is written to server.log along with the request data. Detection The application is vulnerable by using this component. Recommendation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Categories Data Root Cause tika-app-1.13.jar <= ReaderBasedJsonParser.class : [2.0.0-RC1, 2.8.6) tika-app-1.13.jar <= UTF8StreamJsonParser.class : [2.0.0-RC1, 2.8.6) Advisories Attack: https://issues.jboss.org/browse/JBEAP-6316 Project: https://github.com/FasterXML/jackson-core/pull/322 Jackson Fixed version: Jackson 2.8.6 or later 2 SONATYPE-2017-0359 Source Sonatype Data Research Severity Sonatype CVSS 3.0: 7.5 Weakness Sonatype CWE: 22 Explanation The Apache httpcomponents component is vulnerable to Directory Traversal. The normalizePath() function in the URIBuilder class allows directory traversal characters such as ../. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure. Detection The application is vulnerable by using this component. Recommendation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Categories Data Root Cause tika-app-1.13.jar <= URIBuilder.class : [4.2.1-RC1, 4.5.3) Advisories Project: https://issues.apache.org/jira/browse/HTTPCLIENT-1803 Apache httpcomponents Fixed Version: Apache httpcomponents 4.5.3 or later 3 CVE-2017-12620 Issue CVE-2017-12620 Source National Vulnerability Database Severity Sonatype CVSS 3.0: 7.3 Weakness Sonatype CWE: 611 Description from CVE When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected. Explanation Apache OpenNLP is vulnerable to XML External Entity (XXE) attack. The constructor in the ConstitParseSampleStream class, createDOM() function in the GeneratorFactory class, and the parse() function in the IrishSentenceBankDocument and LetsmtDocument classes allows unsafe external entities when processing XML data from models and dictionaries. A remote attacker can exploit this by submitting specially crafted XML, which can potentially lead to Denial of Service, Information Disclosure, or other attacks. Advisory Deviation Notice The Sonatype security research team discovered that the vulnerability is present in version 1.5.2-incubating-rc1 until 1.8.2, not in all the versions from 1.5.0 till 1.8.2 as the advisory states. Detection The application is vulnerable by using this component. Recommendation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Categories Data Root Cause tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= ConstitParseSampleStream.class : [1.5.3-rc1, 1.7.1) tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= GeneratorFactory.class : [1.5.3-rc1, 1.7.1) Advisories Project: http://opennlp.apache.org/news/cve-2017-12620.html Close Apache OpenNLP Fixed version: Apache OpenNLP 1.8.2 or later 4 SONATYPE-2016-0398 Source Sonatype Data Research Severity Sonatype CVSS 3.0: 7.5 Weakness Sonatype CWE: 22 Explanation Plexus Utils is vulnerable to Directory Traversal. The extractFile() function in the Expand class allows directory traversal characters such as ../ via the entryName parameter. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure. Detection The application is vulnerable by using this component. Recommendation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Categories Data Root Cause tika-app-1.13.jar <= Expand.class : ( , 3.0.24) Advisories Third Party: https://github.com/sonatype/plexus-utils/issues/20 Plexus Utils Fixed version: Most likely Plexus Utils 3.0.24 or later Can we please have Apach Tika release an updated version that uses the fixed Third party components? Thx & Regards. --- Abhijit Rajwade BMC Software -- This message was sent by Atlassian JIRA (v6.4.14#64029)