Abhijit Rajwade created TIKA-2499:
-------------------------------------

             Summary: Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of vulnerable Third party components.
                 Key: TIKA-2499
                 URL: https://issues.apache.org/jira/browse/TIKA-2499
             Project: Tika
          Issue Type: Bug
    Affects Versions: 1.13
            Reporter: Abhijit Rajwade


Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of 
vulnerable Third party components.

Columns for each entry below: Sr No | Vulnerability ID | Description from Nexus Auditor | Vulnerable Third party component | Fixed Third party component

1       SONATYPE-2017-0355      Source Sonatype Data Research
Severity Sonatype CVSS 3.0: 7.5
Weakness Sonatype CWE: 20

Explanation
jackson-core is vulnerable to Denial of Service (DoS). The 
_reportInvalidToken() function in the UTF8StreamJsonParser and 
ReaderBasedJsonParser classes allows large amounts of extraneous data to be 
printed to the server log. An attacker can exploit this vulnerability by 
crafting a POST request containing large amounts of data. When the data 
contains invalid JSON, an exception is thrown, which results in the consumption 
of available disk space when the error message is written to server.log along 
with the request data.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-app-1.13.jar <= ReaderBasedJsonParser.class : [2.0.0-RC1, 2.8.6)
tika-app-1.13.jar <= UTF8StreamJsonParser.class : [2.0.0-RC1, 2.8.6)
Advisories
Attack: https://issues.jboss.org/browse/JBEAP-6316
Project: https://github.com/FasterXML/jackson-core/pull/322
Vulnerable Third party component: Jackson
Fixed Third party component: Jackson 2.8.6 or later

2       SONATYPE-2017-0359      Source Sonatype Data Research
Severity Sonatype CVSS 3.0: 7.5
Weakness Sonatype CWE: 22

Explanation
The Apache httpcomponents component is vulnerable to Directory Traversal. The 
normalizePath() function in the URIBuilder class allows directory traversal 
characters such as ../. An attacker can exploit this vulnerability by sending a 
specially crafted request containing this sequence in the URL path, allowing 
the attacker to traverse beyond the allowed directory and retrieve the contents 
of arbitrary files from the server, leading to information disclosure.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-app-1.13.jar <= URIBuilder.class : [4.2.1-RC1, 4.5.3)
Advisories
Project: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
Vulnerable Third party component: Apache httpcomponents
Fixed Third party component: Apache httpcomponents 4.5.3 or later

3       CVE-2017-12620  Issue CVE-2017-12620
Source National Vulnerability Database
Severity Sonatype CVSS 3.0: 7.3
Weakness Sonatype CWE: 611

Description from CVE
When loading models or dictionaries that contain XML it is possible to perform 
an XXE attack, since Apache OpenNLP is a library, this only affects 
applications that load models or dictionaries from untrusted sources. The 
versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache 
OpenNLP are affected.
Explanation
Apache OpenNLP is vulnerable to XML External Entity (XXE) attack. The 
constructor in the ConstitParseSampleStream class, createDOM() function in the 
GeneratorFactory class, and the parse() function in the 
IrishSentenceBankDocument and LetsmtDocument classes allows unsafe external 
entities when processing XML data from models and dictionaries. A remote 
attacker can exploit this by submitting specially crafted XML, which can 
potentially lead to Denial of Service, Information Disclosure, or other attacks.
Advisory Deviation Notice 
The Sonatype security research team discovered that the vulnerability is 
present in version 1.5.2-incubating-rc1 until 1.8.2, not in all the versions 
from 1.5.0 till 1.8.2 as the advisory states.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= ConstitParseSampleStream.class : [1.5.3-rc1, 1.7.1)
tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= GeneratorFactory.class : [1.5.3-rc1, 1.7.1)
Advisories
Project: http://opennlp.apache.org/news/cve-2017-12620.html
Vulnerable Third party component: Apache OpenNLP
Fixed Third party component: Apache OpenNLP 1.8.2 or later

4       SONATYPE-2016-0398      Source Sonatype Data Research
Severity Sonatype CVSS 3.0: 7.5
Weakness Sonatype CWE: 22

Explanation
Plexus Utils is vulnerable to Directory Traversal. The extractFile() function 
in the Expand class allows directory traversal characters such as ../ via the 
entryName parameter. An attacker can exploit this vulnerability by sending a 
specially crafted request containing this sequence in the URL path, allowing 
the attacker to traverse beyond the allowed directory and retrieve the contents 
of arbitrary files from the server, leading to information disclosure.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-app-1.13.jar <= Expand.class : ( , 3.0.24)
Advisories
Third Party: https://github.com/sonatype/plexus-utils/issues/20
Vulnerable Third party component: Plexus Utils
Fixed Third party component: Most likely Plexus Utils 3.0.24 or later
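As an added check that is not part of this report, of Nexus Auditor or of Tika: a small Python audit that opens a Tika jar, reads the Maven pom.properties metadata that a shaded jar normally keeps for each embedded dependency, and compares the four components above against the fixed versions the report lists. It assumes the jar retains META-INF/maven/<groupId>/<artifactId>/pom.properties (maven-shade's default) and supplies the components' public Maven coordinates, which the report itself does not give; the sample jar it builds is a constructed fixture, not a real Tika artifact.

```python
import io
import re
import zipfile

# Minimum fixed versions from the report above, keyed by each component's public
# Maven coordinates (the coordinates are added here; the report names components only).
FIXED = {
    ("com.fasterxml.jackson.core", "jackson-core"): "2.8.6",  # SONATYPE-2017-0355
    ("org.apache.httpcomponents", "httpclient"): "4.5.3",     # SONATYPE-2017-0359
    ("org.apache.opennlp", "opennlp-tools"): "1.8.2",         # CVE-2017-12620
    ("org.codehaus.plexus", "plexus-utils"): "3.0.24",        # SONATYPE-2016-0398
}
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
VERSION_LINE = re.compile(r"^\s*version\s*=\s*(\S+)", re.MULTILINE)


def version_key(version):
    """'2.8.6' -> ((2, 8, 6), 1, ''); '1.5.3-rc1' -> ((1, 5, 3), 0, 'rc1').
    A qualifier sorts below the bare release, matching the report's [1.5.3-rc1, 1.7.1)."""
    numbers, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in numbers.split(".") if p.isdigit())
    return nums, 0 if qualifier else 1, qualifier.lower()


def audit_jar(jar_bytes):
    """Return sorted (groupId, artifactId, embedded, fixed) tuples for every flagged
    component whose embedded pom.properties version is below the fixed version."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            coord = (m.group(1), m.group(2)) if m else None
            if coord not in FIXED:
                continue  # not one of the four components the report flags
            hit = VERSION_LINE.search(jar.read(name).decode("utf-8", "replace"))
            if hit and version_key(hit.group(1)) < version_key(FIXED[coord]):
                findings.append(coord + (hit.group(1), FIXED[coord]))
    return sorted(findings)


def make_sample_jar(versions):
    """Constructed fixture: a fake shaded jar holding only pom.properties entries for
    the given {(groupId, artifactId): version} map. Not a real Tika artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for (group, artifact), version in versions.items():
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#Generated by Maven\nversion={version}\ngroupId={group}\n")
    return buf.getvalue()
```

Against a real build, call audit_jar(open("tika-app-1.13.jar", "rb").read()); an empty list means none of the four embedded versions is below the report's fixed version. Nexus matches on the class files listed under Root Cause, so treat this as a quick sanity check of the embedded metadata, not a replacement for the scanner.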




Can we please have Apache Tika release an updated version that uses the fixed 
Third party components?

Thx & Regards.
--- Abhijit Rajwade
BMC Software




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)