tika-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aman Mishra (Jira)" <j...@apache.org>
Subject [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Date Mon, 30 Dec 2019 12:12:00 GMT
Aman Mishra created TIKA-3019:
---------------------------------

             Summary: [9.8] [CVE-2019-17571] [tika-app] [1.23]
                 Key: TIKA-3019
                 URL: https://issues.apache.org/jira/browse/TIKA-3019
             Project: Tika
          Issue Type: Bug
          Components: tika-batch
    Affects Versions: 1.23
            Reporter: Aman Mishra


*Description :*
*Severity :* Sonatype CVSS 3: 9.8CVE CVSS 2.0: 0.0

*Weakness :* Sonatype CWE: 502

*Source :* National Vulnerability Database

*Categories :* Data

*Description from CVE :* Included in Log4j 1.2 is a SocketServer class that is vulnerable
to deserialization of untrusted data which can be exploited to remotely execute arbitrary
code when combined with a deserialization gadget when listening to untrusted network traffic
for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

*Explanation :* The log4j:log4j package is vulnerable to Remote Code Execution [RCE] due
to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods
in SocketServer.class do not verify if the file at a given file path contains any untrusted
objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing
a path to crafted files, which result in arbitrary code execution when deserialized.
NOTE: Starting with version[s] 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core.
A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645,
in versions up to but excluding 2.8.2.

*Detection :* The application is vulnerable by using this component.

*Recommendation :* Starting with version[s] 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core.
A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645,
in versions up to but excluding 2.8.2. Therefore,it is recommended to upgrade to org.apache.logging.log4j:log4j-core
version[s] 2.8.2 and above. For log4j:log4j 1.x versions however, a fix does not exist.

*Root Cause :* tika-app-1.23.jarorg/apache/log4j/net/SocketServer.class : [,]

*Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=1785616]

*CVSS Details :* Sonatype CVSS 3: 9.8CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message