tika-dev mailing list archives

From "Konstantin Gribov (Jira)" <j...@apache.org>
Subject [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
Date Sat, 11 Jan 2020 20:39:00 GMT

     [ https://issues.apache.org/jira/browse/TIKA-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantin Gribov resolved TIKA-3018.
-------------------------------------
    Resolution: Duplicate

> log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
> --------------------------------------------------------------------------
>
>                 Key: TIKA-3018
>                 URL: https://issues.apache.org/jira/browse/TIKA-3018
>             Project: Tika
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.23
>            Reporter: Abhijit Rajwade
>            Priority: Major
>
> Sonatype Nexus auditor is reporting the following log4j-related security issue on Apache Tika 1.23.
> Recommendation is to use org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. Can you please check if Apache Tika is vulnerable and if so upgrade based on the recommendation?
> Description
> Description from CVE
>     Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. 
> Explanation
>     The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify if the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which results in arbitrary code execution when deserialized.
>     NOTE: Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2.
> Detection
>     The application is vulnerable by using this component.
> Recommendation
>     Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2. Therefore, it is recommended to upgrade to org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. For log4j:log4j 1.x versions however, a fix does not exist.
> Root Cause
>     tika-app-1.23.jar <= org/apache/log4j/net/SocketServer.class : (,) 
> Advisories
>     Project: https://issues.apache.org/jira/browse/LOG4J2-1863
>     Project: https://lists.apache.org/thread.html/84cc4266238e057b95eb95d…
>     Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1785616 
> CVSS Details
>     Sonatype CVSS 3: 9.8
>     CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
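As an added check (example code written for this page; it is not part of Tika, of Jira, or of the Sonatype report), the script below does what the auditor's "Root Cause" line implies: it opens a jar, walks its entries and any jars nested inside it, and reports the log4j 1.x SocketServer class named in the report together with any bundled log4j-core 2.x older than 2.8.2. It assumes the standard Maven META-INF/maven/<groupId>/<artifactId>/pom.properties layout for version discovery (a fat jar may have dropped those files when shading; the class-name check still fires without a version) and builds its own in-memory sample jar as a constructed stand-in for tika-app-1.23.jar. Following the CVE text quoted above, a hit means the component is shipped, not that the application actually runs SocketServer listening on untrusted traffic, so each finding carries that caveat as a field.

```python
"""Audit a Java archive for the log4j components named in the Sonatype report.

Constructed example: walks a jar (and jars nested in it) looking for the
log4j 1.x SocketServer class (CVE-2019-17571) and for a bundled log4j-core
2.x older than 2.8.2 (CVE-2017-5645).  Presence shows the component ships;
it does not prove the application listens with SocketServer.
"""
import io
import re
import zipfile

# The class the report points at inside tika-app-1.23.jar.
LOG4J1_SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
# Standard Maven layout for embedded coordinates (assumption: the fat jar kept
# these files when the dependencies were shaded in).
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J2_FIXED = (2, 8, 2)  # first log4j-core release the report calls fixed


def parse_version(text):
    """'2.8.2' -> (2, 8, 2); a missing or odd version compares as (0,)."""
    nums = re.findall(r"\d+", text or "")
    return tuple(int(n) for n in nums[:3]) or (0,)


def read_pom_version(zf, entry):
    """Return the version= value from a pom.properties entry, or None if absent."""
    try:
        raw = zf.read(entry)
    except KeyError:
        return None
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def audit_jar(jar, prefix=""):
    """Return findings for a jar given as a path or a file-like object.

    Each finding records the CVE, artefact and version seen, the entry used as
    evidence, whether a fixed release exists, and the caveat that the bug is
    only reachable when the app runs the socket server on untrusted input.
    Nested jars are descended into; their evidence reads outer.jar!inner/path.
    """
    findings = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if LOG4J1_SOCKET_SERVER in names:
            findings.append({
                "cve": "CVE-2019-17571",
                "artifact": "log4j:log4j",
                "version": read_pom_version(zf, LOG4J1_POM),
                "evidence": prefix + LOG4J1_SOCKET_SERVER,
                "fix_available": False,  # no fixed 1.x release exists
                "exploitable_only_when_listening": True,
            })
        v2 = read_pom_version(zf, LOG4J2_CORE_POM)
        if v2 is not None and parse_version(v2) < LOG4J2_FIXED:
            findings.append({
                "cve": "CVE-2017-5645",
                "artifact": "org.apache.logging.log4j:log4j-core",
                "version": v2,
                "evidence": prefix + LOG4J2_CORE_POM,
                "fix_available": True,  # upgrade to 2.8.2 or later
                "exploitable_only_when_listening": True,
            })
        for name in sorted(n for n in names if n.endswith(".jar")):
            nested = io.BytesIO(zf.read(name))
            findings.extend(audit_jar(nested, prefix + name + "!"))
    return findings


def _jar(entries):
    """Build an in-memory jar (zip) from {entry: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def build_sample_jar():
    """Constructed stand-in for tika-app-1.23.jar: shaded log4j 1.2.17 plus a
    nested log4j-core 2.8.1 jar.  The .class payloads are only the class-file
    magic number, enough for an entry-name check."""
    inner = _jar({LOG4J2_CORE_POM: b"version=2.8.1\nartifactId=log4j-core\n"}).getvalue()
    return _jar({
        "org/apache/tika/Tika.class": b"\xca\xfe\xba\xbe",
        LOG4J1_SOCKET_SERVER: b"\xca\xfe\xba\xbe",
        LOG4J1_POM: b"version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
        "lib/log4j-core-2.8.1.jar": inner,
    })


def build_clean_jar():
    """Constructed jar with no log4j content at all."""
    return _jar({"org/apache/tika/Tika.class": b"\xca\xfe\xba\xbe"})


if __name__ == "__main__":
    for finding in audit_jar(build_sample_jar()):
        print(finding)
```

To run it against a real archive, call audit_jar("tika-app-1.23.jar"); a finding with "fix_available": False is the 1.x case the report describes, where the only remediation is removing or replacing the bundled log4j 1.x rather than bumping its version.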
