[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Pars
From: Tim Allison <tallison () apache ! org>
Date: 2020-04-24 16:19:48
Message-ID: CAC1dCwUOZpgORGC2uT4PvZ81yv7HNyFggp9NLtNUyB-uX=ThLA () mail ! gmail ! com
[Download RAW message or body]
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache Tika 1.24
Description:
A carefully crafted or corrupt file may trigger a System.exit in Tika's
OneNote Parser. Crafted or corrupted files can also cause out of memory
errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser,
SAS7BDATParser, OneNoteParser and ImageParser.
Mitigation:
Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in
the MP4Parser were partially fixed by upgrading the
com.googlecode:isoparser:1.1.22 dependency to
org.tallison:isoparser:1.9.41.2.
For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part
of the 1.24.1 release.
We also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to
1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 and
mockito to 3.3.3 as part of the 1.24.1 release.
Credit:
These vulnerabilities were discovered by Tim Allison on the Apache Tika
team.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic