oss-sec mailing list archives
[CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers
From: Tim Allison <tallison () apache org>
Date: Fri, 24 Apr 2020 12:19:48 -0400
Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Apache Tika 1.24 Description: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Mitigation: Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. We also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to 1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 and mockito to 3.3.3 as part of the 1.24.1 release. Credit: These vulnerabilities were discovered by Tim Allison on the Apache Tika team.
Current thread:
- [CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers Tim Allison (Apr 24)