====================================================================
CERT-Renater Note d'Information No. 2018/VULN290
_____________________________________________________________________

DATE                 : 20/09/2018
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Tika versions prior to 1.19.
=====================================================================

http://mail-archives.apache.org/mod_mbox/www-announce/201809.mbox/%3cCAC1dCwVOEYsB1c4s2DYkhsafT8q3Fupt_OFugXj9J1RCZuf3UQ@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/www-announce/201809.mbox/%3cCAC1dCwVx2Z1haCnvYBhH7nQRN4kYKjwkLfjsCbeFHv2tRcBonA@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/www-announce/201809.mbox/%3cCAC1dCwV2-kTJKjNO1rV65bQrekkur7OWAu1x+pPRToRRYk=GPA@mail.gmail.com%3e
_____________________________________________________________________

CVE-2018-8017: Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika 1.2 to 1.18

Description: A carefully crafted file can trigger an infinite loop in Apache Tika's IptcAnpaParser.

Mitigation: Apache Tika users should upgrade to 1.19 or later.

Credit: This issue was discovered by Tobias Ospelt of modzero AG.
_____________________________________________________________________

CVE-2018-11761: Apache Tika Denial of Service via XML Entity Expansion Vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika 0.1 to 1.18

Description: Apache Tika's XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

Mitigation: Apache Tika users should upgrade to 1.19 or later.

Credit: This issue was discovered by Renfei (Brian) Wang of Amazon.
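As an added defensive illustration, not part of this advisory or of Apache Tika's own code: a pre-parse check that measures how far a document's internal entities would expand without ever materialising the expansion, which is the kind of limit the advisory says Tika's XML parsers lacked. It assumes double-quoted internal general entities handled with regular expressions; the sample payload and the 1,000,000-character cap are constructed for the example.

```python
import re
# Constructed sample shaped like an entity expansion ("billion laughs") payload: each
# entity references the previous one ten times, so the expanded text grows tenfold
# per level while the file itself stays small.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""

DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal general entities only
ENTITY_REF = re.compile(r"&(\w+);")

def internal_entities(xml_text):
    """Map entity name -> replacement text for entities declared in the internal DTD subset."""
    m = DOCTYPE.search(xml_text)
    return dict(ENTITY_DECL.findall(m.group(1))) if m else {}

def entity_sizes(entities):
    """Fully expanded length of every entity, computed without materialising the expansion."""
    sizes = {}
    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity reference through {name!r}")
        if name not in entities:  # predefined (&amp; ...) or undeclared: count one char
            return 1
        text, total, last = entities[name], 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - last + size_of(ref.group(1), stack | {name})
            last = ref.end()
        sizes[name] = total + len(text) - last
        return sizes[name]
    for name in entities:
        size_of(name, frozenset())
    return sizes

def check_entity_expansion(xml_text, max_expansion=1_000_000):
    """Return (accepted, expanded_length) of the body with every entity reference expanded."""
    sizes = entity_sizes(internal_entities(xml_text))
    body = DOCTYPE.sub("", xml_text, count=1)
    expanded = len(body) + sum(sizes.get(r.group(1), 1) - len(r.group(0))
                               for r in ENTITY_REF.finditer(body))
    return expanded <= max_expansion, expanded
```

A document that fails the cap, or whose entities reference each other in a cycle, should be rejected before it reaches the real parser; this scan only illustrates the measurement, and production code should also enable the XML parser's own expansion limits.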
_____________________________________________________________________

CVE-2018-11762: Zip Slip Vulnerability in Apache Tika's tika-app

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika 0.9 to 1.18

Description: In a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.

Mitigation: Apache Tika users should upgrade to 1.19 or later.

Credit: This issue was discovered by Tim Allison on the Apache Tika team.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================