====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN222
_____________________________________________________________________

DATE                : 27/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tika versions 1.24.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202004.mbox/%3cCAC1dCwUOZpgORGC2uT4PvZ81yv7HNyFggp9NLtNUyB-uX=ThLA@mail.gmail.com%3e
_____________________________________________________________________

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika 1.24

Description:
A carefully crafted or corrupt file may trigger a System.exit in Tika's
OneNote Parser. Crafted or corrupted files can also cause out of memory
errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser,
SAS7BDATParser, OneNoteParser and ImageParser.


Mitigation:
Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities
in the MP4Parser were partially fixed by upgrading the
com.googlecode:isoparser:1.1.22 dependency to
org.tallison:isoparser:1.9.41.2.

For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as
part of the 1.24.1 release.

We also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to
1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0
and mockito to 3.3.3 as part of the 1.24.1 release.


Credit:

These vulnerabilities were discovered by Tim Allison on the Apache Tika
team.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================