===================================================================                                 CERT-Renater

                     Note d'Information No. 2022/VULN222

_____________________________________________________________________

DATE                : 29/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tika versions prior to
                                   1.28.4, 2.4.1.

====================================================================https://lists.apache.org/thread/wfno8mf5nlcvbs78z93q9thgrm30wwfh
_____________________________________________________________________

CVE-2022-33879: Apache Tika: Incomplete fix and new regex DoS in
StandardsExtractingContentHandler

Severity: low

Description:

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in
the StandardsExtractingContentHandler were insufficient, and we found
a separate, new regex DoS in a different regex in the
StandardsExtractingContentHandler. These are now fixed in 1.28.4 and
2.4.1.


Credit:

This incomplete fix was discovered and reported by the CodeQL team
member [@atorralba (Tony Torralba)](https://github.com/atorralba)
and [@jarlob (Jaroslav Lobačevski)](https://github.com/jarlob)
from Github Security Lab.  The new ReDos was discovered by the
Apache Tika team


========================================================+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================