[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAC1dCwUfCG9Vo8UhBzE1U7EgedjaVuDqQ3qYpXn0mFv8DXYT0Q@mail.gmail.com>
Date: Tue, 9 Oct 2018 16:05:18 -0400
From: Tim Allison <tallison@...che.org>
To: announce@...che.org, dev@...a.apache.org, user@...a.apache.org,
Apache Security Team <security@...che.org>, oss-security@...ts.openwall.com
Subject: [CVE-2018-11796] Apache Tika Denial of Service via XML Entity
Expansion Vulnerability
CVE-2018-11796: Apache Tika Denial of Service via XML Entity Expansion
Vulnerability
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Tika 0.1 to 1.19
Description:
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion
limit for XML parsing. However, Tika reuses SAXParsers and calls
reset() after each parse, which, for Xerces2 parsers, as per the
documentation, removes the user-specified SecurityManager and
thus removes entity expansion limits after the first parse.
Apache Tika 1.19 is therefore still vulnerable to entity
expansions which can lead to a denial of service attack.
Mitigation:
Apache Tika users should upgrade to 1.19.1 or later
Credit:
This issue was discovered by Slava Gorelik of CloudAlly.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
