Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571

Mostafa Salah
On 2019/12/26 10:44:00, "Abhijit Rajwade (Jira)" <[hidden email]> wrote:
>
>     [ https://issues.apache.org/jira/browse/TIKA-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17003573#comment-17003573 ]
>
> Abhijit Rajwade commented on TIKA-3018:
> ---------------------------------------
>
> Issue is reported on org.apache.tika : tika-app : 1.23
>
> > log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
> > --------------------------------------------------------------------------
> >
> >                 Key: TIKA-3018
> >                 URL: https://issues.apache.org/jira/browse/TIKA-3018
> >             Project: Tika
> >          Issue Type: Bug
> >          Components: core
> >    Affects Versions: 1.23
> >            Reporter: Abhijit Rajwade
> >            Priority: Major
> >
> > Sonatype Nexus auditor is reporting the following log4j related security issue on Apache Tika 1.23.
> > Recommendation is to use org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. Can you please check if Apache Tika is vulnerable and if so upgrade based on the recommendation?
> > Description
> > Description from CVE
> >     Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
> > Explanation
> >     The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify if the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which result in arbitrary code execution when deserialized.
> >     NOTE: Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2.
> > Detection
> >     The application is vulnerable by using this component.
> > Recommendation
> >     Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2. Therefore, it is recommended to upgrade to org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. For log4j:log4j 1.x versions however, a fix does not exist.
> > Root Cause
> >     tika-app-1.23.jar <= org/apache/log4j/net/SocketServer.class : (,)
> > Advisories
> >     Project: https://issues.apache.org/jira/browse/LOG4J2-1863
> >     Project: https://lists.apache.org/thread.html/84cc4266238e057b95eb95d…
> >     Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1785616
> > CVSS Details
> >     Sonatype CVSS 3: 9.8
> >     CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.3.4#803005)
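The auditor's finding above boils down to a presence check: the shaded tika-app-1.23.jar carries the entry org/apache/log4j/net/SocketServer.class. The following script is an added example, not code from the Tika project or from anyone in this thread; it reproduces that presence check over a JAR and, going one step beyond the single shaded jar discussed here, also descends into jars nested inside a jar, war or ear. The sample jars it scans are constructed in memory with stub class bytes and are not real Tika or log4j artifacts.

```python
"""Scan a JAR (and any JARs nested inside it) for the log4j 1.2 SocketServer class.

Added example, not from the Tika project or the mailing-list thread.
The JARs built by build_sample_jar() are constructed test data.
"""
import io
import sys
import zipfile
from typing import List

# Class path named in the auditor report for CVE-2019-17571.
VULN_CLASS = "org/apache/log4j/net/SocketServer.class"

NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_class(jar_bytes: bytes, wanted: str = VULN_CLASS, _prefix: str = "") -> List[str]:
    """Return every location of `wanted`, as 'outer.jar!inner/path' strings.

    Recurses into nested archive entries so that uber jars, WARs and EARs
    are covered too (a generalization beyond the single tika-app jar in
    the report). A nested entry that is not a valid zip is skipped rather
    than aborting the whole scan.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == wanted:
                hits.append(_prefix + name)
            elif name.lower().endswith(NESTED_SUFFIXES):
                try:
                    inner = zf.read(name)
                    hits.extend(find_class(inner, wanted, _prefix + name + "!"))
                except (zipfile.BadZipFile, KeyError):
                    continue
    return hits


def build_sample_jar(include_socket_server: bool, nested: bool = False) -> bytes:
    """Construct a minimal JAR in memory (constructed sample data, not Tika's).

    With nested=True the JAR is wrapped inside a second JAR under lib/, the
    way a fat jar or WAR bundles its dependencies.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # 0xCAFEBABE is the class-file magic; the rest of the class is omitted.
        zf.writestr("org/apache/tika/Tika.class", b"\xca\xfe\xba\xbe")
        if include_socket_server:
            zf.writestr(VULN_CLASS, b"\xca\xfe\xba\xbe")
    if not nested:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        # Hypothetical inner jar name; only the suffix matters to the scanner.
        zf.writestr("lib/log4j-1.2.17.jar", buf.getvalue())
    return outer.getvalue()


def scan_file(path: str) -> List[str]:
    """Scan a JAR on disk; usage: python scan_jar.py tika-app-1.23.jar"""
    with open(path, "rb") as fh:
        return find_class(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in scan_file(sys.argv[1]):
            print("FOUND", hit)
    else:
        # Demonstration on the constructed samples.
        print(find_class(build_sample_jar(True)))
        print(find_class(build_sample_jar(False)))
        print(find_class(build_sample_jar(True, nested=True)))
```

This mirrors what the Nexus auditor's "Detection" line actually tests: the class is present in the artifact. Presence is what makes the component show up in an audit; whether a deployment ever starts SocketServer to listen on a port is a separate question the scan cannot answer, so the result is the starting point for the upgrade decision the reporter asks about, not proof of a reachable deserialization sink.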