[SECURITY] Nutch 2.3.1 affected by downstream dependency CVE-2016-6809


lewis john mcgibbney-2
Title: Nutch 2.3.1 affected by downstream dependency CVE-2016-6809 

Vulnerable Versions: 2.3.1 (1.16 is not vulnerable) 

Disclosure date: 2018-10-22 

Credit: Pierre Ernst, Salesforce 

Summary: Remote Code Execution in Apache Nutch 2.3.1 when crawling a web site containing malicious content

Description: The reporter found an RCE security vulnerability in Nutch 2.3.1 when crawling a web site that links to a doctored Matlab file. This was due to unsafe deserialization of user-generated content. The root cause is two outdated third-party dependencies:

1. Apache Tika version 1.10 (CVE-2016-6809)
2. Apache Commons Collections 4 version 4.0 (COLLECTIONS-580)

Upgrading these two dependencies to the latest version will fix the issue.
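The advisory names the two outdated jars but not a way to confirm what a given Nutch 2.3.1 deployment actually ships. The following script is an added example, not code from the Nutch project or from this post: it scans a lib directory (or a list of jar file names) and flags Tika and Commons Collections jars below the upstream fixed-in versions. Those thresholds (Tika 1.14 for CVE-2016-6809; Commons Collections 3.2.2 and 4.1 for COLLECTIONS-580) are taken from the upstream Tika and Commons Collections advisories, not from this post; the sample jar names at the bottom are constructed for illustration.

```python
import os
import re
import sys
from typing import Dict, List, Tuple

# Fixed-in versions per artifact, taken from the upstream advisories
# (not stated in the Nutch post): CVE-2016-6809 is fixed in Tika 1.14,
# COLLECTIONS-580 in Commons Collections 3.2.2 (3.x line) and 4.1 (4.x line).
FIXED_IN: Dict[str, Tuple[Tuple[int, ...], str]] = {
    "tika-core": ((1, 14), "CVE-2016-6809"),
    "tika-parsers": ((1, 14), "CVE-2016-6809"),
    "commons-collections4": ((4, 1), "COLLECTIONS-580"),
    "commons-collections": ((3, 2, 2), "COLLECTIONS-580"),
}

# Matches Maven-style jar names such as "tika-core-1.10.jar"; the artifact
# part is matched lazily so the version is the first all-numeric tail.
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10' into (1, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def check_jar_names(names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (jar name, advisory id, fixed-in version) for each vulnerable jar.

    Jars that do not match the Maven naming pattern, or that belong to
    artifacts not covered by the advisory, are ignored.
    """
    findings = []
    for name in names:
        match = JAR_RE.match(name)
        if match is None:
            continue
        artifact = match.group("artifact")
        if artifact not in FIXED_IN:
            continue
        version = parse_version(match.group("version"))
        fixed, advisory = FIXED_IN[artifact]
        # Tuple comparison handles differing lengths: (3, 2) < (3, 2, 2).
        if version < fixed:
            findings.append((name, advisory, ".".join(map(str, fixed))))
    return findings


def check_lib_dir(path: str) -> List[Tuple[str, str, str]]:
    """Scan a directory of jars (e.g. a Nutch runtime lib directory)."""
    return check_jar_names(sorted(os.listdir(path)))


# Constructed sample resembling a 2.3.1-era lib directory; not a real listing.
SAMPLE_LIB = [
    "hadoop-common-2.5.2.jar",
    "tika-core-1.10.jar",
    "tika-parsers-1.10.jar",
    "commons-collections4-4.0.jar",
    "commons-collections-3.2.2.jar",
]

if __name__ == "__main__":
    # Usage: python check_nutch_deps.py [path/to/lib]
    results = check_lib_dir(sys.argv[1]) if len(sys.argv) > 1 else check_jar_names(SAMPLE_LIB)
    for jar, advisory, fixed in results:
        print(f"{jar}: affected by {advisory}, upgrade to >= {fixed}")
    if not results:
        print("no jars below the fixed-in versions found")
```

The check is intentionally name-based: it tells you whether the packaged jar versions are below the fixed-in thresholds, which is the condition the advisory describes, but it cannot tell whether a jar has been shaded or renamed, so treat a clean result as necessary rather than sufficient and still upgrade to Nutch 2.4 as the post directs.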

Resolution: The Apache Nutch Project Management Committee released Apache Nutch 2.4 on 2019-10-11 (https://s.apache.org/uw8i3). All users of the 2.X branch should upgrade to this version immediately. In addition, note that we expect that v2.4 is the last release on the 2.x series. The Nutch PMC decided to freeze the development on the 2.x branch for now, as no committers are actively working on it. See the above hyperlink for more information on upgrading and the 2.x retirement decision. 

Contact: either dev[at] or private[at]nutch[dot]apache[dot]org depending on the nature of your contact. 

Regards, lewismc
(On behalf of the Apache Nutch PMC)