[SECURITY] Nutch 2.3.1 affected by downstream dependency CVE-2016-6809
Title: Nutch 2.3.1 affected by downstream dependency CVE-2016-6809
Vulnerable Versions: 2.3.1 (1.16 is not vulnerable)
Disclosure date: 2018-10-22
Credit: Pierre Ernst, Salesforce
Summary: Remote Code Execution in Apache Nutch 2.3.1 when crawling a web site containing malicious content
Description: The reporter found an RCE security vulnerability in Nutch 2.3.1 when crawling a web site that links a doctored Matlab file. This was due to unsafe deserialization of user-generated content. The root cause is two outdated third-party dependencies:
1. Apache Tika version 1.10 (CVE-2016-6809)
2. Apache Commons Collections 4 version 4.0 (COLLECTIONS-580)
Upgrading these two dependencies to the latest version will fix the issue.
Resolution: The Apache Nutch Project Management Committee released Apache Nutch 2.4 on 2019-10-11 (https://s.apache.org/uw8i3). All users of the 2.X branch should upgrade to this version immediately. In addition, note that we expect that v2.4 is the last release on the 2.x series. The Nutch PMC decided to freeze the development on the 2.x branch for now, as no committers are actively working on it. See the above hyperlink for more information on upgrading and the 2.x retirement decision.
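The following script is an added example, not part of this advisory or of the Nutch project. It illustrates the check an operator of a 2.x deployment would want before and after upgrading: scan the jar names in the installation's lib directory and flag the Tika and Commons Collections artifacts that fall below the version that closed the respective issue. The thresholds (Tika 1.14 for CVE-2016-6809, Commons Collections 4.1 for COLLECTIONS-580, and 3.2.2 for the 3.x line) are assumptions taken from the upstream release notes, not from this advisory, and the sample jar list is constructed, so verify both against the vendor advisories and your own deployment.

```python
"""
Added example (not part of the Nutch advisory or the Nutch project):
flag vulnerable Apache Tika / Commons Collections jars in a Nutch 2.x lib/ directory.
"""
import re
from pathlib import Path

# Minimum version that closed the issue, per Maven artifact id.
# ASSUMPTION: taken from upstream release notes (Tika 1.14 for CVE-2016-6809,
# commons-collections4 4.1 / commons-collections 3.2.2 for COLLECTIONS-580);
# the advisory itself only says "upgrade to the latest version".
MIN_SAFE = {
    "tika-core": (1, 14),
    "tika-parsers": (1, 14),
    "commons-collections4": (4, 1),
    "commons-collections": (3, 2, 2),
}

# Maven-style jar name: <artifact>-<numeric version>[-qualifier].jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.].*)?\.jar$"
)


def parse_jar_name(name):
    """Return (artifact, version tuple) for a Maven-style jar filename, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version


def _pad(version, length):
    """Right-pad a version tuple with zeros so 1.14 and 1.14.0 compare equal."""
    return tuple(version) + (0,) * (length - len(version))


def is_vulnerable(artifact, version):
    """True when the artifact is tracked and its version is below the fixed one."""
    minimum = MIN_SAFE.get(artifact)
    if minimum is None:
        return False
    length = max(len(version), len(minimum))
    return _pad(version, length) < _pad(minimum, length)


def scan_jar_names(names):
    """Return [(jar name, artifact, minimum safe version)] for every flagged jar."""
    findings = []
    for name in names:
        parsed = parse_jar_name(name)
        if parsed and is_vulnerable(*parsed):
            artifact = parsed[0]
            minimum = ".".join(str(p) for p in MIN_SAFE[artifact])
            findings.append((name, artifact, minimum))
    return findings


def scan_lib_dir(path):
    """Scan every *.jar directly under `path` (e.g. a Nutch runtime lib/ directory)."""
    return scan_jar_names(p.name for p in Path(path).glob("*.jar"))


# Constructed sample resembling the lib/ directory of a 2.3.1 deployment;
# it is not an actual listing from a Nutch release.
SAMPLE_LIBS = [
    "tika-core-1.10.jar",
    "tika-parsers-1.10.jar",
    "commons-collections4-4.0.jar",
    "commons-collections-3.2.2.jar",
    "hadoop-core-1.2.0.jar",
    "guava-18.0.jar",
]

if __name__ == "__main__":
    for name, artifact, minimum in scan_jar_names(SAMPLE_LIBS):
        print(f"VULNERABLE: {name} ({artifact} must be >= {minimum})")
```

Run it against a real installation with `scan_lib_dir("/path/to/nutch/runtime/local/lib")`. The check is a filename heuristic: it will miss shaded or renamed jars and dependencies pulled in at build time through Ivy, so treat a clean result as a prompt to confirm the resolved dependency versions in the build, not as proof that the upgrade to 2.4 is unnecessary.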
Contact: either dev[at] or private[at]nutch[dot]apache[dot]org depending on the nature of your contact.