Uploaded image for project: 'Tika'
  1. Tika
  2. TIKA-2716

Sonatype Nexus auditor is reporting that spring framework vesrion used by Tika 1.18 is vulnerable

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Won't Fix
    • 1.18
    • 1.19, 2.0.0
    • core
    • None

    Description

      Sonatype Nexus auditor is reporting that spring framework version used by Apache Tika 1.18 is vulnerable. Recommendation is to upgrade to a non vulnerable version of Spring framework - 4.3.15/later or 5.0.5/later
       
      Refer following details
       
      Issue CVE-2018-1270
       
      Source National Vulnerability Database
       
      Severity
      CVE CVSS 3.0: 9.8
      CVE CVSS 2.0: 7.5
      Sonatype CVSS 3.0: 9.8
       
      Weakness
      CVE CWE: 358
       
      Description from CVE
      Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
      Explanation
      The Spring Framework spring-messaging module is vulnerable to Remote Code Execution (RCE). The getMethods() method in the ReflectiveMethodResolver class, the canWrite method in the ReflectivePropertyAccessor class, and the filterSubscriptions() method in the DefaultSubscriptionRegistry class do not properly restrict SpEL expression evaluation. A remote attacker can exploit this vulnerability by crafting a request to an exposed STOMP endpoint and injecting a malicious payload into the selector header. The application would then execute the payload via a call to expression.getValue() whenever a new message is sent to the broker.
       
      Detection
      The application is vulnerable by using this component.
       
      Recommendation
      We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
      Categories
      Data
      Root Cause
      tika-app-1.18.jar <= ReflectivePropertyAccessor.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
      tika-app-1.18.jar <= ReflectiveMethodResolver.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
       
      Advisories
      Attack: http://www.polaris-lab.com/index.php/archives/501/
      Attack: https://chybeta.github.io/2018/04/07/spring-messaging-Remote...
      Project: https://jira.spring.io/browse/SPR-16588
       

      Attachments

        Issue Links

          is superceded by

          Bug - A problem which impairs or prevents the functions of the product. TIKA-2721 Exclude Spring (transitive dependency) from tika-parsers

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              grossws Konstantin Gribov
              arajwade Abhijit Rajwade
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: