Uploaded image for project: 'Tika'
  1. Tika
  2. TIKA-2716

Sonatype Nexus auditor is reporting that spring framework vesrion used by Tika 1.18 is vulnerable

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.18
    • Fix Version/s: 2.0, 1.19
    • Component/s: core
    • Labels:
      None

      Description

      Sonatype Nexus auditor is reporting that spring framework version used by Apache Tika 1.18 is vulnerable. Recommendation is to upgrade to a non vulnerable version of Spring framework - 4.3.15/later or 5.0.5/later
       
      Refer following details
       
      Issue CVE-2018-1270
       
      Source National Vulnerability Database
       
      Severity
      CVE CVSS 3.0: 9.8
      CVE CVSS 2.0: 7.5
      Sonatype CVSS 3.0: 9.8
       
      Weakness
      CVE CWE: 358
       
      Description from CVE
      Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
      Explanation
      The Spring Framework spring-messaging module is vulnerable to Remote Code Execution (RCE). The getMethods() method in the ReflectiveMethodResolver class, the canWrite method in the ReflectivePropertyAccessor class, and the filterSubscriptions() method in the DefaultSubscriptionRegistry class do not properly restrict SpEL expression evaluation. A remote attacker can exploit this vulnerability by crafting a request to an exposed STOMP endpoint and injecting a malicious payload into the selector header. The application would then execute the payload via a call to expression.getValue() whenever a new message is sent to the broker.
       
      Detection
      The application is vulnerable by using this component.
       
      Recommendation
      We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
      Categories
      Data
      Root Cause
      tika-app-1.18.jar <= ReflectivePropertyAccessor.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
      tika-app-1.18.jar <= ReflectiveMethodResolver.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
       
      Advisories
      Attack: http://www.polaris-lab.com/index.php/archives/501/
      Attack: https://chybeta.github.io/2018/04/07/spring-messaging-Remote...
      Project: https://jira.spring.io/browse/SPR-16588
       

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                grossws Konstantin Gribov
                Reporter:
                arajwade Abhijit Rajwade
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: