SB2017093007 - XML External Entity injection in Apache Tika
Published: September 30, 2017 Updated: August 8, 2020
Security Bulletin ID
SB2017093007
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) XML External Entity injection (CVE-ID: CVE-2016-4434)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Remediation
Install update from vendor's website.
References
- http://rhn.redhat.com/errata/RHSA-2017-0248.html
- http://rhn.redhat.com/errata/RHSA-2017-0249.html
- http://rhn.redhat.com/errata/RHSA-2017-0272.html
- http://www.securityfocus.com/archive/1/538500/100/0/threaded
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E