[CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser

Tim Allison
CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
Potential Infinite Loop in IptcAnpaParser

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Tika 1.2 to 1.18

Description:
A carefully crafted file can trigger an infinite loop in Apache Tika's
IptcAnpaParser.

Mitigation:
Apache Tika users should upgrade to 1.19 or later.

Credit:
This issue was discovered by Tobias Ospelt of modzero AG.
Reply | Threaded
Open this post in threaded view
|

Re: [CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser

Tim Allison
All,
  I got the credit wrong for this issue.  Rohan Padhye first
identified this vulnerability to the Tika team.  Tobias Ospelt
independently discovered it slightly later.

Credit:
This issue was discovered independently using JQF
(https://github.com/rohanpadhye/jqf), first by Rohan Padhye at the
University of California,
Berkeley and later by Tobias Ospelt of modzero AG.

On Wed, Sep 19, 2018 at 8:49 AM Tim Allison <[hidden email]> wrote:

>
> CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
> Potential Infinite Loop in IptcAnpaParser
>
> Severity: Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Tika 1.2 to 1.18
>
> Description:
> A carefully crafted file can trigger an infinite loop in Apache Tika's
> IptcAnpaParser.
>
> Mitigation:
> Apache Tika users should upgrade to 1.19 or later.
>
> Credit:
> This issue was discovered by Tobias Ospelt of modzero AG.