#VU34420 Memory leak in Apache Tika - CVE-2020-9489

Cybersecurity Help s.r.o.

Published: 2020-04-27 | Updated: 2020-08-08

Vulnerability identifier: #VU34420

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-9489

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Tika
Server applications / Other server solutions

Vendor: Apache Foundation

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Apache Tika: 1.24

External links
https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5a07186cfa2442c%40%3Cdev.tika.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle WebCenter Portal

Multiple vulnerabilities in Oracle FLEXCUBE Private Banking

Multiple vulnerabilities in Primavera Unifier

Memory leak in Oracle Communications Messaging Server

Memory leak in Apache Tika