Bug 1144510 - (CVE-2019-10093) VUL-0: CVE-2019-10093: tika-core: Denial of Service in Apache Tika's 2003ml and 2006ml Parsers
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Joao Cavalheiro
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/238790/
Whiteboard: CVSSv3:SUSE:CVE-2019-10093:5.5:(AV:L/...
Depends on:
Blocks:
Reported: 2019-08-06 13:18 UTC by Wolfgang Frisch
Modified: 2021-02-11 15:52 UTC (History)
CC List: 0 users
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Description Wolfgang Frisch 2019-08-06 13:18:11 UTC
CVE-2019-10093

In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could
consume all available SAXParsers in the pool and lead to very long hangs. Apache
Tika users should upgrade to 1.22 or later.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10093
http://seclists.org/oss-sec/2019/q3/111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10093
https://lists.apache.org/thread.html/a5a44eff1b9eda3bc69d22943a1030c43d376380c75d3ab04d0c1a21@%3Cdev.tika.apache.org%3E
Comment 1 Wolfgang Frisch 2019-08-06 13:18:36 UTC
Vulnerable code streams:

SUSE:SLE-12-SP2:Update:Products:Manager31:Update tika-core 1.20
SUSE:SLE-12-SP3:Update:Products:Manager32:Update tika-core 1.20
SUSE:SLE-15-SP1:Update:Products:Manager40:Update tika-core 1.20
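The affected range in the CVE text (1.19 up to and including 1.21, fixed in 1.22) is easy to misjudge with plain string comparison ("1.9" sorts after "1.22"). The following script is an added example, not part of this bug report or of SUSE's tooling: it parses the rpm-style `name-version-release` tokens from the advisory "Sources used" lines and the `STREAM name version` form of the code-stream list above, compares versions numerically, and reports which entries still fall inside the vulnerable range. The function and constant names are the example's own; the sample lines it runs on are taken from this page.

```python
"""Check tika-core package versions against the CVE-2019-10093 affected range.

Added example (not from the bug report or SUSE tooling). The CVE text states
that Apache Tika 1.19 through 1.21 is affected and 1.22 is fixed; the
constants below encode exactly that range.
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (1, 19)  # first affected upstream version (from the CVE text)
FIXED_IN = (1, 22)      # first fixed upstream version (from the CVE text)

# rpm "name-version-release": the name may contain dashes, version and release may not,
# so the greedy name group backtracks to the last two dash-separated fields.
_NVR = re.compile(r"^(?P<name>.+)-(?P<version>[^-\s]+)-(?P<release>[^-\s]+)$")
# loose "name version" form used in the bug's "Vulnerable code streams" list
_NV = re.compile(r"^(?P<name>\S+)\s+(?P<version>\d[\w.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.22' or '1.22.1' into an int tuple so 1.9 < 1.19 < 1.22 compares correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_package(token: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (name, version tuple) for 'tika-core-1.22-3.9.1' or 'tika-core 1.20'."""
    token = token.strip()
    m = _NVR.match(token) or _NV.match(token)
    if not m:
        return None
    return m.group("name"), parse_version(m.group("version"))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when AFFECTED_MIN <= version < FIXED_IN, i.e. inside the CVE's stated range."""
    return AFFECTED_MIN <= version < FIXED_IN


def codestream_status(line: str) -> Tuple[str, str, bool]:
    """Parse 'STREAM name version' (the code-stream list format) into (stream, name, affected?)."""
    stream, name, ver = line.rsplit(None, 2)
    return stream, name, is_affected(parse_version(ver))


def tika_status_from_sources_line(line: str, package: str = "tika-core"):
    """Parse an advisory 'Product (src):    pkg-ver-rel, ...' line.

    Returns (product, version string, affected?) for `package`, or None when the
    line does not ship that package at all.
    """
    if "(src):" not in line:
        return None
    product, _, pkgs = line.partition("(src):")
    for tok in pkgs.split(","):
        parsed = parse_package(tok)
        if parsed and parsed[0] == package:
            name, ver = parsed
            return product.strip(), ".".join(map(str, ver)), is_affected(ver)
    return None


if __name__ == "__main__":
    # Lines taken from this bug report: the vulnerable code streams and two advisory source lists.
    streams = [
        "SUSE:SLE-12-SP2:Update:Products:Manager31:Update tika-core 1.20",
        "SUSE:SLE-12-SP3:Update:Products:Manager32:Update tika-core 1.20",
        "SUSE:SLE-15-SP1:Update:Products:Manager40:Update tika-core 1.20",
    ]
    sources = [
        "SUSE Manager Server 3.2 (src):    cobbler-2.6.6-6.22.1, tika-core-1.22-3.9.1",
        "SUSE Manager Proxy 3.2 (src):    release-notes-susemanager-proxy-3.2.11-0.16.33.1",
    ]
    for s in streams:
        stream, name, bad = codestream_status(s)
        print(f"{'AFFECTED' if bad else 'ok      '} {name} in {stream}")
    for s in sources:
        result = tika_status_from_sources_line(s)
        if result is None:
            print(f"no tika-core shipped in: {s.split('(src):')[0].strip()}")
        else:
            product, ver, bad = result
            print(f"{'AFFECTED' if bad else 'fixed   '} tika-core {ver} for {product}")
```

The same `parse_package` and `is_affected` pair can be pointed at `rpm -q tika-core` output on a host to confirm that the shipped 1.22 build (rather than the 1.20 listed in the code streams) is what is actually installed.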
Comment 2 Joao Cavalheiro 2019-08-28 10:36:12 UTC
Problem fixed. tika-core upgraded to 1.22.
Will be shipped with next maintenance updates.
Comment 3 Joao Cavalheiro 2019-09-06 11:50:19 UTC
SUSE Manager 3.1 is out of support.
Patches will be included only for 3.2 and 4.0, as well as Uyuni (our upstream project).
Comment 6 Swamp Workflow Management 2019-10-02 16:17:04 UTC
SUSE-RU-2019:2522-1: An update that has 25 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1093381,1096426,1135957,1137229,1138454,1140644,1141661,1142309,1142764,1142774,1142793,1143016,1143562,1144500,1144510,1144515,1144889,1145086,1145119,1146416,1146419,1146869,1146895,1147126,1149409
CVE References: 
Sources used:
SUSE Manager Server 3.2 (src):    release-notes-susemanager-3.2.11-6.41.1
SUSE Manager Proxy 3.2 (src):    release-notes-susemanager-proxy-3.2.11-0.16.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-10-02 16:21:19 UTC
SUSE-SU-2019:2521-1: An update that solves three vulnerabilities and has 21 fixes is now available.

Category: security (moderate)
Bug References: 1093381,1096426,1135957,1137229,1138454,1140644,1141661,1142309,1142764,1142774,1143016,1143562,1144500,1144510,1144515,1144889,1145086,1145119,1146416,1146419,1146869,1146895,1147126,1149409
CVE References: CVE-2019-10088,CVE-2019-10093,CVE-2019-10094
Sources used:
SUSE Manager Server 3.2 (src):    cobbler-2.6.6-6.22.1, pgjdbc-ng-0.7.1-2.6.1, py26-compat-salt-2016.11.10-6.32.1, spacecmd-2.8.25.11-3.23.1, spacewalk-backend-2.8.57.19-3.39.2, spacewalk-branding-2.8.5.16-3.22.1, spacewalk-client-tools-2.8.22.5-3.6.1, spacewalk-java-2.8.78.24-3.38.1, spacewalk-setup-2.8.7.8-3.19.1, spacewalk-utils-2.8.18.5-3.9.1, spacewalk-web-2.8.7.19-3.36.1, susemanager-3.2.20-3.31.2, susemanager-docs_en-3.2-11.32.1, susemanager-schema-3.2.21-3.31.1, susemanager-sls-3.2.27-3.35.1, tika-core-1.22-3.9.1
Comment 14 Swamp Workflow Management 2019-11-08 06:09:43 UTC
SUSE-RU-2019:2917-1: An update that has 61 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1133429,1135442,1136959,1138358,1138454,1142309,1142764,1142774,1143016,1143562,1143789,1144300,1144500,1144510,1144515,1144889,1145086,1145119,1145551,1145587,1145626,1145744,1145750,1145753,1145758,1145769,1145873,1146416,1146419,1146683,1146869,1148169,1149075,1149210,1149353,1149409,1149425,1149633,1150113,1150154,1150180,1150216,1150314,1150320,1150729,1151097,1151280,1151399,1151467,1151666,1151875,1152170,1152290,1152514,1152735,1153277,1153578,1154275,1155503,1155656,1155794
CVE References: 
Sources used:
SUSE Manager Server 4.0 (src):    release-notes-susemanager-4.0.3-3.29.1
SUSE Manager Retail Branch Server 4.0 (src):    release-notes-susemanager-proxy-4.0.3-0.16.20.1
SUSE Manager Proxy 4.0 (src):    release-notes-susemanager-proxy-4.0.3-0.16.20.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    release-notes-susemanager-4.0.3-3.29.1, release-notes-susemanager-proxy-4.0.3-0.16.20.1
Comment 15 Swamp Workflow Management 2019-11-08 06:18:20 UTC
SUSE-SU-2019:2930-1: An update that solves three vulnerabilities and has 56 fixes is now available.

Category: security (moderate)
Bug References: 1133429,1135442,1136959,1138358,1138454,1142309,1142764,1142774,1143016,1143562,1143789,1144300,1144500,1144510,1144515,1144889,1145086,1145119,1145551,1145587,1145626,1145744,1145750,1145753,1145758,1145769,1145873,1146416,1146419,1146683,1146869,1148169,1149075,1149210,1149353,1149409,1149425,1149633,1150113,1150154,1150180,1150314,1150729,1151097,1151280,1151399,1151467,1151481,1151666,1151875,1152170,1152290,1152514,1152735,1153277,1153578,1154275,1155656,1155794
CVE References: CVE-2019-10088,CVE-2019-10093,CVE-2019-10094
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src):    cobbler-3.0.0+git20190806.32c4bae0-7.3.7, cpu-mitigations-formula-0.1-4.6.7, mgr-osad-4.0.10-3.6.8, patterns-suse-manager-4.0-9.3.8, pgjdbc-ng-0.7.1-3.3.8, prometheus-exporters-formula-0.4-3.3.7, pxe-default-image-sle15-4.0.0-20191106084601, py26-compat-salt-2016.11.10-10.8.8, python-susemanager-retail-1.0.1568808472.be9f236-3.6.7, python-urlgrabber-3.10.2.1py2_3-6.22.6, spacecmd-4.0.16-3.6.7, spacewalk-admin-4.0.8-3.3.8, spacewalk-backend-4.0.27-3.13.9, spacewalk-branding-4.0.14-3.6.8, spacewalk-certs-tools-4.0.12-3.6.8, spacewalk-client-tools-4.0.10-3.6.8, spacewalk-config-4.0.13-3.3.7, spacewalk-java-4.0.25-3.10.5, spacewalk-setup-4.0.11-3.6.7, spacewalk-utils-4.0.13-3.6.8, spacewalk-web-4.0.16-3.9.8, susemanager-4.0.17-3.6.9, susemanager-doc-indexes-4.0-10.9.8, susemanager-docs_en-4.0-10.9.7, susemanager-schema-4.0.16-3.8.5, susemanager-sls-4.0.22-3.10.4, susemanager-sync-data-4.0.13-3.6.7, tika-core-1.22-3.3.7, virtual-host-gatherer-1.0.19-3.3.8
Comment 17 Swamp Workflow Management 2019-12-19 23:18:40 UTC
SUSE-RU-2019:3350-1: An update that has 154 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1104949,1109639,1111371,1113160,1116869,1118175,1122559,1130040,1131556,1132076,1133429,1134677,1134708,1134860,1135360,1135380,1135442,1136476,1136480,1136561,1136857,1136959,1137144,1137229,1137244,1137308,1137881,1137882,1137952,1137955,1137965,1138127,1138130,1138268,1138275,1138313,1138358,1138364,1138454,1138586,1138655,1138822,1139453,1139493,1139693,1140644,1141598,1141663,1142038,1142309,1142764,1142774,1143016,1143204,1143562,1143638,1143789,1143856,1144155,1144300,1144500,1144510,1144515,1144889,1145086,1145119,1145551,1145584,1145587,1145591,1145608,1145626,1145744,1145750,1145753,1145755,1145758,1145769,1145873,1146411,1146416,1146419,1146443,1146683,1146869,1147126,1148125,1148169,1148177,1148311,1148352,1148457,1148714,1149075,1149210,1149343,1149353,1149409,1149425,1149633,1149741,1150113,1150154,1150180,1150216,1150314,1150320,1150657,1150729,1151097,1151280,1151399,1151467,1151666,1151875,1151888,1152170,1152290,1152298,1152514,1152722,1152735,1153090,1153181,1153277,1153578,1153613,1154275,1154474,1154586,1154868,1154968,1155030,1155295,1155455,1155656,1155794,1155800,1155899,1156173,1156176,1156397,1156521,1156526,1156574,1157034,1157141,1157473,1158002,1158012,1158564,1158963,1159023,1159206
CVE References: 
Sources used:
SUSE Manager Server 4.0 (src):    release-notes-susemanager-4.0.4-3.35.1
SUSE Manager Retail Branch Server 4.0 (src):    release-notes-susemanager-proxy-4.0.4-0.16.23.1
SUSE Manager Proxy 4.0 (src):    release-notes-susemanager-proxy-4.0.4-0.16.23.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    release-notes-susemanager-4.0.4-3.35.1, release-notes-susemanager-proxy-4.0.4-0.16.23.1