Bugzilla – Bug 1199604
VUL-0: CVE-2022-30126: tika-core: Regular Expression Denial of Service in Standards Extractor
Last modified: 2022-12-20 11:20:59 UTC
CVE-2022-30126 In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler, could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30126
https://seclists.org/oss-sec/2022/q2/104
http://www.openwall.com/lists/oss-security/2022/05/16/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30126
https://lists.apache.org/thread/dh3syg68nxogbmlg13srd6gjn3h2z6r4
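The description above attributes the denial of service to regex backtracking on crafted input. The following Python is an added illustration of the defender's side of that class of bug; it is not Tika's code and does not reproduce the StandardsText regex. The two patterns, the length cap, and the sample strings are all constructed for the example. It shows an ambiguous pattern beside an unambiguous rewrite of the same language, a length gate placed in front of the regex, a regression check that the rewrite still accepts exactly what the original accepted on benign input, and a timer you can use to see rejection cost stay flat for the rewrite.

```python
import re
import time

# Constructed example, not Tika's regex: a rule meant to accept a run of
# "words", each optionally followed by one whitespace character.
# The optional \s? inside a starred group is ambiguous: a run of n word
# characters can be split between iterations in 2^(n-1) ways, and the
# engine tries every split before giving up on a non-matching tail.
BACKTRACKING_PRONE = re.compile(r"^(\w+\s?)*$")

# Same language, written so each character can be consumed in only one way:
# first word, then zero or more (single separator + word), then an optional
# trailing separator. Rejection now costs linear time.
LINEAR = re.compile(r"^(\w+(\s\w+)*\s?)?$")

# Constructed cap: bounds the work one input can cause, whatever the regex.
MAX_INPUT_CHARS = 10_000


def accept_input(text: str, max_chars: int = MAX_INPUT_CHARS) -> bool:
    """Length gate applied before any regex touches the data."""
    return len(text) <= max_chars


def match_words(text: str, pattern: re.Pattern = LINEAR,
                max_chars: int = MAX_INPUT_CHARS) -> bool:
    """Full-match `text` against `pattern`, but only after the length gate."""
    if not accept_input(text, max_chars):
        raise ValueError(f"input of {len(text)} chars exceeds cap {max_chars}")
    return pattern.fullmatch(text) is not None


def patterns_agree(samples) -> bool:
    """Regression check: the rewrite must accept exactly what the original
    accepted on benign inputs, otherwise the 'fix' changed behaviour."""
    return all(
        (BACKTRACKING_PRONE.fullmatch(s) is None) == (LINEAR.fullmatch(s) is None)
        for s in samples
    )


def seconds_to_reject(pattern: re.Pattern, run_len: int) -> float:
    """Time one rejection on a run of `run_len` word chars followed by a
    single char that is neither word nor space (the shape the ambiguous
    pattern handles worst). Used to watch cost growth, not asserted on."""
    text = "a" * run_len + "!"
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    benign = ["", "ISO 9001", "ab cd ", "abcd", "ab  cd", "trailing !"]
    print("rewrite preserves behaviour:", patterns_agree(benign))
    # Cost doubles with every added character for the ambiguous pattern;
    # the rewrite stays flat. Kept small so the run finishes in seconds.
    for n in (10, 14, 18):
        slow = seconds_to_reject(BACKTRACKING_PRONE, n)
        fast = seconds_to_reject(LINEAR, n)
        print(f"n={n:2d}  prone={slow:.4f}s  linear={fast:.6f}s")
```

The length gate is the control that works even when you cannot audit every regex in a content handler: it caps the worst case regardless of pattern. The rewrite is the proper fix for this particular pattern, and `patterns_agree` is the check worth keeping in a test suite so a later edit cannot quietly reintroduce the ambiguity or change what the handler accepts.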
I think this could be the fix, but I am not 100% sure:
https://github.com/apache/tika/commit/83b0de4d60161ebd4bc224141a959ac8c18d95f4

Affected:
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/tika-core 1.26
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/tika-core 1.26
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/tika-core 1.26
(In reply to Hu from comment #1)
> I think this could be the fix, but I am not 100% sure:
> https://github.com/apache/tika/commit/83b0de4d60161ebd4bc224141a959ac8c18d95f4

I think this is not the fix. It is not available in 1.28.2, and they state that that version fixes it. I do not see any code change in that release. I wonder if that version really fixes anything.
Okay, I will ask on the tika mailing list. Will report back.
Upstream confirmed:
- fix in 1.28.3: https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265
- fix in 2.4.0: https://github.com/apache/tika/commit/83b0de4d60161ebd4bc224141a959ac8c18d95f4

Not related to this CVE: https://github.com/apache/tika/commit/8d765906183296906466afa4e61ebcad059a813c
Upstream got a new CVE for the incomplete fix: CVE-2022-30126

A new bug was opened for the new CVE: bnc#1200283
If I got it right, CVE-2022-30973 and CVE-2022-30126 are the same. I submitted an update to 4.1 and 4.2; 4.3 is not affected. This package was never shipped on a product.
assign to security team for tracking
SUSE-SU-2022:3310-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1199604,1200283,1201217
CVE References: CVE-2022-30126,CVE-2022-30973,CVE-2022-33879
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): tika-core-1.26-150300.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3311-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1199604,1200283,1201217
CVE References: CVE-2022-30126,CVE-2022-30973,CVE-2022-33879
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src): tika-core-1.26-150200.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done