Bug 1200283 - (CVE-2022-30973) VUL-0: CVE-2022-30973: tika-core: Missing fix for CVE-2022-30126 in 1.28.2
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/333244/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-30973:5.9:(AV:...
Depends on:
Blocks: CVE-2022-30126
Reported: 2022-06-07 12:39 UTC by Thomas Leroy
Modified: 2022-12-20 11:20 UTC

Found By: Security Response Team


Description Thomas Leroy 2022-06-07 12:39:43 UTC
CVE-2022-30973

We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2
release. In Apache Tika, a regular expression in the StandardsText class, used
by the StandardsExtractingContentHandler could lead to a denial of service
caused by backtracking on a specially crafted file. This only affects users who
are running the StandardsExtractingContentHandler, which is a non-standard
handler. This is fixed in 1.28.3.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30973
https://seclists.org/oss-sec/2022/q2/160
http://www.openwall.com/lists/oss-security/2022/05/31/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30973
http://www.cvedetails.com/cve/CVE-2022-30973/
https://lists.apache.org/thread/gqvb5t4p7tmdpl0y5bdbf72pgxj04h7p
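Added illustration (not code from this bug, from the CVE text, or from Apache Tika): the backtracking denial of service described above, reproduced with a constructed textbook pattern rather than the actual StandardsText regex, together with a child-process timeout that a caller can use to bound the cost of running an untrusted document through a regex it cannot vet. The pattern, the crafted input and the helper names (crafted_input, match_with_timeout, timed) are assumptions made for this example.

```python
"""Added illustration of regex backtracking denial of service (ReDoS).

The pattern here is a constructed textbook example, not the regular
expression from Apache Tika's StandardsText class; the wrapper shows one
way a caller can bound the damage when it cannot vet the pattern itself.
"""
import multiprocessing
import re
import time
from typing import Optional

# Constructed pattern: nested quantifiers let the engine split a run of
# 'a's in 2^n ways, and it tries every one of them once the trailing '!'
# makes the overall match fail.
EVIL_PATTERN = r"^(a+)+$"
# Same language, but only one way to consume the input: no backtracking.
SAFE_PATTERN = r"^a+$"

# Prefer fork so the worker needs no importable module path; fall back to
# the platform default where fork is unavailable (Windows).
_METHOD = "fork" if "fork" in multiprocessing.get_all_start_methods() else None
_CTX = multiprocessing.get_context(_METHOD)


def crafted_input(n: int) -> str:
    """Constructed attacker input: n matching characters followed by one
    that can never match, so the engine exhausts every split before failing."""
    return "a" * n + "!"


def _worker(pattern: str, text: str, conn) -> None:
    """Child process: evaluate the regex and report the boolean result."""
    conn.send(re.match(pattern, text) is not None)
    conn.close()


def match_with_timeout(pattern: str, text: str, timeout: float = 1.0) -> Optional[bool]:
    """Run `pattern` against `text` in a child process.

    Returns True/False for a match that finished in time, or None when the
    regex exceeded `timeout` seconds and the child had to be killed.  Killing
    the process is the only reliable way to stop CPython's regex engine once
    it is backtracking; a signal or a thread timer will not interrupt it.
    """
    parent_end, child_end = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(pattern, text, child_end))
    proc.start()
    child_end.close()  # parent keeps only the receiving end
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return None
    return parent_end.recv() if parent_end.poll() else None


def timed(pattern: str, text: str, timeout: float = 1.0):
    """Return (result, seconds) so the growth in cost is visible."""
    start = time.perf_counter()
    result = match_with_timeout(pattern, text, timeout)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Cost of the evil pattern doubles with every extra 'a'; the safe one
    # rejects the same input immediately at every size.
    for n in (10, 16, 22, 40):
        text = crafted_input(n)
        print(f"n={n:2d}  evil={timed(EVIL_PATTERN, text)}  safe={timed(SAFE_PATTERN, text)}")
```

The timeout is a containment measure for a caller that must process untrusted files with a pattern it does not control; the actual remedy for the Tika issue is the upstream 1.x fix (1.28.3), which changes the pattern rather than the caller. Keep the wrapper even after upgrading if the handler is exposed to attacker-supplied documents: an unambiguous pattern such as SAFE_PATTERN costs linear time, and a bounded process makes a future regression a failed extraction instead of a hung service.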
Comment 1 Thomas Leroy 2022-06-07 12:50:30 UTC
According to Cathy, upstream fix for 1.x is
https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265

This is the fix for CVE-2022-30126 bsc#1199604 in 1.x versions.

We still have as affected:
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/tika-core   1.26
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/tika-core   1.26
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/tika-core   1.26
Comment 3 Hu 2022-07-05 08:32:01 UTC
It seems as if the fixing commit referenced is still incomplete; another (third) CVE was assigned: CVE-2022-33879

I opened another bug here: bnc#1201217
Comment 4 Michael Calmer 2022-08-21 17:00:33 UTC
If I got it right, CVE-2022-30973 and CVE-2022-30126 are the same.
I submitted an update to 4.1 and 4.2.

4.3 is not affected. This package was never shipped on a product.
Comment 5 Michael Calmer 2022-08-21 17:02:21 UTC
assign to security-team for tracking
Comment 7 Swamp Workflow Management 2022-09-19 19:26:49 UTC
SUSE-SU-2022:3310-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1199604,1200283,1201217
CVE References: CVE-2022-30126,CVE-2022-30973,CVE-2022-33879
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    tika-core-1.26-150300.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-09-19 19:37:23 UTC
SUSE-SU-2022:3311-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1199604,1200283,1201217
CVE References: CVE-2022-30126,CVE-2022-30973,CVE-2022-33879
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    tika-core-1.26-150200.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Hu 2022-12-20 11:20:51 UTC
done