Bug 1184892 - (CVE-2021-28657) VUL-0: CVE-2021-28657: tika-core: Infinite loop in MP3Parser
Status: CONFIRMED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Galaxy Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/280707/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28657:5.5:(AV:...
Depends on:
Blocks:
Reported: 2021-04-16 14:24 UTC by Alexandros Toptsoglou
Modified: 2021-06-21 22:59 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Comment 1 Alexandros Toptsoglou 2021-04-16 14:24:28 UTC
Tracked SUMA 4.0 and 4.1 based on the version as affected.
Comment 3 Julio González Gil 2021-04-16 14:49:40 UTC
Reassigning to our Round Robin Bug Guy (Jochen). One of the Java developers should take care, so I guess Orion or Hexagon squads.
Comment 4 Jochen Breuer 2021-04-16 15:09:21 UTC
Setting this to P2 until we know more. Seems like this is a dependency of nutch, which is used for search in SUMA/Uyuni.
Comment 5 Abid Mehmood 2021-04-21 07:50:17 UTC
Hi Alexandros,

As this package is suse-manager only and the issue is only in MP3Parser where suse-manager is making no use of this code path and there is very little probability that it will in the future either, would you be ok reducing the priority of this issue?
Comment 6 Alexandros Toptsoglou 2021-04-21 08:11:30 UTC
(In reply to Abid Mehmood from comment #5)
> Hi Alexandros,
> 
> As this package is suse-manager only and the issue is only in MP3Parser
> where suse-manager is making no use of this code path and there is very
> little probability that it will in the future either, would you be ok
> reducing the priority of this issue?

Done
Comment 14 Swamp Workflow Management 2021-06-21 22:20:18 UTC
SUSE-RU-2021:2099-1: An update that has 38 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1151558,1172711,1175216,1178767,1180673,1180994,1182744,1182954,1183573,1183649,1183845,1183864,1184005,1184286,1184311,1184332,1184351,1184361,1184471,1184475,1184561,1184617,1184849,1184892,1184929,1184940,1185042,1185097,1185281,1185506,1185568,1185965,1186025,1186124,1186346,1186508,1186765,1186858
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.8.1-3.52.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.8-3.35.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.8-3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-06-21 22:25:41 UTC
SUSE-SU-2021:2098-1: An update that solves two vulnerabilities and has 35 fixes is now available.

Category: security (moderate)
Bug References: 1151558,1172711,1175216,1178767,1180673,1182744,1183573,1183649,1183845,1183864,1184005,1184286,1184311,1184332,1184351,1184361,1184471,1184475,1184561,1184617,1184849,1184892,1184929,1184940,1185042,1185097,1185281,1185506,1185568,1185965,1186025,1186124,1186346,1186508,1186765,1186852,1186858
CVE References: CVE-2021-28657,CVE-2021-31607
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    cobbler-3.0.0+git20190806.32c4bae0-5.11.1, golang-github-prometheus-node_exporter-1.1.2-3.6.5, grafana-formula-0.4.1-3.9.2, patterns-suse-manager-4.1-6.9.2, prometheus-exporters-formula-0.9.1-3.22.1, py26-compat-salt-2016.11.10-6.14.2, py27-compat-salt-3000.3-6.3.2, spacewalk-admin-4.1.9-3.12.2, spacewalk-backend-4.1.25-4.32.6, spacewalk-branding-4.1.12-3.12.2, spacewalk-certs-tools-4.1.17-3.17.2, spacewalk-java-4.1.36-3.44.1, spacewalk-utils-4.1.16-3.18.2, spacewalk-web-4.1.26-3.24.8, susemanager-4.1.26-3.25.1, susemanager-build-keys-15.2.4-3.17.1, susemanager-doc-indexes-4.1-11.34.8, susemanager-docs_en-4.1-11.34.2, susemanager-schema-4.1.21-3.30.6, susemanager-sls-4.1.28-3.42.1, susemanager-sync-data-4.1.14-3.23.2, tika-core-1.26-3.5.2, uyuni-common-libs-4.1.8-3.9.1
Comment 16 Swamp Workflow Management 2021-06-21 22:36:21 UTC
SUSE-RU-2021:2115-1: An update that has 19 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 1172711,1182817,1184005,1184283,1184311,1184332,1184361,1184471,1184475,1184561,1184617,1184861,1184892,1185097,1185281,1185506,1186124,1186346,1186508
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    release-notes-susemanager-4.0.14-3.74.1
SUSE Manager Retail Branch Server 4.0 (src):    release-notes-susemanager-proxy-4.0.14-0.16.58.1
SUSE Manager Proxy 4.0 (src):    release-notes-susemanager-proxy-4.0.14-0.16.58.1
Comment 17 Swamp Workflow Management 2021-06-21 22:59:19 UTC
SUSE-SU-2021:2114-1: An update that solves two vulnerabilities and has 17 fixes is now available.

Category: security (moderate)
Bug References: 1172711,1182817,1184005,1184283,1184311,1184332,1184361,1184471,1184475,1184561,1184617,1184861,1184892,1185097,1185281,1185506,1186124,1186346,1186508
CVE References: CVE-2021-28657,CVE-2021-31607
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src):    cobbler-3.0.0+git20190806.32c4bae0-7.22.3, grafana-formula-0.2.3-4.16.3, patterns-suse-manager-4.0-9.19.3, prometheus-exporters-formula-0.7.6-3.19.3, pxe-default-image-sle15-4.0.1-20210621145802, py26-compat-salt-2016.11.10-10.28.3, py27-compat-salt-3000.3-4.3.3, spacewalk-backend-4.0.38-3.47.4, spacewalk-java-4.0.44-3.57.5, spacewalk-utils-4.0.21-3.30.3, spacewalk-web-4.0.28-3.45.1, susemanager-4.0.34-3.52.3, susemanager-doc-indexes-4.0-10.36.4, susemanager-docs_en-4.0-10.36.3, susemanager-sls-4.0.35-3.48.3, tika-core-1.26-3.6.3