Security update for tika-core SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3310-1 Final 1 1 2022-09-19T14:37:53Z current 2022-09-19T14:37:53Z 2022-09-19T14:37:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tika-core This update for tika-core fixes the following issues: - CVE-2022-33879: Incomplete fix and new regex DoS in StandardsExtractingContentHandler. (bsc#1201217) - CVE-2022-30973, CVE-2022-30126: Regular Expression Denial of Service in Standards Extractor. (bsc#1199604, bsc#1200283) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2022-3310,Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM-2022-3310,Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE-2022-3310,SUSE-2022-3310,SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3310 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223310-1/ Link for SUSE-SU-2022:3310-1 https://lists.suse.com/pipermail/sle-security-updates/2022-September/012288.html E-Mail link for SUSE-SU-2022:3310-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1199604 SUSE Bug 1199604 https://bugzilla.suse.com/1200283 SUSE Bug 1200283 https://bugzilla.suse.com/1201217 SUSE Bug 1201217 https://www.suse.com/security/cve/CVE-2022-30126/ SUSE CVE CVE-2022-30126 page https://www.suse.com/security/cve/CVE-2022-30973/ SUSE CVE CVE-2022-30973 page https://www.suse.com/security/cve/CVE-2022-33879/ SUSE CVE CVE-2022-33879 page Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE SUSE Manager Server Module 4.2 tika-core-1.26-150300.4.3.1 tika-core-1.26-150300.4.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure tika-core-1.26-150300.4.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM tika-core-1.26-150300.4.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE tika-core-1.26-150300.4.3.1 as a component of SUSE Manager Server Module 4.2 In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0 CVE-2022-30126 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:tika-core-1.26-150300.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:tika-core-1.26-150300.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:tika-core-1.26-150300.4.3.1 SUSE Manager Server Module 4.2:tika-core-1.26-150300.4.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223310-1/ https://www.suse.com/security/cve/CVE-2022-30126.html CVE-2022-30126 https://bugzilla.suse.com/1199604 SUSE Bug 1199604 https://bugzilla.suse.com/1200283 SUSE Bug 1200283 https://bugzilla.suse.com/1201217 SUSE Bug 1201217 We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3. CVE-2022-30973 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:tika-core-1.26-150300.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:tika-core-1.26-150300.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:tika-core-1.26-150300.4.3.1 SUSE Manager Server Module 4.2:tika-core-1.26-150300.4.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223310-1/ https://www.suse.com/security/cve/CVE-2022-30973.html CVE-2022-30973 https://bugzilla.suse.com/1200283 SUSE Bug 1200283 https://bugzilla.suse.com/1201217 SUSE Bug 1201217 The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. CVE-2022-33879 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:tika-core-1.26-150300.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:tika-core-1.26-150300.4.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:tika-core-1.26-150300.4.3.1 SUSE Manager Server Module 4.2:tika-core-1.26-150300.4.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223310-1/ https://www.suse.com/security/cve/CVE-2022-33879.html CVE-2022-33879 https://bugzilla.suse.com/1201217 SUSE Bug 1201217