Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5C50DD455BD6D918BB514770508E51191E797F301A91298501BC9B0243579591
HistoryApr 16, 2021 - 5:44 a.m.

Security Bulletin: Multiple vulnerabilities in Apache Tika affects Apache Solr shipped with IBM Operations Analytics - Log Analysis

2021-04-1605:44:27
www.ibm.com
5

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.014 Low

EPSS

Percentile

84.4%

JSON

Summary

There are different types of vulnerabilities in various versions of Apache Tika that affect Apache Solr. The vulnerabilities are in Vulnerability Details section.

Vulnerability Details

CVEID:CVE-2018-11761
**DESCRIPTION:**Apache Tika is vulnerable to a denial of service, caused by the failure to configure XML parsers to limit entity expansion. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150101 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-17197
**DESCRIPTION:**Apache Tika is vulnerable to a denial of service, caused by an error in the SQLite3Parser. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-10088
**DESCRIPTION:**Apache Tika is vulnerable to a denial of service, caused by a flaw in the RecursiveParserWrapper function. By persuading a victim to open a specially-crafted zip file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164709 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-10094
**DESCRIPTION:**Apache Tika is vulnerable to a stack-based buffer overflow, caused by a flaw in the RecursiveParserWrapper function. By persuading a victim to unzip a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164711 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-11796
**DESCRIPTION:**Apache Tika is vulnerable to a denial of service, caused by a flaw during XML parsing. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151083 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
Log Analysis 1.3.1
Log Analysis 1.3.2
Log Analysis 1.3.3
Log Analysis 1.3.4
Log Analysis 1.3.5
Log Analysis 1.3.6

Remediation/Fixes

Principal Product and Version(s) : Fix details
IBM Operations Analytics - Log Analysis version 1.3.x Upgrade to Log Analysis version 1.3.7
Download the 1.3.7-TIV-IOALA-FP here

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm smartcloud analyticseq1.3.

Related

osv 10
openvas 3
redhatcve 3
cve 5
ubuntucve 5
debiancve 5
prion 5
github 5
ibm 6
veracode 5
symantec 1
nessus 2
redhat 1
oracle 4
osv
osv
CVE-2018-11796
2018-10-09 22:29:00
Apache Tika is vulnerable to entity expansions which can lead to a denial of service attack
2018-10-17 15:43:25
Apache Tika Denial of Service due to Infinite Loop in Tika's SQLite3Parser
2018-12-26 17:45:07
openvas
openvas
Apache Tika Server 1.7 < 1.22 Multiple Vulnerabilities
2019-08-05 00:00:00
Apache Tika Server XML Entity Expansion Denial of Service Vulnerability
2018-09-27 00:00:00
Apache Tika Server < 1.20 Denial of Service Vulnerability
2018-12-27 00:00:00
redhatcve
redhatcve
CVE-2018-11796
2018-10-15 07:28:22
CVE-2018-17197
2019-01-07 10:20:00
CVE-2018-11761
2018-09-24 20:51:52
cve
cve
CVE-2018-11796
2018-10-09 22:29:00
CVE-2018-17197
2018-12-24 14:29:00
CVE-2019-10094
2019-08-02 19:15:00
ubuntucve
ubuntucve
CVE-2018-11796
2018-10-09 00:00:00
CVE-2018-17197
2018-12-24 00:00:00
CVE-2019-10094
2019-08-02 00:00:00
debiancve
debiancve
CVE-2018-11796
2018-10-09 22:29:00
CVE-2018-17197
2018-12-24 14:29:00
CVE-2019-10094
2019-08-02 19:15:00
prion
prion
Code injection
2018-10-09 22:29:00
Code injection
2018-12-24 14:29:00
Code injection
2019-08-02 19:15:00
github
github
Apache Tika is vulnerable to entity expansions which can lead to a denial of service attack
2018-10-17 15:43:25
Apache Tika Denial of Service due to Infinite Loop in Tika's SQLite3Parser
2018-12-26 17:45:07
Allocation of Resources Without Limits or Throttling in Apache Tika
2019-08-06 01:43:35
ibm
ibm
Security Bulletin: Apache Tika as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2019-10088, CVE-2019-10093, CVE-2019-10094)
2019-12-20 08:47:33
Security Bulletin: IBM QRadar Incident Forensics is vulnerable to a publicly disclosed vulnerability in Apache Tika (CVE-2018-17197)
2019-07-10 15:40:02
Security Bulletin: IBM QRadar Incident Forensics is vulnerable to publicly disclosed vulnerabilities from Apache Tika (CVE-2018-11761, CVE-2018-11762, CVE-2018-8017,  CVE-2018-11796)
2019-07-10 15:05:01
veracode
veracode
Denial Of Service (DoS)
2018-12-24 03:26:35
Denial Of Service (DoS)
2019-08-05 07:37:43
Denial Of Service (DoS)
2018-10-10 03:04:13
symantec
symantec
Apache Tika CVE-2019-10088 Denial of Service Vulnerability
2019-08-02 00:00:00
nessus
nessus
Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)
2020-01-30 00:00:00
Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2019 CPU)
2019-07-19 00:00:00
redhat
redhat
(RHSA-2019:3892) Important: Red Hat Fuse 7.5.0 security update
2019-11-14 21:15:16
oracle
oracle
Oracle Critical Patch Update Advisory - April 2020
2020-04-14 00:00:00
Oracle Critical Patch Update Advisory - January 2020
2020-01-14 00:00:00
Oracle Critical Patch Update Advisory - July 2019
2019-07-16 00:00:00

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.014 Low

EPSS

Percentile

84.4%

JSON
Related for 5C50DD455BD6D918BB514770508E51191E797F301A91298501BC9B0243579591
osv10openvas3redhatcve3cve5ubuntucve5debiancve5prion5github5ibm6veracode5symantec1nessus2redhat1oracle4