
Security Bulletin: Apache Tika security vulnerabilities found during Open Source Scan in IBM Content Collector for email in Content Search Services (affected, not vulnerable)

2022-12-30 21:53:11
www.ibm.com

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 38.3%

Summary

Apache Tika security vulnerabilities found during Open Source Scan in IBM Content Collector for email in Content Search Services in Apache Tika v1.28.2 and prior

Vulnerability Details

CVEID: CVE-2022-30126
**DESCRIPTION:** Apache Tika is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the StandardsText class in the StandardsExtractingContentHandler. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226628 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-25169
**DESCRIPTION:** Apache Tika is vulnerable to a denial of service, caused by improper input validation in the BPG parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Enterprise Content Management Text Search | 5.5.8.0, 5.5.9.0 |
| FileNet Content Manager | 5.5.8.0, 5.5.9.0 |
| CP4BA | 21.0.3, 22.0.1 |

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below, which upgrade Apache Tika in the new ICC release.

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| FileNet Content Manager | 5.5.8 | PJ46827 | 5.5.8.0-P8CSS-IF002 - 7/27/2022 |
| FileNet Content Manager | 5.5.9 | PJ46827 | 5.5.9.0-P8CSS-IF001 - 9/26/2022 |
| CP4BA | 21.0.3 | PJ46827 | 21.0.3-IF11 - 7/27/2022 |
| CP4BA | 22.0.1 | PJ46827 | 22.0.1-IF1 - 7/27/2022 |

In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

None
