You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Tim Allison <ta...@apache.org> on 2018/09/19 12:49:50 UTC

[CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser

CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
Potential Infinite Loop in IptcAnpaParser

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Tika 1.2 to 1.18

Description:
A carefully crafted file can trigger an infinite loop in Apache Tika's
IptcAnpaParser.

Mitigation:
Apache Tika users should upgrade to 1.19 or later.

Credit:
This issue was discovered by Tobias Ospelt of modzero AG.

Re: [CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser

Posted by Tim Allison <ta...@apache.org>.

All,
  I got the credit wrong for this issue.  Rohan Padhye first
identified this vulnerability to the Tika team.  Tobias Ospelt
independently discovered it slightly later.

Credit:
This issue was discovered independently using JQF
(https://github.com/rohanpadhye/jqf), first by Rohan Padhye at the
University of California,
Berkeley and later by Tobias Ospelt of modzero AG.

On Wed, Sep 19, 2018 at 8:49 AM Tim Allison <ta...@apache.org> wrote:
>
> CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
> Potential Infinite Loop in IptcAnpaParser
>
> Severity: Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Tika 1.2 to 1.18
>
> Description:
> A carefully crafted file can trigger an infinite loop in Apache Tika's
> IptcAnpaParser.
>
> Mitigation:
> Apache Tika users should upgrade to 1.19 or later.
>
> Credit:
> This issue was discovered by Tobias Ospelt of modzero AG.

Re: [CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser

Posted by Tim Allison <ta...@apache.org>.

All,
  I got the credit wrong for this issue.  Rohan Padhye first
identified this vulnerability to the Tika team.  Tobias Ospelt
independently discovered it slightly later.

Credit:
This issue was discovered independently using JQF
(https://github.com/rohanpadhye/jqf), first by Rohan Padhye at the
University of California,
Berkeley and later by Tobias Ospelt of modzero AG.

On Wed, Sep 19, 2018 at 8:49 AM Tim Allison <ta...@apache.org> wrote:
>
> CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
> Potential Infinite Loop in IptcAnpaParser
>
> Severity: Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Tika 1.2 to 1.18
>
> Description:
> A carefully crafted file can trigger an infinite loop in Apache Tika's
> IptcAnpaParser.
>
> Mitigation:
> Apache Tika users should upgrade to 1.19 or later.
>
> Credit:
> This issue was discovered by Tobias Ospelt of modzero AG.