[CVE-2018-11796] Apache Tika Denial of Service via XML Entity Expansion Vulnerability

CVE-2018-11796: Apache Tika Denial of Service via XML Entity Expansion Vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika 0.1 to 1.19

Description:
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika 1.19 is therefore still vulnerable to entity expansions which can lead to a denial of service attack.

Mitigation:
Apache Tika users should upgrade to 1.19.1 or later.

Credit:
This issue was discovered by Slava Gorelik of CloudAlly.
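The advisory describes a configuration-lifecycle bug rather than a parsing bug: the entity expansion limit is applied once, but SAXParser.reset() returns the parser to its freshly-created state and the limit goes with it, so only the first document parsed by a pooled parser is protected. The Java program below is an added regression check written for this page; it is not Tika's code and not part of the Apache advisory. It assumes the JDK's bundled Xerces parser and uses the JAXP entityExpansionLimit property as a stand-in for the Xerces2 SecurityManager the advisory mentions (that substitution is an assumption). It parses a small constructed document that exceeds a deliberately low limit, resets the parser, and shows that the protection only holds if the limit is re-applied after every reset().

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Regression check for the CVE-2018-11796 pattern: an entity expansion limit
 * configured on a reused SAXParser must still be enforced after parser.reset().
 *
 * Assumption (not from the advisory): the JAXP property below, honoured by the
 * JDK's bundled Xerces parser, is used here instead of the Xerces2
 * SecurityManager that the advisory refers to.
 */
public class EntityLimitResetCheck {
    static final String ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Constructed test document: each &b; expands to ten &a;, so the body
    // performs 44 entity expansions in total. That is far above a limit of 10
    // yet tiny in absolute terms, so the check itself is cheap to run.
    static final String DOC =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [\n"
            + "  <!ENTITY a \"x\">\n"
            + "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
            + "]>\n"
            + "<d>&b;&b;&b;&b;</d>";

    /** Applies the expansion limit. Must run after every reset(), not once. */
    static void applyLimit(SAXParser parser, int limit) throws Exception {
        parser.setProperty(ENTITY_EXPANSION_LIMIT, String.valueOf(limit));
    }

    /** Returns true when the parser refuses DOC (limit enforced), false when it parses it. */
    static boolean parseIsRejected(SAXParser parser) throws Exception {
        try {
            parser.parse(new InputSource(new StringReader(DOC)), new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            // The JDK reports an exceeded entity expansion limit as a fatal parse error.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        SAXParser parser = factory.newSAXParser();

        applyLimit(parser, 10);
        boolean first = parseIsRejected(parser);

        parser.reset();                       // how a pooled parser is recycled
        boolean afterResetUnguarded = parseIsRejected(parser);

        applyLimit(parser, 10);               // the remedy: re-apply after reset
        boolean afterResetGuarded = parseIsRejected(parser);

        System.out.println("first parse rejected:               " + first);
        System.out.println("after reset, limit not re-applied:  " + afterResetUnguarded);
        System.out.println("after reset, limit re-applied:      " + afterResetGuarded);
    }
}
```

Compile with javac and run with no arguments. The first and third lines should both read true. The second line reports whether the parser implementation in use discards the limit on reset(); if it prints false, any code that configures the limit once and then recycles the parser has exactly the gap the advisory describes. Upgrading Tika to 1.19.1 fixes the library; this check is for validating parser-pooling code of your own that sets expansion limits.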

Source: Apache

2018-10-09 22:05:18