1394156 – (CVE-2016-6809) CVE-2016-6809 tika: Native deserialization of Java objects in matlab files

Bug 1394156 (CVE-2016-6809) - CVE-2016-6809 tika: Native deserialization of Java objects in matlab files

Summary: CVE-2016-6809 tika: Native deserialization of Java objects in matlab files

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2016-6809
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1394157
Blocks:	1394158
TreeView+	depends on / blocked

Reported:	2016-11-11 08:52 UTC by Adam Mariš
Modified:	2019-09-29 13:59 UTC (History)
CC List:	11 users (show)
Fixed In Version:	tika 1.14
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-31 08:25:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2016-11-11 08:52:22 UTC

Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files.  The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized.

Versions Affected: 1.6-1.13 

Mitigation: Turn off MATLAB file parsing or upgrade to Tika 1.14

Public via:

http://seclists.org/bugtraq/2016/Nov/40

Upstream patch:

https://github.com/apache/tika/commit/8a68b5d474205cc9

Comment 1 Adam Mariš 2016-11-11 08:52:37 UTC

Created tika tracking bugs for this issue:

Affects: fedora-all [bug 1394157]

Note You need to log in before you can comment on or make changes to this bug.