lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2125912914.1308916.1478787314903@mail.yahoo.com> Date: Thu, 10 Nov 2016 14:15:14 +0000 (UTC) From: <tallison@...che.org> To: "security@...che.org" <security@...che.org>, "security@...ts.openwall.com" <security@...ts.openwall.com>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "dev@...a.apache.org" <dev@...a.apache.org>, "user@...a.apache.org" <user@...a.apache.org> Subject: CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika’s MATLAB Parser CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika’s MATLAB Parser Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.6-1.13 Description: Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized. Mitigation: Turn off MATLAB file parsing or upgrade to Tika 1.14. Credit: Pierre Ernst of salesforce.com discovered this issue and contributed to the fix.
Powered by blists - more mailing lists