Security Bulletin: Apache Tika as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2019-10088, CVE-2019-10093, CVE-2019-10094)

Published: 2019-12-20 08:47:33
Source: www.ibm.com

EPSS: 0.005 (percentile 77.0%)

Summary

Apache Tika as used by IBM QRadar SIEM is vulnerable to denial of service

Vulnerability Details

CVEID: CVE-2019-10093
**DESCRIPTION:** In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164710 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-10088
**DESCRIPTION:** A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164709 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-10094
**DESCRIPTION:** A carefully crafted package/compressed file that, when unzipped/uncompressed, yields the same file (a quine) causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164711 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
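Two of the three issues above (CVE-2019-10088 and CVE-2019-10094) share one failure mode: a recursive embedded-document walker that trusts the structure of whatever it unpacks, so a self-reproducing archive recurses until the stack overflows and a decompression bomb expands until the heap is gone. The following is an added Python example, not code from the IBM bulletin or from Apache Tika, showing the three guards such a walker needs: a nesting-depth limit, a path-scoped content-hash check that catches an archive which expands to itself (the quine case), and a budget on total expanded bytes (the OOM case). The SAXParser-pool exhaustion of CVE-2019-10093 is a different mechanism and is not modelled here. The names `walk`, `is_safe`, `zip_children`, `quine_children`, `make_nested_zip` and the limit values are assumptions of this example; all sample archives are constructed inline and contain nothing malicious.

```python
import hashlib
import io
import zipfile

# Assumed limits for this example; a real deployment tunes them to its inputs.
MAX_DEPTH = 10
MAX_TOTAL_BYTES = 50 * 1024 * 1024


class ArchiveBombError(Exception):
    """Raised when nested-archive expansion looks unbounded."""


def zip_children(blob: bytes) -> list[bytes]:
    """Members of a zip archive as bytes; non-zip input has no children.
    This is the 'unpack and descend' step a recursive parser performs."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [zf.read(n) for n in zf.namelist() if not n.endswith("/")]


def walk(blob, children=zip_children, max_depth=MAX_DEPTH,
         max_total=MAX_TOTAL_BYTES, _depth=0, _path=None, _budget=None) -> int:
    """Recursively expand embedded archives and return the number of leaf
    documents reached.  Three guards an unguarded recursive walker lacks:
      * depth limit     - bounds recursion (the StackOverflowError pattern);
      * ancestor hashes - content already on the current ancestor path is a
                          cycle, i.e. a quine; identical siblings are legitimate
                          and are not flagged because the set is path-scoped;
      * byte budget     - total bytes produced by expansion, against
                          decompression bombs that exhaust memory (the OOM pattern).
    """
    if _path is None:
        _path = set()
    if _budget is None:
        _budget = [0]          # mutable cell shared across the recursion
    if _depth > max_depth:
        raise ArchiveBombError(f"nesting deeper than {max_depth}")
    digest = hashlib.sha256(blob).hexdigest()
    if digest in _path:
        raise ArchiveBombError(f"cycle: {digest[:12]} re-encountered at depth {_depth}")
    if _depth > 0:             # only count bytes that expansion produced
        _budget[0] += len(blob)
        if _budget[0] > max_total:
            raise ArchiveBombError(f"expanded more than {max_total} bytes")
    kids = children(blob)
    if not kids:
        return 1
    _path.add(digest)
    try:
        return sum(walk(k, children, max_depth, max_total, _depth + 1, _path, _budget)
                   for k in kids)
    finally:
        _path.discard(digest)  # leaving this subtree: siblings may repeat it


def is_safe(blob, children=zip_children, max_depth=MAX_DEPTH,
            max_total=MAX_TOTAL_BYTES) -> bool:
    """True if the archive expands within all bounds, False if any guard fires."""
    try:
        walk(blob, children, max_depth, max_total)
        return True
    except ArchiveBombError:
        return False


# ---- constructed samples (not real malicious files) -------------------------

def make_nested_zip(levels: int, payload: bytes = b"hello") -> bytes:
    """A zip nested `levels` deep around a small text payload."""
    blob = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("doc.txt" if i == 0 else f"inner{i}.zip", blob)
        blob = buf.getvalue()
    return blob


def make_zip_with_duplicates() -> bytes:
    """Two identical members: legitimate, and must not be mistaken for a cycle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", b"same bytes")
        zf.writestr("b.txt", b"same bytes")
    return buf.getvalue()


def quine_children(blob: bytes) -> list[bytes]:
    """Stand-in extractor for a zip quine: unpacking yields the archive itself.
    A genuine quine.zip behaves exactly like this; building one is out of scope,
    so the cycle is simulated at the extractor rather than in the bytes."""
    return [blob]


if __name__ == "__main__":
    print("3 levels  :", is_safe(make_nested_zip(3)))                          # True
    print("12 levels :", is_safe(make_nested_zip(12)))                         # False (depth)
    print("duplicates:", is_safe(make_zip_with_duplicates()))                  # True
    print("quine     :", is_safe(b"PK-quine", quine_children))                 # False (cycle)
    print("bomb      :", is_safe(make_nested_zip(2, b"x" * 100), max_total=50))  # False (budget)
```

The ancestor-hash set is deliberately scoped to the current path rather than global: an archive that legitimately contains the same attachment twice would otherwise be rejected, while a quine is still caught on its first re-entry. The byte budget is charged at the point a child is produced, before it is parsed, so a bomb is stopped before its own expansion starts.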

Affected Products and Versions

· IBM QRadar 7.3.0 to 7.3.2 Patch 4

Remediation/Fixes

IBM QRadar/QRM/QVM/QRIF/QNI 7.3.2 Patch 5
