CVE-2022-30126
Denial-of-Service vulnerability in tika-core (Maven)
What is CVE-2022-30126 About?
This Denial-of-Service vulnerability in Apache Tika's StandardsText class can be triggered by a specially crafted file. The file causes a regular expression to backtrack excessively, leading to resource exhaustion. Exploitation requires a non-standard handler to be in use, which makes the issue somewhat conditional but potentially severe.
Affected Software
- org.apache.tika:tika-core
  - >1.17, <1.28.2
  - >2.0.0, <2.4.0
Technical Details
The vulnerability resides within the regex used by the StandardsText class, which is employed by the StandardsExtractingContentHandler in Apache Tika. A specially crafted input file can contain patterns that cause the regex engine to engage in catastrophic backtracking. Catastrophic backtracking occurs when a regex engine attempts to match an expression against an input string and, due to the overlapping nature of sub-expressions and quantifiers, explores an exponential number of possible match paths. This process consumes excessive CPU cycles and memory, leading to a denial-of-service condition where the Tika process becomes unresponsive or crashes due to resource exhaustion. This attack is only possible if the StandardsExtractingContentHandler is explicitly configured and used by the Apache Tika instance.
What is the Impact of CVE-2022-30126?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to the affected Apache Tika instance becoming unresponsive or crashing, thus preventing document processing and disrupting services relying on it.
What is the Exploitability of CVE-2022-30126?
Exploitation of this vulnerability requires the presence and use of the non-standard StandardsExtractingContentHandler within Apache Tika. The complexity of crafting the malicious file is moderate, as it requires knowledge of regular expression backtracking vulnerabilities. No authentication or specific privileges are required to submit the malicious file, assuming the Tika instance is configured to process arbitrary uploaded or provided files. This can be a remote or local attack, depending on how external users can provide files for processing. Special conditions include the specific configuration of Tika to enable the vulnerable handler. Risk factors that increase exploitation likelihood include public-facing Tika installations that allow document uploads from untrusted sources, particularly if they utilize the StandardsExtractingContentHandler.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-30126?
Available Upgrade Options
- org.apache.tika:tika-core
  - >1.17, <1.28.2 → Upgrade to 1.28.2
  - >2.0.0, <2.4.0 → Upgrade to 2.4.0
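A triage sketch for the conditions described on this page, added here as an example and not code from Apache Tika or the advisory: it flags tika-core versions inside the affected ranges listed above and checks whether any source file references StandardsExtractingContentHandler. The function names, status strings and sample input are assumptions made for illustration.

```python
import re

# Affected ranges exactly as listed on this page (both bounds exclusive).
AFFECTED = [((1, 17, 0), (1, 28, 2)), ((2, 0, 0), (2, 4, 0))]
FIXED = {1: "1.28.2", 2: "2.4.0"}  # upgrade target per major line
HANDLER = "StandardsExtractingContentHandler"
# Matches Maven "group:artifact:jar:version:scope" and "group:artifact:version".
# Version qualifiers such as "-BETA" are ignored (assumption of this sketch).
COORD = re.compile(r"org\.apache\.tika:tika-core:(?:jar:)?(\d+(?:\.\d+)*)")

def parse_version(text):
    """Turn '1.28.1' into (1, 28, 1); missing parts become 0."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True when the version lies strictly inside one of the listed ranges."""
    v = parse_version(version)
    return any(low < v < high for low, high in AFFECTED)

def triage(dependency_report, sources):
    """sources maps file name -> file text. Returns (status, details)."""
    bad = [v for v in COORD.findall(dependency_report) if is_affected(v)]
    if not bad:
        return "not-affected", []
    fixes = [f"{v} -> {FIXED[parse_version(v)[0]]}" for v in bad]
    # The handler must be in use for the flaw to be reachable.
    users = sorted(name for name, text in sources.items() if HANDLER in text)
    if users:
        return "exposed", fixes + users
    return "affected-version-handler-unused", fixes

# Constructed sample input, not taken from any real project.
SAMPLE_REPORT = """\
[INFO]    org.apache.tika:tika-core:jar:2.3.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""
SAMPLE_SOURCES = {
    "Extract.java": "ContentHandler h = new StandardsExtractingContentHandler(body, metadata);",
    "Other.java": "ContentHandler h = new BodyContentHandler();",
}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, SAMPLE_SOURCES))
```

The source scan is a textual heuristic: it only sees the files it is given, so a reference to the handler inside a dependency would not be found.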
Additional Resources
- http://www.openwall.com/lists/oss-security/2022/05/31/2
- https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265
- https://github.com/advisories/GHSA-qw3f-w4pf-jh5f
- https://github.com/apache/tika/commit/e76302196ebcafb7b51fce37fbe8256e6c0fbc51
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/apache/tika
- https://lists.apache.org/thread/dh3syg68nxogbmlg13srd6gjn3h2z6r4
- https://security.netapp.com/advisory/ntap-20220624-0004
- https://nvd.nist.gov/vuln/detail/CVE-2022-30126
What are Similar Vulnerabilities to CVE-2022-30126?
Similar Vulnerabilities: CVE-2023-5072, CVE-2022-37722, CVE-2021-3999, CVE-2020-13936, CVE-2019-17558
