CVE-2022-30973
Denial of Service (DoS) vulnerability in tika-core (Maven)
What is CVE-2022-30973 About?
This vulnerability is a Regular expression Denial of Service (ReDoS) in Apache Tika's `StandardsText` class, which is used by the `StandardsExtractingContentHandler`. A specially crafted file can cause excessive backtracking in a regular expression, leading to a denial of service. Exploitation requires the file to be processed with this non-standard handler.
Affected Software
Technical Details
The vulnerability affects Apache Tika's 1.x branch and results from an incomplete fix for CVE-2022-30126; it was eventually addressed in version 1.28.3. It resides within the `StandardsText` class, which is used by the `StandardsExtractingContentHandler`. The issue is a Regular expression Denial of Service (ReDoS) caused by catastrophic backtracking in a regular expression used for extracting standards. An attacker can craft a file containing a string designed to trigger this backtracking behavior in the regex. When an application using the `StandardsExtractingContentHandler` processes this file, the vulnerable regular expression consumes excessive CPU for an extended period, locking up the processing thread and causing a denial of service for the Tika instance. The vulnerability only manifests if the non-standard `StandardsExtractingContentHandler` is explicitly enabled and used.
What is the Impact of CVE-2022-30973?
Successful exploitation may allow attackers to cause a denial of service, making the Apache Tika instance unresponsive and unavailable for document processing, severely impacting service availability.
What is the Exploitability of CVE-2022-30973?
Exploitation complexity is moderate. It requires an attacker to submit a specially crafted file to an application that uses Apache Tika and has the StandardsExtractingContentHandler explicitly configured and enabled for processing. This handler is described as 'non-standard,' implying it's not enabled by default, which acts as a mitigating factor. Authentication requirements depend on whether the file upload/processing functionality is accessible to unauthenticated users or restricted. No specific privileges beyond typical user permissions to upload or submit files for processing are needed. This can be a remote vulnerability if the Tika instance processes files from external sources. The primary risk factors are applications, especially those handling documents from untrusted sources, that have explicitly chosen to use the StandardsExtractingContentHandler in Apache Tika 1.x without adequate input sanitization or rate-limiting on file processing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-30973?
Available Upgrade Options
- org.apache.tika:tika-core
- >1.17, <1.28.3 → Upgrade to 1.28.3
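
A triage check that combines the two exposure conditions this page gives (a tika-core version in the affected range and use of `StandardsExtractingContentHandler`), as an added example that is not part of the original advisory or of Apache Tika's code. It assumes `mvn dependency:list` output as input; the function names and sample data are constructed for illustration.

```python
import re

# Coordinates and range as listed on this page: tika-core, >1.17, <1.28.3.
LOWER, FIXED = (1, 17, 0), (1, 28, 3)
HANDLER = "StandardsExtractingContentHandler"
# Assumed input format: lines of `mvn dependency:list` output
# (groupId:artifactId:type[:classifier]:version:scope).
DEP_RE = re.compile(r"org\.apache\.tika:tika-core:jar:(?:[^:\s]+:)?(\d[^:\s]*):")

def parse_version(text):
    """'1.28.2' -> (1, 28, 2); missing parts become 0, qualifiers are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    return LOWER < parse_version(version) < FIXED

def tika_core_versions(dependency_list):
    return sorted(set(DEP_RE.findall(dependency_list)), key=parse_version)

def triage(dependency_list, sources):
    """sources maps path -> file text.
    Returns (affected versions, files naming the handler, exposed flag)."""
    affected = [v for v in tika_core_versions(dependency_list) if is_affected(v)]
    users = sorted(p for p, text in sources.items() if HANDLER in text)
    # Exposed only when both conditions hold: affected version AND handler in use.
    return affected, users, bool(affected and users)

# Constructed sample input (not taken from a real project).
SAMPLE_DEPS = """\
[INFO]    org.apache.tika:tika-core:jar:1.28.2:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.2:compile
[INFO]    commons-io:commons-io:jar:2.11.0:compile
"""
SAMPLE_SOURCES = {
    "src/main/java/demo/Extract.java":
        "ContentHandler h = new StandardsExtractingContentHandler(inner, metadata);",
    "src/main/java/demo/Plain.java":
        "ContentHandler h = new BodyContentHandler();",
}

if __name__ == "__main__":
    affected, users, exposed = triage(SAMPLE_DEPS, SAMPLE_SOURCES)
    print("affected tika-core versions:", affected)
    print("files referencing handler:", users)
    print("exposed:", exposed)
```

A project that pins an affected version but never references the handler is reported as not exposed, which matches the page's note that the handler must be explicitly enabled; upgrading to 1.28.3 is still the fix.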
Additional Resources
- https://github.com/advisories/GHSA-rpjm-422r-95mh
- http://www.openwall.com/lists/oss-security/2022/06/27/5
- http://www.openwall.com/lists/oss-security/2022/05/31/2
- https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265
- https://nvd.nist.gov/vuln/detail/CVE-2022-30973
- https://github.com/apache/tika
- https://security.netapp.com/advisory/ntap-20220722-0004
- https://lists.apache.org/thread/gqvb5t4p7tmdpl0y5bdbf72pgxj04h7p
What are Similar Vulnerabilities to CVE-2022-30973?
Similar Vulnerabilities: CVE-2023-36053, CVE-2024-24762, CVE-2021-27516, CVE-2020-8199, CVE-2020-26233
