Description

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which fixes the issue. There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular: * the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class; * the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data; * the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections; * the CasAnnotationViewerApplet and the CasTreeViewerApplet; * the checkpointing feature of the CPE module. Note that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object. When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution. As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290  and  https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue. To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the "jdk.serialFilter" system property using a semicolon as a separator: To allow deserializing Java-serialized binary CASes, add the classes: * org.apache.uima.cas.impl.CASCompleteSerializer * org.apache.uima.cas.impl.CASMgrSerializer * org.apache.uima.cas.impl.CASSerializer * java.lang.String To allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints): * org.apache.uima.collection.impl.cpm.CheckpointData * org.apache.uima.util.ProcessTrace * org.apache.uima.util.impl.ProcessTrace_impl * org.apache.uima.collection.base_cpm.SynchPoint Make sure to use "!*" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern. Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  8.8 HIGH

Vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ADP:  CISA-ADP

Base Score:  8.8 HIGH

Vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://www.openwall.com/lists/oss-security/2023/11/08/1	Mailing List
https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4	Mailing List

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-502	Deserialization of Untrusted Data	NIST   Apache Software Foundation
CWE-20	Improper Input Validation	Apache Software Foundation

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

5 change records found show changes

CVE Modified by CISA-ADP 9/04/2024 4:35:05 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		CISA-ADP AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE Modified by Apache Software Foundation 5/14/2024 9:30:58 AM

Action	Type	Old Value	New Value

Initial Analysis by NIST 11/16/2023 10:55:57 AM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR *cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:* versions up to (excluding) 3.5.0
Added	CVSS V3.1		NIST AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-502
Changed	Reference Type	http://www.openwall.com/lists/oss-security/2023/11/08/1 No Types Assigned	http://www.openwall.com/lists/oss-security/2023/11/08/1 Mailing List
Changed	Reference Type	https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4 No Types Assigned	https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4 Mailing List

CVE Modified by Apache Software Foundation 11/08/2023 10:15:08 AM

Action	Type	Old Value	New Value
Added	Reference		Apache Software Foundation http://www.openwall.com/lists/oss-security/2023/11/08/1 [No types assigned]

New CVE Received by NIST 11/08/2023 3:15:08 AM

Action	Type	Old Value	New Value
Added	CWE		Apache Software Foundation CWE-20
Added	CWE		Apache Software Foundation CWE-502
Added	Description		Record truncated, showing 500 of 3131 characters. View Entire Change Record Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which fixes the issue. There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular: * the deserialization of a Java-serialized CAS, but also o
Added	Reference		Apache Software Foundation https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4 [No types assigned]