Apache UIMA security advisories
Security information for Apache UIMA
Reporting
Do you want disclose a potential security issue for Apache UIMA? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Potential untrusted code execution when deserializing certain binary CAS formats
CVE-2023-39913 [CVE] [CVE json] [OSV json]
Last updated: 2023-11-08T08:04:19.712Z
Affected
- Apache UIMA Java SDK Core before 3.5.0
- Apache UIMA Java SDK CPE before 3.5.0
- Apache UIMA Java SDK Vinci adapter before 3.5.0
- Apache UIMA Java SDK tools before 3.5.0
Description
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.
This issue affects Apache UIMA Java SDK: before 3.5.0.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:- the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;
- the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data;
- the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;
- the CasAnnotationViewerApplet and the CasTreeViewerApplet;
- the checkpointing feature of the CPE module.
When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.
As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 and https://openjdk.org/jeps/415) if running UIMA on a Java version that supports it.
Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.
To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the “jdk.serialFilter” system property using a semicolon as a separator:
To allow deserializing Java-serialized binary CASes, add the classes:
- org.apache.uima.cas.impl.CASCompleteSerializer
- org.apache.uima.cas.impl.CASMgrSerializer
- org.apache.uima.cas.impl.CASSerializer
- java.lang.String
- org.apache.uima.collection.impl.cpm.CheckpointData
- org.apache.uima.util.ProcessTrace
- org.apache.uima.util.impl.ProcessTrace_impl
- org.apache.uima.collection.base_cpm.SynchPoint
Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.
References
Credits
- Huangzhicong from CodeSafe Team of Legendsec at Qi’anxin (reporter)
DUCC (EOL) allows RCE
CVE-2023-28935 [CVE] [CVE json] [OSV json]
Last updated: 2023-03-30T09:10:09.175Z
Affected
- Apache UIMA DUCC through *
Description
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
Credits
- Crilwa (finder)
Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives
CVE-2022-32287 [CVE] [CVE json] [OSV json]
Last updated: 2022-11-03T11:49:10.523Z
Affected
- Apache UIMA from Java SDK through 3.3.0
Description
A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions.
Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.
References
Credits
- Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi’anxin Group