cnvd - cnvd-2023-96665

CNVD-2023-96665

Vulnerability from cnvd - Published: 2023-12-13

Title

Apache UIMA反序列化漏洞

Description

Apache UIMA是美国阿帕奇（Apache）基金会的一个组件化的软件架构。用于分析同终端用户相关联的大容量非结构化信息。 Apache UIMA 3.5.0之前版本存在反序列化漏洞，该漏洞源于应用程序在接收用户提交的序列化数据的不安全反序列化处理，攻击者可利用该漏洞导致代码执行。

Severity

高

Patch Name

Apache UIMA反序列化漏洞的补丁

Patch Description

Apache UIMA是美国阿帕奇（Apache）基金会的一个组件化的软件架构。用于分析同终端用户相关联的大容量非结构化信息。 Apache UIMA 3.5.0之前版本存在反序列化漏洞，该漏洞源于应用程序在接收用户提交的序列化数据的不安全反序列化处理，攻击者可利用该漏洞导致代码执行。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://uima.apache.org/downloads.cgi

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-39913

Impacted products

Name
Apache Apache UIMA <3.5.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-39913",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-39913"
    }
  },
  "description": "Apache UIMA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7ec4\u4ef6\u5316\u7684\u8f6f\u4ef6\u67b6\u6784\u3002\u7528\u4e8e\u5206\u6790\u540c\u7ec8\u7aef\u7528\u6237\u76f8\u5173\u8054\u7684\u5927\u5bb9\u91cf\u975e\u7ed3\u6784\u5316\u4fe1\u606f\u3002\n\nApache UIMA 3.5.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://uima.apache.org/downloads.cgi",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-96665",
  "openTime": "2023-12-13",
  "patchDescription": "Apache UIMA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7ec4\u4ef6\u5316\u7684\u8f6f\u4ef6\u67b6\u6784\u3002\u7528\u4e8e\u5206\u6790\u540c\u7ec8\u7aef\u7528\u6237\u76f8\u5173\u8054\u7684\u5927\u5bb9\u91cf\u975e\u7ed3\u6784\u5316\u4fe1\u606f\u3002\r\n\r\nApache UIMA 3.5.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache UIMA\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache UIMA \u003c3.5.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-39913",
  "serverity": "\u9ad8",
  "submitTime": "2023-11-13",
  "title": "Apache UIMA\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"
}

CVE-2023-39913 (GCVE-0-2023-39913)

Vulnerability from cvelistv5 – Published: 2023-11-08 08:04 – Updated: 2025-02-13 17:03

Summary

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which fixes the issue. There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular: * the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class; * the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data; * the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections; * the CasAnnotationViewerApplet and the CasTreeViewerApplet; * the checkpointing feature of the CPE module. Note that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object. When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution. As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 and https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue. To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the "jdk.serialFilter" system property using a semicolon as a separator: To allow deserializing Java-serialized binary CASes, add the classes: * org.apache.uima.cas.impl.CASCompleteSerializer * org.apache.uima.cas.impl.CASMgrSerializer * org.apache.uima.cas.impl.CASSerializer * java.lang.String To allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints): * org.apache.uima.collection.impl.cpm.CheckpointData * org.apache.uima.util.ProcessTrace * org.apache.uima.util.impl.ProcessTrace_impl * org.apache.uima.collection.base_cpm.SynchPoint Make sure to use "!*" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern. Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data
CWE-20 - Improper Input Validation

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/lw30f4qlq3mhkhplj…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2023/11/08/1

Impacted products

Vendor

Product

Version

Apache Software Foundation

Apache UIMA Java SDK Core

Affected: 0 , < 3.5.0 (semver)

Apache Software Foundation	Apache UIMA Java SDK CPE	Affected: 0 , < 3.5.0 (semver)
Apache Software Foundation	Apache UIMA Java SDK Vinci adapter	Affected: 0 , < 3.5.0 (semver)
Apache Software Foundation	Apache UIMA Java SDK tools	Affected: 0 , < 3.5.0 (semver)

Credits

Huangzhicong from CodeSafe Team of Legendsec at Qi’anxin

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:18:10.044Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/08/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-39913",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-04T19:07:42.826793Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-04T19:12:10.227Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.uima:uimaj-core",
          "product": "Apache UIMA Java SDK Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.uima:uimaj-cpe",
          "product": "Apache UIMA Java SDK CPE",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.uima:uimaj-adapter-vinci",
          "product": "Apache UIMA Java SDK Vinci adapter",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.uima:uimaj-tools",
          "product": "Apache UIMA Java SDK tools",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Huangzhicong from CodeSafe Team of Legendsec at Qi\u2019anxin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.\u003cp\u003eThis issue affects Apache UIMA Java SDK: before 3.5.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\u003c/p\u003eThere are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe CAS Editor Eclipse plugin which uses the\u0026nbsp;the CasIOUtils class to load data;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe CasAnnotationViewerApplet and the CasTreeViewerApplet;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe checkpointing feature of the CPE module.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003eNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is \u003cb\u003enot\u003c/b\u003e a serialized Java object.\u003cbr\u003e\u003cbr\u003eWhen using Vinci or using CasIOUtils in own services/applications,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openjdk.org/jeps/290\"\u003ehttps://openjdk.org/jeps/290\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openjdk.org/jeps/415\"\u003ehttps://openjdk.org/jeps/415\u003c/a\u003e) if running UIMA on a Java version that supports it. \u003cbr\u003e\u003cbr\u003eNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\u003cbr\u003e\u003cbr\u003eTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \u003ci\u003e\"jdk.serialFilter\"\u003c/i\u003e system property using a semicolon as a separator:\u003cbr\u003e\u003cbr\u003eTo allow deserializing Java-serialized binary CASes, add the classes:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eorg.apache.uima.cas.impl.CASCompleteSerializer\u003c/span\u003e\u003c/li\u003e\u003cli\u003eorg.apache.uima.cas.impl.CASMgrSerializer\u003c/li\u003e\u003cli\u003eorg.apache.uima.cas.impl.CASSerializer\u003c/li\u003e\u003cli\u003ejava.lang.String\u003c/li\u003e\u003c/ul\u003eTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\u003cbr\u003e\u003cul\u003e\u003cli\u003eorg.apache.uima.collection.impl.cpm.CheckpointData\u003c/li\u003e\u003cli\u003eorg.apache.uima.util.ProcessTrace\u003c/li\u003e\u003cli\u003eorg.apache.uima.util.impl.ProcessTrace_impl\u003c/li\u003e\u003cli\u003eorg.apache.uima.collection.base_cpm.SynchPoint\u003c/li\u003e\u003c/ul\u003eMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\u003cbr\u003e\u003cbr\u003eApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\n\nThere are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:\n  *  the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\n  *  the CAS Editor Eclipse plugin which uses the\u00a0the CasIOUtils class to load data;\n  *  the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\n  *  the CasAnnotationViewerApplet and the CasTreeViewerApplet;\n  *  the checkpointing feature of the CPE module.\n\nNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.\n\nWhen using Vinci or using CasIOUtils in own services/applications,\u00a0the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\n\nAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf.  https://openjdk.org/jeps/290 \u00a0and\u00a0 https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. \n\nNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\n\nTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \"jdk.serialFilter\" system property using a semicolon as a separator:\n\nTo allow deserializing Java-serialized binary CASes, add the classes:\n  *  org.apache.uima.cas.impl.CASCompleteSerializer\n  *  org.apache.uima.cas.impl.CASMgrSerializer\n  *  org.apache.uima.cas.impl.CASSerializer\n  *  java.lang.String\n\nTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\n  *  org.apache.uima.collection.impl.cpm.CheckpointData\n  *  org.apache.uima.util.ProcessTrace\n  *  org.apache.uima.util.impl.ProcessTrace_impl\n  *  org.apache.uima.collection.base_cpm.SynchPoint\n\nMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\n\nApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-08T08:06:03.766Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/11/08/1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache UIMA Java SDK Core, Apache UIMA Java SDK CPE, Apache UIMA Java SDK Vinci adapter, Apache UIMA Java SDK tools: Potential untrusted code execution when deserializing certain binary CAS formats",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-39913",
    "datePublished": "2023-11-08T08:04:23.911Z",
    "dateReserved": "2023-08-07T09:15:50.297Z",
    "dateUpdated": "2025-02-13T17:03:15.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-96665

CVE-2023-39913 (GCVE-0-2023-39913)

Tags

Sightings

Nomenclature