Apache UIMA Java SDK Core, Apache UIMA Java SDK CPE, Apache UIMA Java SDK Vinci adapter, Apache UIMA Java SDK tools: Potential untrusted code execution when deserializing certain binary CAS formats
CVE-2023-39913

8.8 HIGH

Summary

The Apache UIMA Java SDK is vulnerable to deserialization of untrusted data because it performs no input validation when deserializing Java objects in certain binary CAS formats. The issue affects several components, including the CAS serialization utilities and the CAS Editor Eclipse plugin. Serialized data is deserialized without any check on the classes it instantiates, which can lead to arbitrary code execution; deployed services using the Vinci Analysis Engine are particularly exposed. Users should upgrade to version 3.5.0, which adds input validation and restricts the deserialization process to safer practices. It is also recommended to run UIMA on Java 9 or later, where an ObjectInputFilter can be configured to restrict further which classes deserialization may instantiate.
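As an added illustration of the ObjectInputFilter mitigation the summary recommends for Java 9+ (example code, not code from the Apache UIMA project): a per-stream allowlist filter that accepts only the application's own serialized types plus a few JDK classes and rejects everything else before it is instantiated. The `Annotation` class and the filter pattern are constructed for this example; a real deployment would list the CAS-related classes it actually needs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserializationDemo {

    // Constructed sample type standing in for a legitimately serialized object.
    static final class Annotation implements Serializable {
        private static final long serialVersionUID = 1L;
        final String type; final int begin, end;
        Annotation(String type, int begin, int end) { this.type = type; this.begin = begin; this.end = end; }
    }

    // Allowlist filter (constructed pattern): only the sample type and java.lang.String are
    // accepted, graph depth and array sizes are capped, and "!*" rejects every other class
    // before its bytes are turned into an object. The same pattern syntax can be applied
    // process-wide via the jdk.serialFilter system property.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "FilteredDeserializationDemo$Annotation;java.lang.String;maxdepth=8;maxarray=10000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);   // per-stream filter, available since Java 9
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Annotation ok = (Annotation) deserialize(serialize(new Annotation("Person", 0, 5)));
        System.out.println("accepted: " + ok.type + " [" + ok.begin + "," + ok.end + "]");

        // A class outside the allowlist (a plain HashMap here) is rejected with
        // InvalidClassException when its class descriptor is read, before any readObject logic runs.
        try {
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```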

Affected Version(s)

Apache UIMA Java SDK Core: >= 0, < 3.5.0

Apache UIMA Java SDK CPE: >= 0, < 3.5.0

Apache UIMA Java SDK tools: >= 0, < 3.5.0

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Huangzhicong from CodeSafe Team of Legendsec at Qi’anxin.