Path to vulnerable library: /canner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-adapter-vinci/2.9.0/uimaj-adapter-vinci-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-adapter-vinci/2.9.0/uimaj-adapter-vinci-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-adapter-vinci/2.9.0/uimaj-adapter-vinci-2.9.0.jar
The implementation of a simple scaleout capability, called
the Collection Processing Engine. New implementations may find
UIMA-AS a better scaleout mechanism.
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-cpe/2.9.0/uimaj-cpe-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-cpe/2.9.0/uimaj-cpe-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-cpe/2.9.0/uimaj-cpe-2.9.0.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-tools/2.9.0/uimaj-tools-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-tools/2.9.0/uimaj-tools-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-tools/2.9.0/uimaj-tools-2.9.0.jar
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:
* the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;
* the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data;
* the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;
* the CasAnnotationViewerApplet and the CasTreeViewerApplet;
* the checkpointing feature of the CPE module.
Note that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.
When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.
As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 and https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it.
Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.
To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the "jdk.serialFilter" system property using a semicolon as a separator:
To allow deserializing Java-serialized binary CASes, add the classes:
* org.apache.uima.cas.impl.CASCompleteSerializer
* org.apache.uima.cas.impl.CASMgrSerializer
* org.apache.uima.cas.impl.CASSerializer
* java.lang.String
To allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):
* org.apache.uima.collection.impl.cpm.CheckpointData
* org.apache.uima.util.ProcessTrace
* org.apache.uima.util.impl.ProcessTrace_impl
* org.apache.uima.collection.base_cpm.SynchPoint
Make sure to use "!*" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.
Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.
CVE-2023-39913 - High Severity Vulnerability
uimaj-core-2.9.0.jar
The core implementation of the UIMA Java Framework
Library home page: http://www.apache.org/
Path to dependency file: /service/pom.xml
Path to vulnerable library: /canner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar
Dependency Hierarchy: - :x: **uimaj-core-2.9.0.jar** (Vulnerable Library)
uimaj-adapter-vinci-2.9.0.jar
Provides the capability to connect to a remote analysis engine, using the Vinci protocol
Library home page: http://www.apache.org/
Path to dependency file: /core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-adapter-vinci/2.9.0/uimaj-adapter-vinci-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-adapter-vinci/2.9.0/uimaj-adapter-vinci-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-adapter-vinci/2.9.0/uimaj-adapter-vinci-2.9.0.jar
Dependency Hierarchy: - uimaj-tools-2.9.0.jar (Root Library) - uimaj-cpe-2.9.0.jar - :x: **uimaj-adapter-vinci-2.9.0.jar** (Vulnerable Library)
uimaj-cpe-2.9.0.jar
The implementation of a simple scaleout capability, called the Collection Processing Engine. New implementations may find UIMA-AS a better scaleout mechanism.
Library home page: http://www.apache.org/
Path to dependency file: /client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-cpe/2.9.0/uimaj-cpe-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-cpe/2.9.0/uimaj-cpe-2.9.0.jar,/home/wss-scanner/.m2/repository/org/apache/uima/uimaj-cpe/2.9.0/uimaj-cpe-2.9.0.jar
Dependency Hierarchy: - uimaj-tools-2.9.0.jar (Root Library) - :x: **uimaj-cpe-2.9.0.jar** (Vulnerable Library)
uimaj-tools-2.9.0.jar
Tooling supporting UIMA use
Library home page: http://www.apache.org/
Path to dependency file: /client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-tools/2.9.0/uimaj-tools-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-tools/2.9.0/uimaj-tools-2.9.0.jar,/canner/.m2/repository/org/apache/uima/uimaj-tools/2.9.0/uimaj-tools-2.9.0.jar
Dependency Hierarchy: - :x: **uimaj-tools-2.9.0.jar** (Vulnerable Library)
Found in base branch: master
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which fixes the issue. There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular: * the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class; * the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data; * the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections; * the CasAnnotationViewerApplet and the CasTreeViewerApplet; * the checkpointing feature of the CPE module. Note that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object. When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution. As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 and https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue. To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the "jdk.serialFilter" system property using a semicolon as a separator: To allow deserializing Java-serialized binary CASes, add the classes: * org.apache.uima.cas.impl.CASCompleteSerializer * org.apache.uima.cas.impl.CASMgrSerializer * org.apache.uima.cas.impl.CASSerializer * java.lang.String To allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints): * org.apache.uima.collection.impl.cpm.CheckpointData * org.apache.uima.util.ProcessTrace * org.apache.uima.util.impl.ProcessTrace_impl * org.apache.uima.collection.base_cpm.SynchPoint Make sure to use "!*" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern. Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.
Publish Date: 2023-11-08
URL: CVE-2023-39913
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-39913
Release Date: 2023-11-08
Fix Resolution: org.apache.uima:uimaj-tools:3.5.0, org.apache.uima:uimaj-adapter-vinci:3.5.0, org.apache.uima:uimaj-core:3.5.0, org.apache.uima:uimaj-cpe:3.5.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.