[BUILD-704] Investigate CVE-2022-24613 and CVE-2022-24614 Created: 03/Mar/22  Updated: 03/Mar/22  Resolved: 03/Mar/22

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: POMs 45, Build Resources 1.6.14

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Maxime Michel
Resolution: Fixed Votes: 0
Labels: foundation_team, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:

Description

As reported by the CVE scan in Magnolia's continuous integration builds:

magnolia-community-webapp-6.2-SNAPSHOT.war: metadata-extractor-2.15.0.1.jar (pkg:maven/org.tallison/metadata-extractor@2.15.0.1, cpe:2.3:a:metadata-extractor_project:metadata-extractor:2.15.0.1:*:*:*:*:*:*:*) : CVE-2022-24613, CVE-2022-24614
magnolia-empty-webapp-6.2-SNAPSHOT.war: metadata-extractor-2.15.0.1.jar (pkg:maven/org.tallison/metadata-extractor@2.15.0.1, cpe:2.3:a:metadata-extractor_project:metadata-extractor:2.15.0.1:*:*:*:*:*:*:*) : CVE-2022-24613, CVE-2022-24614


Comments
Comment by Jan Haderka [ 03/Mar/22 ]

Links to CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24614

For documentation:
Tika (and JCR) uses this lib to extract EXIF, IPTC, XMP, ICC and other metadata from image and video files. Thus, if such extraction is not required (meaning that metadata is not indexed for assets, and assets are therefore not searchable by that metadata), the client is fine to remove the library from their bundle without any additional side effects.
The danger stemming from both CVEs is minimal.
For 24613, Magnolia mitigates the effect by providing appropriate exception handling around it, and the only issue that could arise is the affected file not being indexed with its metadata. No application crash would happen.
For 24614, the vulnerability exists, but it requires a malicious user within the organization, as a special file would have to be uploaded by a person with at least editor-level privileges. Such an action is audited and traceable back to the user.

Internal info:
org.tallison.metadata-extractor is a fork of com.drewnoakes.metadata-extractor that just relocates classes from the com.adobe.internal package to the com.adobe package.

com.drewnoakes has already been on version 2.16 since May 2021. I would consider the org.tallison fork abandoned, since it last received an update in 2020.

The issue has been tracked in the drewnoakes repo since Dec 10, 2021, and while acknowledged by the owner, there's no fix to date.
https://github.com/drewnoakes/metadata-extractor/issues/561

I wasn't able to find corresponding tickets in JCR or Tika, so I think an update from their side is also not coming anytime soon.

If/when the exclusion workaround is not acceptable for a client contacting support, we should consider bumping the version of the fork and fixing it ourselves.
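The comment above suggests excluding the library from the client bundle. The exclusion itself is a Maven `<exclusion>` in the client's pom; what a practitioner then wants is a check that the built WAR really no longer ships the jar that the CVE scan flagged (`metadata-extractor-2.15.0.1.jar` under `WEB-INF/lib`). The script below is an added example, not Magnolia or metadata-extractor code. It assumes the standard WAR layout (`WEB-INF/lib/*.jar`) and the Maven `<artifactId>-<version>.jar` file naming seen in the scan output; the sample WARs it builds in memory are constructed for illustration, and `other-lib-1.0.jar` is a made-up name.

```python
"""Verify that an excluded artifact is absent from a built WAR's WEB-INF/lib.

Added example (not Magnolia code). Assumes the usual WAR layout and the Maven
<artifactId>-<version>.jar naming convention, e.g. metadata-extractor-2.15.0.1.jar.
"""
import io
import re
import zipfile
from typing import BinaryIO, List, Tuple, Union

# Artifact flagged by the CVE scan on this ticket (the org.tallison fork).
FLAGGED_ARTIFACT = "metadata-extractor"


def find_jars(war: Union[str, BinaryIO], artifact_id: str) -> List[Tuple[str, str]]:
    """Return (entry path, version) for each WEB-INF/lib jar named <artifact_id>-<version>.jar.

    The version group must start with a digit, so metadata-extractor-2.15.0.1.jar matches
    while a differently named artifact sharing the prefix does not.
    """
    pattern = re.compile(rf"^WEB-INF/lib/{re.escape(artifact_id)}-(\d[\w.\-]*)\.jar$")
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            match = pattern.match(name)
            if match:
                hits.append((name, match.group(1)))
    return hits


def check_exclusion(war: Union[str, BinaryIO], artifact_id: str = FLAGGED_ARTIFACT) -> bool:
    """True when the artifact is absent from the WAR, i.e. the pom exclusion took effect."""
    return not find_jars(war, artifact_id)


def build_sample_war(lib_jars: List[str]) -> io.BytesIO:
    """Constructed sample: an in-memory WAR with the given jar names under WEB-INF/lib.

    Jar contents are irrelevant for a file-name based check, so entries are empty.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in lib_jars:
            zf.writestr(f"WEB-INF/lib/{jar}", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Before the exclusion: the flagged jar is present and should be reported.
    before = build_sample_war(["metadata-extractor-2.15.0.1.jar", "other-lib-1.0.jar"])
    print("before exclusion:", find_jars(before, FLAGGED_ARTIFACT))
    # After the exclusion: the jar is gone, so the check passes.
    after = build_sample_war(["other-lib-1.0.jar"])
    print("exclusion effective:", check_exclusion(after))
    # A real build would be checked with a path, e.g.
    # check_exclusion("target/magnolia-empty-webapp-6.2-SNAPSHOT.war")
```

Run it against the real WAR path after `mvn package` to confirm the exclusion; a scanner re-run remains the authoritative check, but this catches a mis-scoped exclusion (wrong parent artifact, or the jar pulled in by a second path) before the scan does.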

Generated at Sun Feb 11 23:44:23 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.