CVE-2021-28657: Infinite loop in Apache Tika's MP3 parser
First published: Wed Mar 31 2021(Updated: )
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tika | <=1.25 | |
| Oracle Healthcare Foundation | =7.3.0 | |
| Oracle Healthcare Foundation | =8.0.0 | |
| Oracle Healthcare Foundation | =8.1.0 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Oracle Communications Messaging Server | =8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210507-0004/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E
Frequently Asked Questions
What is CVE-2021-28657?
CVE-2021-28657 is a vulnerability in Tika's MP3Parser that can be triggered by a carefully crafted or corrupt file, causing an infinite loop.
Which software versions are affected by CVE-2021-28657?
CVE-2021-28657 affects Apache Tika up to and including version 1.25, as well as Oracle Healthcare Foundation versions 7.3.0, 8.0.0, and 8.1.0, Oracle Primavera Unifier versions 17.7 to 17.12, and Oracle WebCenter Portal versions 12.2.1.3.0 and 12.2.1.4.0.
What is the severity of CVE-2021-28657?
CVE-2021-28657 has a severity rating of 5.5, which is considered medium.
How can I fix CVE-2021-28657?
To fix CVE-2021-28657, Apache Tika users should upgrade to version 1.26 or later.
Are there any references for CVE-2021-28657?
Yes, you can find references for CVE-2021-28657 [here](https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E), [here](https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E), and [here](https://security.netapp.com/advisory/ntap-20210507-0004/).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/title
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- vendor/apache
- canonical/apache tika
- version/apache tika/1.25
- vendor/oracle
- canonical/oracle healthcare foundation
- version/oracle healthcare foundation/7.3.0
- version/oracle healthcare foundation/8.0.0
- version/oracle healthcare foundation/8.1.0
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1