opensuse-su-2024:13471-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
jcasgen-maven-plugin-3.5.0-1.1 on GA media
Notes
Title of the patch
jcasgen-maven-plugin-3.5.0-1.1 on GA media
Description of the patch
These are all security issues fixed in the jcasgen-maven-plugin-3.5.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13471
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jcasgen-maven-plugin-3.5.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jcasgen-maven-plugin-3.5.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13471",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13471-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-39913 page",
"url": "https://www.suse.com/security/cve/CVE-2023-39913/"
}
],
"title": "jcasgen-maven-plugin-3.5.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13471-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jcasgen-maven-plugin-3.5.0-1.1.aarch64",
"product": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.aarch64",
"product_id": "jcasgen-maven-plugin-3.5.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "uima-pear-maven-plugin-3.5.0-1.1.aarch64",
"product": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.aarch64",
"product_id": "uima-pear-maven-plugin-3.5.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "uimaj-3.5.0-1.1.aarch64",
"product": {
"name": "uimaj-3.5.0-1.1.aarch64",
"product_id": "uimaj-3.5.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "uimaj-javadoc-3.5.0-1.1.aarch64",
"product": {
"name": "uimaj-javadoc-3.5.0-1.1.aarch64",
"product_id": "uimaj-javadoc-3.5.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jcasgen-maven-plugin-3.5.0-1.1.ppc64le",
"product": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.ppc64le",
"product_id": "jcasgen-maven-plugin-3.5.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "uima-pear-maven-plugin-3.5.0-1.1.ppc64le",
"product": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.ppc64le",
"product_id": "uima-pear-maven-plugin-3.5.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "uimaj-3.5.0-1.1.ppc64le",
"product": {
"name": "uimaj-3.5.0-1.1.ppc64le",
"product_id": "uimaj-3.5.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "uimaj-javadoc-3.5.0-1.1.ppc64le",
"product": {
"name": "uimaj-javadoc-3.5.0-1.1.ppc64le",
"product_id": "uimaj-javadoc-3.5.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jcasgen-maven-plugin-3.5.0-1.1.s390x",
"product": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.s390x",
"product_id": "jcasgen-maven-plugin-3.5.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "uima-pear-maven-plugin-3.5.0-1.1.s390x",
"product": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.s390x",
"product_id": "uima-pear-maven-plugin-3.5.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "uimaj-3.5.0-1.1.s390x",
"product": {
"name": "uimaj-3.5.0-1.1.s390x",
"product_id": "uimaj-3.5.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "uimaj-javadoc-3.5.0-1.1.s390x",
"product": {
"name": "uimaj-javadoc-3.5.0-1.1.s390x",
"product_id": "uimaj-javadoc-3.5.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jcasgen-maven-plugin-3.5.0-1.1.x86_64",
"product": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.x86_64",
"product_id": "jcasgen-maven-plugin-3.5.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "uima-pear-maven-plugin-3.5.0-1.1.x86_64",
"product": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.x86_64",
"product_id": "uima-pear-maven-plugin-3.5.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "uimaj-3.5.0-1.1.x86_64",
"product": {
"name": "uimaj-3.5.0-1.1.x86_64",
"product_id": "uimaj-3.5.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "uimaj-javadoc-3.5.0-1.1.x86_64",
"product": {
"name": "uimaj-javadoc-3.5.0-1.1.x86_64",
"product_id": "uimaj-javadoc-3.5.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.aarch64"
},
"product_reference": "jcasgen-maven-plugin-3.5.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.ppc64le"
},
"product_reference": "jcasgen-maven-plugin-3.5.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.s390x"
},
"product_reference": "jcasgen-maven-plugin-3.5.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jcasgen-maven-plugin-3.5.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.x86_64"
},
"product_reference": "jcasgen-maven-plugin-3.5.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.aarch64"
},
"product_reference": "uima-pear-maven-plugin-3.5.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.ppc64le"
},
"product_reference": "uima-pear-maven-plugin-3.5.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.s390x"
},
"product_reference": "uima-pear-maven-plugin-3.5.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uima-pear-maven-plugin-3.5.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.x86_64"
},
"product_reference": "uima-pear-maven-plugin-3.5.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-3.5.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-3.5.0-1.1.aarch64"
},
"product_reference": "uimaj-3.5.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-3.5.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-3.5.0-1.1.ppc64le"
},
"product_reference": "uimaj-3.5.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-3.5.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-3.5.0-1.1.s390x"
},
"product_reference": "uimaj-3.5.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-3.5.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-3.5.0-1.1.x86_64"
},
"product_reference": "uimaj-3.5.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-javadoc-3.5.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.aarch64"
},
"product_reference": "uimaj-javadoc-3.5.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-javadoc-3.5.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.ppc64le"
},
"product_reference": "uimaj-javadoc-3.5.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-javadoc-3.5.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.s390x"
},
"product_reference": "uimaj-javadoc-3.5.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "uimaj-javadoc-3.5.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.x86_64"
},
"product_reference": "uimaj-javadoc-3.5.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-39913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-39913"
}
],
"notes": [
{
"category": "general",
"text": "Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\n\nThere are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:\n * the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;\n * the CAS Editor Eclipse plugin which uses the the CasIOUtils class to load data;\n * the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;\n * the CasAnnotationViewerApplet and the CasTreeViewerApplet;\n * the checkpointing feature of the CPE module.\n\nNote that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.\n\nWhen using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.\n\nAs a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290 and https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it. \n\nNote that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.\n\nTo mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the \"jdk.serialFilter\" system property using a semicolon as a separator:\n\nTo allow deserializing Java-serialized binary CASes, add the classes:\n * org.apache.uima.cas.impl.CASCompleteSerializer\n * org.apache.uima.cas.impl.CASMgrSerializer\n * org.apache.uima.cas.impl.CASSerializer\n * java.lang.String\n\nTo allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):\n * org.apache.uima.collection.impl.cpm.CheckpointData\n * org.apache.uima.util.ProcessTrace\n * org.apache.uima.util.impl.ProcessTrace_impl\n * org.apache.uima.collection.base_cpm.SynchPoint\n\nMake sure to use \"!*\" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.\n\nApache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-39913",
"url": "https://www.suse.com/security/cve/CVE-2023-39913"
},
{
"category": "external",
"summary": "SUSE Bug 1217005 for CVE-2023-39913",
"url": "https://bugzilla.suse.com/1217005"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:jcasgen-maven-plugin-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uima-pear-maven-plugin-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uimaj-3.5.0-1.1.x86_64",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.aarch64",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.s390x",
"openSUSE Tumbleweed:uimaj-javadoc-3.5.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-39913"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…