MarkLogic has released updates which address a security issue discovered in MarkLogic document conversion and text extraction mechanisms. See below for more information about the MarkLogic releases which patch this issue.
MarkLogic can convert documents such as Microsoft Office and Adobe PDF files and can extract metadata and text from binary documents. These capabilities rely on functionality provided by Iceni (Argus) and Lexmark (Perceptive Document Filters), which is invoked explicitly through the xdmp:pdf-convert() API or implicitly through use of the MarkLogic document conversion pipeline.
Iceni and Lexmark have issued security alerts for vulnerabilities in these products and have incorporated fixes into their most recent releases. MarkLogic has issued an update which includes these fixes.
The following CVEs for Iceni have been published:
Lexmark has published the following CVEs:
These are considered to be vulnerabilities of “High” severity based on CVSS base scores in excess of 7.0. A carefully crafted PDF, CBFF, Bzip2, or XLS file could be used to cause a buffer overflow, which can result in arbitrary code execution.
The latest versions of Iceni (v6.6.5) and Lexmark ISYS (v11.3) patch the security issues listed above. The newer versions are incorporated into MarkLogic 8.0-6 and MarkLogic 7.0-6.8. See below for installation and download information.
MarkLogic 8.0-6 and MarkLogic 7.0-6.8 are available for download at: http://developer.marklogic.com/products.
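To check an inventory against the fixed releases named above, the following added example (not MarkLogic's own code) compares version strings in the `branch-patch[.sub]` form used in this bulletin. The host names and sample versions are constructed, and branches the bulletin does not mention are reported as `unknown` rather than guessed.

```python
import re

# Fixed releases named in this bulletin, keyed by release branch.
FIXED = {"8.0": (6, 0), "7.0": (6, 8)}

# Version form used in the bulletin: '8.0-6' or '7.0-6.8'.
_VERSION = re.compile(r"^(\d+\.\d+)-(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Split 'branch-patch[.sub]' into (branch, (patch, sub)); sub defaults to 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3) or 0))


def patch_status(text):
    """Return 'fixed', 'needs-update' or 'unknown' for one version string."""
    try:
        branch, patch = parse_version(text)
    except ValueError:
        return "unknown"
    if branch not in FIXED:
        return "unknown"  # the bulletin names no fixed release for this branch
    # Compare numerically: a string compare would rank '6.10' below '6.8'.
    return "fixed" if patch >= FIXED[branch] else "needs-update"


def triage(inventory):
    """Map each host in a {host: version} inventory to its status."""
    return {host: patch_status(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "ml-prod-01": "8.0-5.8",
    "ml-prod-02": "8.0-6",
    "ml-stage-01": "7.0-6.7",
    "ml-stage-02": "7.0-6.8",
    "ml-dev-01": "not-reported",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}\t{SAMPLE[host]}\t{status}")
```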
For more information on MarkLogic text extraction and document conversion, see here:
Knowledgebase article here: https://help.marklogic.com/Knowledgebase/Article/View/447/
MarkLogic would like to thank Cisco Talos and Marcin Noga for making MarkLogic aware of the security issues described in this bulletin.
Additionally, MarkLogic would like to thank Lexmark and Iceni for their support.
See here for the Cisco Talos reports on these issues: http://www.talosintelligence.com/vulnerability-reports/.
For Iceni, see TALOS-2016-0200 (CVE-2016-8333) and TALOS-2016-0202 (CVE-2016-8335).
For Lexmark, see TALOS-2016-0185 (CVE-2016-5646), TALOS-2016-0173 (CVE-2016-4336), and TALOS-2016-0172 (CVE-2016-4335).