11.01.16

Background Information

MarkLogic has released updates which address a security issue discovered in MarkLogic document conversion and text extraction mechanisms. See below for more information about the MarkLogic releases which patch this issue.

Impact

MarkLogic can convert documents such as Microsoft Office and Adobe PDF and can extract metadata and text from binary documents. These capabilities rely on functionality provided by Iceni (Argus) and Lexmark (Perceptive Document Filters), which is invoked explicitly through the APIs xdmp:document-filter() and xdmp:pdf-convert() or implicitly through use of the MarkLogic document conversion pipeline.

Iceni and Lexmark have issued security alerts for vulnerabilities in these products and have incorporated fixes into their most recent releases. MarkLogic has issued an update which includes these fixes.

The following CVEs for Iceni have been published:

  • CVE-2016-8333 – An exploitable stack-based buffer overflow vulnerability
  • CVE-2016-8335 – An exploitable stack-based buffer overflow vulnerability

Lexmark has published the following CVEs:

  • CVE-2016-5646 – An exploitable heap overflow vulnerability exists in the Compound Binary Format (CBFF) parser functionality of the Lexmark Perceptive Document Filters Library
  • CVE-2016-4336 – An exploitable out-of-bounds write vulnerability exists in the Bzip2 parsing of the Perceptive Document Filters
  • CVE-2016-4335 – An exploitable buffer overflow vulnerability exists in the XLS parsing of the Perceptive Document Filters conversion functionality

These are considered to be vulnerabilities of “High” severity based on CVSS base scores in excess of 7.0. A carefully crafted PDF, CBFF, Bzip2, or XLS file could be used to cause a buffer overflow that can result in arbitrary code execution.

Resolution

The latest versions of Iceni (v6.6.5) and Lexmark ISYS (v11.3) patch the security issues listed above. The newer versions are incorporated into MarkLogic 8.0-6 and MarkLogic 7.0-6.8. See below for installation and download information.
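As an added example (not MarkLogic's own code), the following Python sketch triages an inventory of MarkLogic version strings against the two fixed releases named above. It assumes versions are written as major.minor-patch[.hotfix], that later releases on the same branch retain the fix, and that branches the bulletin does not mention are reported as unknown; the host names are constructed.

```python
import re

# Fixed releases named in the bulletin, keyed by branch (major, minor).
# Value is (patch, hotfix); "8.0-6" has no hotfix component, so hotfix = 0.
FIXED = {(8, 0): (6, 0), (7, 0): (6, 8)}

_VERSION = re.compile(r"^(\d+)\.(\d+)-(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Split 'major.minor-patch[.hotfix]' into (branch, (patch, hotfix))."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MarkLogic version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor)), (int(patch), int(hotfix or 0))


def triage(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    try:
        branch, level = parse_version(text)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # the bulletin names no fixed release for this branch
    # Assumption: later releases on the same branch keep the updated filters.
    # Compare as integers so that 6.10 sorts after 6.8.
    return "patched" if level >= fixed else "vulnerable"


def report(inventory):
    """Map each host in {host: version} to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed inventory; host names and versions are sample data.
SAMPLE_INVENTORY = {
    "ml-prod-01": "8.0-6",
    "ml-prod-02": "8.0-5.8",
    "ml-legacy-01": "7.0-6.8",
    "ml-legacy-02": "7.0-6",
    "ml-lab-01": "6.0-5",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check against the vendor's release notes, since the bulletin only names fixed releases for the 8.0 and 7.0 branches.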

Additional Information

MarkLogic 8.0-6 and MarkLogic 7.0-6.8 are available for download at: http://developer.marklogic.com/products.

Lexmark provides more information on this security issue here. Iceni CVE information is available here and here.

For more information on MarkLogic text extraction and document conversion, see here:

Knowledgebase article here: https://help.marklogic.com/Knowledgebase/Article/View/447/

Acknowledgements

MarkLogic would like to thank Cisco Talos and Marcin Noga for making MarkLogic aware of the security issues described in this bulletin.

Additionally, MarkLogic would like to thank Lexmark and Iceni for their support.

See here for the Cisco Talos reports on these issues: http://www.talosintelligence.com/vulnerability-reports/.

For Iceni, see TALOS-2016-0200 (CVE-2016-8333) and TALOS-2016-0202 (CVE-2016-8335).

For Lexmark, see TALOS-2016-0185 (CVE-2016-5646), TALOS-2016-0173 (CVE-2016-4336), and TALOS-2016-0172 (CVE-2016-4335).
