MarkLogic has released an update that addresses a security issue discovered in the MarkLogic document conversion mechanism. See below for more information about the MarkLogic release that patches this issue.
MarkLogic can convert PDF documents. This capability relies on functionality provided by Iceni (Argus), which is invoked explicitly through the function xdmp:pdf-convert() or implicitly through use of the MarkLogic document conversion pipeline.
Iceni has incorporated fixes into their most recent release. MarkLogic has issued an update that includes these fixes.
The following CVEs for Iceni have been published:
| CVE | Description | CVSS v3 Score |
|---|---|---|
| CVE-2016-8385 | PDF Code Execution Vulnerability | 8.8 |
| CVE-2016-8386 | PDF Code Execution Vulnerability | 8.8 |
| CVE-2016-8387 | Buffer Overflow Vulnerability | 8.8 |
| CVE-2016-8388 | Heap Overwrite Vulnerability | 8.8 |
| CVE-2016-8389 | Integer Overflow Vulnerability | 8.8 |
| CVE-2016-8715 | PDF Code Execution Vulnerability | 8.8 |
These are considered to be vulnerabilities of “High” severity based on CVSS base scores in excess of 7.0. A carefully crafted file could be used to cause arbitrary code execution in some cases.
The latest version of Iceni (v7.1) patches the security issues listed above. The newer version is incorporated into MarkLogic 8.0-6.3. See below for installation and download information.
MarkLogic 8.0-6.3 is available for download at: http://developer.marklogic.com/products.
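The following check is an added example, not MarkLogic's own tooling: it classifies a server version string (such as the value returned by xdmp:version()) against the 8.0-6.3 release named above and lists explicit xdmp:pdf-convert() calls in XQuery source. The function names, the "update-needed"/"unknown" labels and the sample module are assumptions made for illustration.

```python
import re

FIXED = (8, 0, 6, 3)  # MarkLogic 8.0-6.3, the release this bulletin names
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)(?:\.(\d+))?$")
COMMENT_RE = re.compile(r"\(:.*?:\)", re.DOTALL)  # XQuery comments (non-nested)
CALL_RE = re.compile(r"\bxdmp:pdf-convert\s*\(")


def parse_version(text):
    """Parse 'major.minor-patch[.sub]' (e.g. '8.0-6.3') into a 4-tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised MarkLogic version: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def patch_status(text):
    """Return 'patched', 'update-needed' or 'unknown' for a version string.

    The bulletin only names the 8.0 line, so other release lines are
    reported as 'unknown' rather than guessed.
    """
    v = parse_version(text)
    if v[:2] != FIXED[:2]:
        return "unknown"
    return "patched" if v >= FIXED else "update-needed"


def find_explicit_calls(source):
    """Return 1-based line numbers that call xdmp:pdf-convert() explicitly.

    Comments are blanked first (line breaks kept) so commented-out calls
    are ignored. Implicit use through the conversion pipeline is a
    configuration matter and cannot be found by scanning source.
    """
    blanked = COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    return [n for n, line in enumerate(blanked.splitlines(), 1)
            if CALL_RE.search(line)]


# Constructed sample module, not taken from any real application.
SAMPLE_XQY = '''xquery version "1.0-ml";
(: old approach: xdmp:pdf-convert($doc, "a.pdf") :)
let $pdf := xdmp:document-get("/tmp/upload.pdf")
return xdmp:pdf-convert($pdf, "upload.pdf")
'''

if __name__ == "__main__":
    for ver in ("8.0-5.8", "8.0-6.3", "7.0-6.4"):
        print(ver, patch_status(ver))
    print("explicit calls on lines:", find_explicit_calls(SAMPLE_XQY))
```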
For more information on MarkLogic text extraction and document conversion, see here:
Knowledgebase article: https://help.marklogic.com/Knowledgebase/Article/View/447/
MarkLogic would like to thank Cisco Talos and Marcin Noga for making MarkLogic aware of the security issues described in this bulletin.
Additionally, MarkLogic would like to thank Iceni for their support.