02.23.17

Background Information

MarkLogic has released an update that addresses a security issue discovered in the MarkLogic document conversion mechanism. See below for more information about the MarkLogic release that patches this issue.

Impact

MarkLogic can convert PDF documents. This capability relies on functionality provided by Iceni (Argus) which is invoked explicitly through the function xdmp:pdf-convert() or implicitly through use of the MarkLogic document conversion pipeline.

Iceni has incorporated fixes into their most recent release. MarkLogic has issued an update that includes these fixes.

The following CVEs for Iceni have been published:

CVE Description CVSS v3 Score
CVE-2016-8385 PDF Code Execution Vulnerability 8.8
CVE-2016-8386 PDF Code Execution Vulnerability 8.8
CVE-2016-8387 Buffer Overflow Vulnerability 8.8
CVE-2016-8388 Heap Overwrite Vulnerability 8.8
CVE-2016-8389 Integer Overflow Vulnerability 8.8
CVE-2016-8715 PDF Code Execution Vulnerability 8.8

These are considered to be vulnerabilities of “High” severity based on CVSS base scores in excess of 7.0. A carefully crafted file could be used to cause arbitrary code execution in some cases.

Resolution

The latest version of Iceni (v7.1) patches the security issues listed above. The newer version is incorporated into MarkLogic 8.0-6.3. See below for installation and download information.

Additional Information

MarkLogic 8.0-6.3 is available for download at: http://developer.marklogic.com/products.
For more information on MarkLogic text extraction and document conversion, see here:

Knowledgebase article here: https://help.marklogic.com/Knowledgebase/Article/View/447/

Acknowledgements

MarkLogic would like to thank Cisco Talos and Marcin Noga for making MarkLogic aware of the security issues described in this bulletin.

Additionally, MarkLogic would like to thank Iceni for their support.

This website uses cookies.

By continuing to use this website you are giving consent to cookies being used in accordance with the MarkLogic Privacy Statement.