CVE-2022-32287: Apache UIMA directory traversal vulnerability
Apache UIMA published a security bulletin on November 3 disclosing a directory traversal vulnerability (CVE-2022-32287).
The flaw could allow a remote attacker to traverse directories on the system. It is caused by improper validation of user-supplied input in a FileUtil class used by the PEAR management component: an attacker could supply a specially crafted archive whose ZIP entry names contain path segments that escape the designated target directory, causing files to be written outside it during installation.
Apache Unstructured Information Management applications are software systems that analyze large volumes of unstructured information in order to discover knowledge that is relevant to an end user. An example UIM application might ingest plain text and identify entities, such as persons, places, organizations; or relations, such as works-for or located-at.
“A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names,” the developers explained in an advisory. “Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.”
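The root cause described above is the classic "Zip Slip" pattern: an extractor joins each ZIP entry name onto the target directory without checking where the resulting path actually lands. The following Java program is an added illustration, not code from Apache UIMA or its advisory; the class and method names (`SafeUnzip`, `resolveSafely`, `extract`) and the sample archives are my own constructions. It shows the check a hardened extractor needs (normalize the resolved path and require it to stay under the target directory) and exercises it against a benign archive and against a constructed archive whose entry name climbs out of the target with `../` segments.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (hypothetical names); not Apache UIMA's FileUtil.
public class SafeUnzip {

    /** Thrown when a ZIP entry name would resolve outside the target directory. */
    public static class ZipSlipException extends IOException {
        public ZipSlipException(String msg) { super(msg); }
    }

    /**
     * Resolve an entry name against the target directory and verify that the
     * normalized result is still inside it. This is the missing check in a
     * vulnerable extractor: without it, "../" segments (or an absolute entry
     * name) walk out of the destination.
     */
    static Path resolveSafely(Path targetDir, String entryName) throws ZipSlipException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        if (!resolved.startsWith(base)) {
            throw new ZipSlipException("entry escapes target directory: " + entryName);
        }
        return resolved;
    }

    /** Extract an archive, refusing any entry that escapes targetDir. Returns the files written. */
    static List<Path> extract(InputStream archive, Path targetDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                // Validate before touching the filesystem for this entry.
                Path dest = resolveSafely(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zin, dest);
                    written.add(dest);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    /** Build a small in-memory ZIP (constructed sample data for the demo). */
    static byte[] buildArchive(String... entryNames) throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bout)) {
            for (String name : entryNames) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write("sample content".getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bout.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("pear-install-demo");

        // Benign archive: every entry lands under the target directory.
        byte[] benign = buildArchive("metadata/desc.xml", "lib/plugin.jar");
        System.out.println("benign archive wrote: " + extract(new ByteArrayInputStream(benign), target));

        // Constructed malicious archive: the entry name climbs out of the target directory.
        byte[] traversal = buildArchive("../../escaped.txt");
        try {
            extract(new ByteArrayInputStream(traversal), target);
            System.out.println("BUG: traversal entry was written");
        } catch (ZipSlipException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important design choice is to validate the normalized path before creating any directory or file for the entry, and to compare with `Path.startsWith` on the normalized base rather than a string prefix check, so that both `../` sequences and absolute entry names are rejected. As the advisory itself notes, this check limits where an archive can write, but it does not make an untrusted PEAR safe to run: an installed PEAR executes with the privileges of the host JVM regardless.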
The CVE-2022-32287 flaw affects Apache UIMA version 3.3.0 and earlier and was reported by Huangzhicong from the CodeSafe Team of Legendsec at Qi’anxin Group.
We therefore recommend that users upgrade Apache UIMA to the latest version (3.3.1) as soon as possible.