
alfresco-transform-core's Introduction

Alfresco Transform Core


Contains the common transformer (T-Engine) code, plus a few implementations.

When upgrading to 3.0.0, you will find that a number of classes in the alfresco-transform-model have moved. See the alfresco-transform-model README

Sub-projects

  • model - library packaged as a jar file which contains the data model of json configuration files and messages sent between clients, T-Engines and T-Router. Also contains code to combine the configurations and then work out which transform to use for a given combination of source and target mimetypes and transform options.
  • engines/base - contains code common to t-engines, packaged as a jar. README
  • engines/<name> - multiple T-Engines, which extend the engines/base; each one builds a SpringBoot jar and a Docker image
  • deprecated/alfresco-base-t-engine - The original t-engine base, which may still be used, but has been replaced by the simpler engines/base.

Documentation

Building and testing

The project can be built by running the Maven command:

mvn clean install -Plocal,docker-it-setup

The local Maven profile builds local Docker images for each T-Engine.

Run in Docker

Execute the following commands to run a t-engine in detached mode on port 8090 and to show the logs:

docker run -d -p 8090:8090 --name <t-engine-project-name> <t-engine-project-name>:latest
docker logs -f <t-engine-project-name>

Run the Spring Boot Application

Since a T-Engine is a Spring Boot application, it might be helpful to run it as such during development by executing one of the following:

  • mvn spring-boot:run
  • java -jar target/helloworld-t-engine-{version}.jar in the project directory.
  • Run or debug the application org.alfresco.transform.base.Application from within an IDE.

Test page

The application will be accessible on port 8090 and the test page is: http://localhost:8090/. The config is available on http://localhost:8090/transform/config.

Artifacts

Maven

The artifacts can be obtained by:

  • downloading from Alfresco repository
  • getting as Maven dependency by adding the dependency to your pom file:
<dependency>
    <groupId>org.alfresco</groupId>
    <artifactId>alfresco-transform-model</artifactId>
    <version>version</version>
</dependency>

<dependency>
    <groupId>org.alfresco</groupId>
    <artifactId>alfresco-base-t-engine</artifactId>
    <version>version</version>
</dependency>

and Alfresco Maven repository:

<repository>
  <id>alfresco-maven-repo</id>
  <url>https://artifacts.alfresco.com/nexus/content/groups/public</url>
</repository>

Docker

The core T-Engine images are available on Docker Hub.

Either as a single Core AIO (All-In-One) T-Engine:

Or as a set of individual T-Engines:

You can find examples of using Core AIO in the reference ACS Deployment for Docker Compose:

You can find examples of using the individual T-Engines in the reference ACS Deployment for Helm / Kubernetes:

Release Process

For a complete walk-through check out the build-and-release.MD under the docs folder.

Contributing guide

Please use this guide to make a contribution to the project.

alfresco-transform-core's People

Contributors

alandavis, alfresco-build, amohammedalfresco, aonych, aymanthefirst, cezarleahu, damianujma, denisgabriela, dependabot-preview[bot], dependabot[bot], dsibilio, eknidev, epurashu, goleksyalfresco, kcichonczyk, kikouk, kmagdziarz, krdabrowski, mikolajbrzezinski, montgolfiere, mpichura, mstrankowski, pawel-608, punchedchimera, pzhyland, saraaspery, theoutsseeker, tpage-alfresco, tzclucian, wojtekswieton


alfresco-transform-core's Issues

CVE-2018-14042 (Medium) detected in bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

bootstrap-3.2.0-3.3.0.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.2.0-3.3.0/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html,/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/lgpl, v2.1 or later - lgpl-license.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/the mit license - mit.html

Dependency Hierarchy:

  • bootstrap-3.2.0-3.3.0.min.js (Vulnerable Library)

bootstrap-3.3.7-3.3.13.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Dependency Hierarchy:

  • bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)

Found in HEAD commit: d5dd0b84d8889d0b48363f057ab4e0aa0a81c8aa

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14042

Release Date: 2018-07-13

Fix Resolution: 4.1.2

ImageMagick Preview Resolution is not the same for all file formats

When using Alfresco 6.2.0 with ImageMagick (latest) I'm getting different preview resolutions based on the file format. PNG & JPEG generate previews at 1024 px (as expected) while other file formats like PDF generate a preview at 841 px or 842 px and TXT at 792 px.

I'm using Alfresco Community Version 6.2.0 and the helm chart from https://github.com/Alfresco/acs-community-deployment.
For ImageMagick I'm using the latest tag of https://hub.docker.com/r/alfresco/alfresco-imagemagick/tags

In my code I'm using org.alfresco.repo.rendition2.RenditionService2 to render the preview.
My Bean configuration:

<bean id="xxxx" class="org.alfresco.repo.rendition2.RenditionDefinition2Impl">
    <constructor-arg name="renditionName" value="xxx"/>
    <constructor-arg name="targetMimetype" value="image/png"/>
    <constructor-arg name="transformOptions">
        <map>
            <entry key="resizeWidth" value="1024"/>
            <entry key="resizeHeight" value="1024"/>
            <entry key="allowEnlargement" value="false"/>
            <entry key="maintainAspectRatio" value="true"/>
            <entry key="thumbnail" value="true"/>
            <entry key="timeout" value="${system.thumbnail.definition.default.timeoutMs}"/>
        </map>
    </constructor-arg>
    <constructor-arg name="registry" ref="renditionDefinitionRegistry2"/>
</bean>

I used the same code and configuration in 6.1.2 and got the expected result that all file formats are at 1024 px.

I created 3 simple documents I can reproduce this issue with:
I uploaded them to v6.2.0 and v6.1.2 and downloaded the previews with these results:

Test.pdf
Test.png
Test.txt
6 1 2ThumbnailPdf
6 1 2ThumbnailPng
6 1 2ThumbnailTxt
6 2 0ThumbnailPdf
6 2 0ThumbnailPng
6 2 0ThumbnailTxt

Please let me know if you need more information. I don't work regularly or much with Alfresco so I'm not sure which other information may be necessary.

CVE-2016-6812 (Medium) detected in cxf-rt-transports-http-3.0.10.jar

CVE-2016-6812 - Medium Severity Vulnerability

Vulnerable Library - cxf-rt-transports-http-3.0.10.jar

Apache CXF Runtime HTTP Transport

Library home page: http://cxf.apache.org

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/cxf/cxf-rt-transports-http/3.0.10/cxf-rt-transports-http-3.0.10.jar

Dependency Hierarchy:

  • alfresco-data-model-8.8.jar (Root Library)
    • chemistry-opencmis-client-impl-1.0.0.jar
      • cxf-rt-transports-http-3.0.10.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

Publish Date: 2017-08-10

URL: CVE-2016-6812

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6812

Release Date: 2017-08-10

Fix Resolution: 3.0.12,3.1.9


Step up your Open Source Security Game with WhiteSource here

temp files deleted while still opened under high load results in full root filesystem

Using alfresco-transform-core-aio-boot-2.4.0 on a system with high throughput, we observe deletions of temp files while they are still open by the same process. This is an issue because the disk space will not be freed and it's just a question of time until the root filesystem is full.

In a running system the alfresco-transform-core-aio-boot process writes temp files e.g. to

/tmp/tomcat.8090.11347239618847497578/work/Tomcat/localhost/ROOT

Checking the proc filesystem shows that the kernel keeps hundreds of files which are deleted but still open by the alfresco-transform-core-aio-boot process:

e.g.:

ls -l --time-style="+%Y-%m-%d" /proc/$ALF_PID/fd|grep upload|grep deleted
lr-x------ 1 alfresco alfresco 64 2021-12-15 96 -> /tmp/tomcat.8090.11347239618847497578/work/Tomcat/localhost/ROOT/upload_8be27646_b262_4a90_a03f_5d4f5c53c025_01506408.tmp (deleted)

[snip]

This means the files are still kept on the filesystem until the process ends.

The only workaround for now is to restart the alfresco-transform-core-aio-boot process regularly.
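The check the reporter ran by hand above, turned into a small reusable script. This is an added example, not code from the issue or from the Alfresco project: it assumes Linux with /proc mounted and GNU coreutils (for stat), and the function names are this example's own. `demo_leaked_tempfile` reproduces the pattern with a throw-away sleep process so the detector can be exercised without a T-Engine; on a real host you would point `count_deleted_open_files` at the alfresco-transform-core-aio-boot PID and alert when the count, or the pinned bytes it lists, keeps growing between samples.

```shell
#!/bin/sh
# Added example (not from the issue or the Alfresco project).
# Assumes Linux with /proc mounted and GNU stat. Function names are hypothetical.

# Print one line per open descriptor of PID $1 whose backing file was unlinked:
#   <fd>  <bytes still pinned on disk>  <path> (deleted)
# Prints nothing (and succeeds) if the process is gone or /proc is unreadable.
list_deleted_open_files() {
    pid="$1"
    [ -d "/proc/$pid/fd" ] || return 0
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                # The kernel still resolves the magic link, so stat -L reports
                # the size the filesystem cannot reclaim until the fd closes.
                size=$(stat -L -c '%s' "$fd" 2>/dev/null || echo '?')
                printf '%s\t%s\t%s\n' "${fd##*/}" "$size" "$target"
                ;;
        esac
    done
}

# Echo how many unlinked-but-open files PID $1 is holding (0 if none / no process).
count_deleted_open_files() {
    list_deleted_open_files "$1" | wc -l | tr -d ' '
}

# Reproduce the leak pattern with a constructed temp file: a helper process opens
# it, unlinks it, then keeps running. Echoes "<count while held> <count after>".
demo_leaked_tempfile() {
    tmp=$(mktemp /tmp/upload_demo_XXXXXX)
    printf 'constructed payload\n' > "$tmp"
    sh -c 'exec 3<"$1"; rm -f "$1"; exec sleep 30' _ "$tmp" &
    holder=$!
    # Bounded wait until the helper has opened and unlinked the file.
    i=0
    while [ "$(count_deleted_open_files "$holder")" = "0" ] && [ "$i" -lt 50 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    before=$(count_deleted_open_files "$holder")
    kill "$holder" 2>/dev/null
    wait "$holder" 2>/dev/null || true
    # Once the holder exits its descriptors close and the space is released.
    after=$(count_deleted_open_files "$holder")
    echo "$before $after"
}
```

Run `list_deleted_open_files "$ALF_PID"` from cron or a node-exporter textfile collector; a count that only ever rises between restarts is the signature of this bug, and the second column tells you how much of the root filesystem is already pinned.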

CVE-2018-12418 (Medium) detected in junrar-0.7.jar

CVE-2018-12418 - Medium Severity Vulnerability

Vulnerable Library - junrar-0.7.jar

rar decompression library in plain java

Library home page: https://github.com/junrar/junrar

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/com/github/junrar/junrar/0.7/junrar-0.7.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • junrar-0.7.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

Archive.java in Junrar before 1.0.1, as used in Apache Tika and other products, is affected by a denial of service vulnerability due to an infinite loop when handling corrupt RAR files.

Publish Date: 2018-06-14

URL: CVE-2018-12418

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-12418

Release Date: 2018-06-14

Fix Resolution: 1.0.1


CVE-2018-14719 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-14719 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7


Typo in README

There is a typo in the README file of project https://github.com/Alfresco/alfresco-transform-core/blob/3.1.0/README.md; the name of the deprecated project is wrong:

deprecated/alfresco-base-t-engine - The original t-engine base, which may still be used

wrong: deprecated/alfresco-base-t-engine - The original t-engine base, which may still be used
correct: deprecated/alfresco-transformer-base - The original t-engine base, which may still be used

WS-2009-0001 (Low) detected in commons-codec-1.10.jar

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar,/root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar,/root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar,/root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar,/root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Dependency Hierarchy:

  • alfresco-core-7.3.jar (Root Library)
    • commons-codec-1.10.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available


CVE-2018-15756 (High) detected in spring-web-4.3.18.RELEASE.jar

CVE-2018-15756 - High Severity Vulnerability

Vulnerable Library - spring-web-4.3.18.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/spring-web/4.3.18.RELEASE/spring-web-4.3.18.RELEASE.jar,/root/.m2/repository/org/springframework/spring-web/4.3.18.RELEASE/spring-web-4.3.18.RELEASE.jar,/root/.m2/repository/org/springframework/spring-web/4.3.18.RELEASE/spring-web-4.3.18.RELEASE.jar,/root/.m2/repository/org/springframework/spring-web/4.3.18.RELEASE/spring-web-4.3.18.RELEASE.jar,/root/.m2/repository/org/springframework/spring-web/4.3.18.RELEASE/spring-web-4.3.18.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • spring-web-4.3.18.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-18

Fix Resolution: 4.3.20,5.0.10,5.1.1


CVE-2018-8039 (High) detected in cxf-rt-transports-http-3.0.10.jar

CVE-2018-8039 - High Severity Vulnerability

Vulnerable Library - cxf-rt-transports-http-3.0.10.jar

Apache CXF Runtime HTTP Transport

Library home page: http://cxf.apache.org

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/cxf/cxf-rt-transports-http/3.0.10/cxf-rt-transports-http-3.0.10.jar

Dependency Hierarchy:

  • alfresco-data-model-8.8.jar (Root Library)
    • chemistry-opencmis-client-impl-1.0.0.jar
      • cxf-rt-transports-http-3.0.10.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Publish Date: 2018-07-02

URL: CVE-2018-8039

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8039

Release Date: 2018-02-06

Fix Resolution: 3.1.16,3.2.5


CVE-2017-12624 (Medium) detected in cxf-core-3.0.16.jar, cxf-rt-frontend-jaxrs-3.0.16.jar

CVE-2017-12624 - Medium Severity Vulnerability

Vulnerable Libraries - cxf-core-3.0.16.jar, cxf-rt-frontend-jaxrs-3.0.16.jar

cxf-core-3.0.16.jar

Apache CXF Core

Library home page: http://cxf.apache.org

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • cxf-rt-rs-client-3.0.16.jar
      • cxf-core-3.0.16.jar (Vulnerable Library)

cxf-rt-frontend-jaxrs-3.0.16.jar

Apache CXF Runtime JAX-RS Frontend

Library home page: http://cxf.apache.org

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/cxf/cxf-rt-frontend-jaxrs/3.0.16/cxf-rt-frontend-jaxrs-3.0.16.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • cxf-rt-rs-client-3.0.16.jar
      • cxf-rt-frontend-jaxrs-3.0.16.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Publish Date: 2017-11-14

URL: CVE-2017-12624

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12624

Release Date: 2017-11-14

Fix Resolution: 3.2.1, 3.1.14


CVE-2015-6748 (Medium) detected in jsoup-1.7.2.jar

CVE-2015-6748 - Medium Severity Vulnerability

Vulnerable Library - jsoup-1.7.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/jsoup/jsoup/1.7.2/jsoup-1.7.2.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • grib-4.5.5.jar
      • jsoup-1.7.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

Publish Date: 2017-09-25

URL: CVE-2015-6748

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6748

Release Date: 2017-09-25

Fix Resolution: 1.8.3.


Dependabot couldn't authenticate with https://artifacts.alfresco.com/nexus/content/groups/internal

Dependabot couldn't authenticate with https://artifacts.alfresco.com/nexus/content/groups/internal.

Dependabot tried to authenticate with the details you previously provided, but authentication failed. If they are no longer valid you will need to provide Dependabot with new credentials.

You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.

View the update logs.

CVE-2018-11797 (Medium) detected in pdfbox-2.0.8.jar

CVE-2018-11797 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.8.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: http://www.apache.org/pdfbox-parent/pdfbox/

Path to dependency file: /alfresco-transform-core/alfresco-docker-libreoffice/pom.xml

Path to vulnerable library: 2/repository/org/apache/pdfbox/pdfbox/2.0.8/pdfbox-2.0.8.jar,/root/.m2/repository/org/apache/pdfbox/pdfbox/2.0.8/pdfbox-2.0.8.jar

Dependency Hierarchy:

  • pdfbox-2.0.8.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Publish Date: 2018-10-05

URL: CVE-2018-11797

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11797

Release Date: 2019-04-08

Fix Resolution: 1.8.16,2.0.12


WS-2016-0090 (Medium) detected in jquery-1.12.4.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: d5dd0b84d8889d0b48363f057ab4e0aa0a81c8aa

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

CVE-2018-5968 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4


Step up your Open Source Security Game with WhiteSource here

WS-2018-0601 (Medium) detected in commons-compress-1.19.jar

WS-2018-0601 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.19.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/commons/commons-compress/1.19/commons-compress-1.19.jar

Dependency Hierarchy:

  • tika-parsers-1.21-20190624-alfresco-patched.jar (Root Library)
    • commons-compress-1.19.jar (Vulnerable Library)

Found in HEAD commit: a4fc989fc8a02b01a58b219666424e7d6c5adf37

Vulnerability Details

The example Expander class in Apache Commons Compress before 1.18 has been vulnerable to a path traversal in the edge case that happens when the target directory has a sibling directory and the name of the target directory is a prefix of the sibling directory's name.

Publish Date: 2019-09-26

URL: WS-2018-0601

CVSS 2 Score Details (6.0)

Base Score Metrics not available

CVE-2019-12402 (Medium) detected in commons-compress-1.18.jar

CVE-2019-12402 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

  • commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 8142836caf3a42dc77a0e74346e16bbc3eaf9c7b

Vulnerability Details

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Publish Date: 2019-08-30

URL: CVE-2019-12402

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

Release Date: 2019-08-30

Fix Resolution: 1.19

NoClassDefFoundError in AIO transformer

The All-in-One transformer is throwing an error when handling some transformations that point to a potentially missing class file / dependency:

2022-06-08 10:25:52.504 ERROR 1 --- [nio-8090-exec-3] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Handler dispatch failed; nested exception is java.lang.NoClassDefFoundError: com/microsoft/schemas/office/x2006/encryption/EncryptionDocument$Factory] with root cause 
java.lang.NoClassDefFoundError: com/microsoft/schemas/office/x2006/encryption/EncryptionDocument$Factory
	at org.apache.poi.poifs.crypt.agile.AgileEncryptionInfoBuilder.parseDescriptor(AgileEncryptionInfoBuilder.java:104) ~[poi-ooxml-4.1.2.jar!/:4.1.2]
	at org.apache.poi.poifs.crypt.agile.AgileEncryptionInfoBuilder.initialize(AgileEncryptionInfoBuilder.java:40) ~[poi-ooxml-4.1.2.jar!/:4.1.2]
	at org.apache.poi.poifs.crypt.EncryptionInfo.<init>(EncryptionInfo.java:152) ~[poi-4.1.2.jar!/:4.1.2]
	at org.apache.poi.poifs.crypt.EncryptionInfo.<init>(EncryptionInfo.java:101) ~[poi-4.1.2.jar!/:4.1.2]
	at org.apache.tika.parser.microsoft.OfficeParser.parse(OfficeParser.java:241) ~[tika-parsers-standard-package-2.2.1.jar!/:2.2.1]
	at org.apache.tika.parser.microsoft.OfficeParser.parse(OfficeParser.java:173) ~[tika-parsers-standard-package-2.2.1.jar!/:2.2.1]
	at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:289) ~[tika-core-2.2.1.jar!/:2.2.1]
	at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:289) ~[tika-core-2.2.1.jar!/:2.2.1]
	at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:289) ~[tika-core-2.2.1.jar!/:2.2.1]
	at org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:185) ~[tika-core-2.2.1.jar!/:2.2.1]
	at org.alfresco.transformer.executors.Tika.transform(Tika.java:693) ~[alfresco-transform-tika-2.5.7.jar!/:2.5.7]
	at org.alfresco.transformer.executors.Tika.transform(Tika.java:673) ~[alfresco-transform-tika-2.5.7.jar!/:2.5.7]
	at org.alfresco.transformer.executors.Tika.transform(Tika.java:617) ~[alfresco-transform-tika-2.5.7.jar!/:2.5.7]
	at org.alfresco.transformer.executors.TikaJavaExecutor.call(TikaJavaExecutor.java:141) ~[alfresco-transform-tika-2.5.7.jar!/:2.5.7]
	at org.alfresco.transformer.executors.TikaJavaExecutor.transform(TikaJavaExecutor.java:131) ~[alfresco-transform-tika-2.5.7.jar!/:2.5.7]
	at org.alfresco.transformer.executors.Transformer.transform(Transformer.java:70) ~[alfresco-transformer-base-2.5.7.jar!/:2.5.7]
	at org.alfresco.transformer.AIOController.transformImpl(AIOController.java:124) ~[classes!/:2.5.7]
	at org.alfresco.transformer.AbstractTransformerController.transform(AbstractTransformerController.java:213) ~[alfresco-transformer-base-2.5.7.jar!/:2.5.7]
	at jdk.internal.reflect.GeneratedMethodAccessor59.invoke(Unknown Source) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:681) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.15.jar!/:5.3.15]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-embed-websocket-9.0.56.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96) ~[spring-boot-actuator-2.6.3.jar!/:2.6.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar!/:5.3.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:769) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1735) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.58.jar!/:na]
	at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]

When looking at the JAR in question within the Docker image, it does contain the expected ooxml-schemas JAR which "should" contain the relevant class, but it apparently failed to be loaded. The problem seems to be that the expected class in the POI dependencies originates from version 4.1.2 of poi-ooxml-schemas, while the AIO transformer explicitly only contains version 1.4 of ooxml-schemas (the obsolete predecessor artifact). Looking at it, it appears that the granular TIKA transformer is also affected, since the AIO only aggregates its dependencies.
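
Added example (not code from alfresco-transform-core): a helper that scans the nested jars of a Spring Boot executable jar and reports which artifact provides a class, and which artifacts overlap on a package. The `jar!/` suffixes in the stack trace above show the T-Engine runs as a Spring Boot fat jar, whose dependencies sit under BOOT-INF/lib/, so that is where the check looks. The fat jar the example builds is constructed in memory; its jar names and class entries are illustrative, not a claim about what the real ooxml-schemas or poi-ooxml-schemas artifacts contain.

```python
"""Find which nested jar in a Spring Boot fat jar provides a class.

Added example for the NoClassDefFoundError report above; not part of
alfresco-transform-core. A NoClassDefFoundError for a class that "should"
be present is usually a packaging conflict: two artifacts claim the same
package and the one that won the classpath lacks the class. The sample fat
jar below is constructed; its names are illustrative.
"""
import io
import zipfile
from typing import Dict, Iterator, List, Tuple


def class_to_entry(class_name: str) -> str:
    """'a.b.C$Factory' -> 'a/b/C$Factory.class' (nested classes keep the '$')."""
    return class_name.replace(".", "/") + ".class"


def _nested_jars(fat_jar: bytes) -> Iterator[Tuple[str, zipfile.ZipFile]]:
    """Yield (jar file name, ZipFile) for every BOOT-INF/lib/*.jar, in archive order."""
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as outer:
        for name in outer.namelist():
            if name.startswith("BOOT-INF/lib/") and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                    yield name.rsplit("/", 1)[1], inner


def find_class_providers(fat_jar: bytes, class_name: str) -> List[str]:
    """Nested jars containing the class; an empty list is NoClassDefFoundError territory."""
    entry = class_to_entry(class_name)
    return [jar for jar, z in _nested_jars(fat_jar) if entry in z.namelist()]


def package_providers(fat_jar: bytes, package: str) -> Dict[str, int]:
    """Count classes of `package` per nested jar; two keys here means a conflict."""
    prefix = package.replace(".", "/") + "/"
    counts: Dict[str, int] = {}
    for jar, z in _nested_jars(fat_jar):
        n = sum(1 for e in z.namelist() if e.startswith(prefix) and e.endswith(".class"))
        if n:
            counts[jar] = n
    return counts


def _jar(entries: List[str]) -> bytes:
    """Build an in-memory jar whose class files are empty (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for e in entries:
            z.writestr(e, b"")
    return buf.getvalue()


SCHEMA_PKG = "com.microsoft.schemas.office.x2006"
SCHEMA_DIR = SCHEMA_PKG.replace(".", "/")
MISSING_CLASS = SCHEMA_PKG + ".encryption.EncryptionDocument$Factory"


def build_sample_fat_jar(with_new_schemas: bool) -> bytes:
    """Constructed fat jar: an old schema jar without the encryption package and,
    optionally, a newer one that has it. Jar names are illustrative only."""
    old = _jar([f"{SCHEMA_DIR}/digsig/SignatureTimeDocument.class"])
    new = _jar([
        f"{SCHEMA_DIR}/digsig/SignatureTimeDocument.class",
        f"{SCHEMA_DIR}/encryption/EncryptionDocument.class",
        f"{SCHEMA_DIR}/encryption/EncryptionDocument$Factory.class",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("BOOT-INF/lib/ooxml-schemas-1.4.jar", old)
        if with_new_schemas:
            z.writestr("BOOT-INF/lib/poi-ooxml-schemas-4.1.2.jar", new)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        jar = build_sample_fat_jar(flag)
        print("providers:", find_class_providers(jar, MISSING_CLASS))
        print("overlap:", package_providers(jar, SCHEMA_PKG + ".digsig"))
```

With only the old schema jar present, `find_class_providers` returns an empty list, which is the situation the report describes; with both present it names the newer jar, and `package_providers` shows the two artifacts overlapping on a package, which is what to look for when deciding which dependency to exclude. Against a real image, copy the executable jar out with `docker cp` and pass its bytes to the two functions.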

Zombie processes in LibreOffice Transformer container

Running the LibreOffice Transformer container with image version 2.3.6 on Ubuntu 20.04 LTS using a Docker Compose deployment of ACS Community 6.2 GA, we have observed soffice zombie processes accumulating over time.

When logging in to the customer environment, I was greeted by the following:

Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 11 Feb 2021 03:04:17 PM UTC

  System load:                      0.12
  Usage of /:                       28.6% of 97.44GB
  Memory usage:                     74%
  Swap usage:                       17%
  Processes:                        271
  Users logged in:                  0
  IPv4 address for br-2fb05fc25e4c: 172.30.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          172.23.224.105

  => There are 11 zombie processes.

Checking for defunct processes yielded:

alfadmin@sthjnalf001:~$ ps axo stat,ppid,pid,comm | grep -w defunct
Z       1685    3073 soffice.bin <defunct>
Z       1685 1013780 soffice.bin <defunct>
Z       1685 1060187 soffice.bin <defunct>
Z       1685 1604515 soffice.bin <defunct>
Z       1685 1839369 soffice.bin <defunct>
Z       1685 1982672 soffice.bin <defunct>
Z       1685 2342380 soffice.bin <defunct>
Z       1685 2459218 soffice.bin <defunct>
Z       1685 2461051 soffice.bin <defunct>
Z       1685 2463188 soffice.bin <defunct>
Z       1685 2566739 soffice.bin <defunct>

A simple docker-compose restart <libreoffice-service-name> clears all these processes.
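
Added example (not code from alfresco-transform-core): a small monitor that parses `ps axo stat,ppid,pid,comm` output, groups defunct entries by parent PID and names the parent, so the check reports who is leaking children rather than just a count. The listing it runs on is constructed to mirror the report above (parent PID 1685, `soffice.bin` children); the parent names and the extra rows are assumptions for the sample.

```python
"""Group zombie (defunct) processes by parent from `ps axo stat,ppid,pid,comm`.

Added example for the LibreOffice zombie report above; not part of
alfresco-transform-core. A zombie is a child whose parent has not called
wait() on it yet. Each one holds a PID, so enough of them exhaust the PID
space or a container's pids limit. The parent named by PPID is still alive,
so the signal worth alerting on is which parent is leaking children.
The sample listing below is constructed, shaped like the report's output.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple


class Proc(NamedTuple):
    stat: str
    ppid: int
    pid: int
    comm: str


def parse_ps(lines: Iterable[str]) -> List[Proc]:
    """Parse `ps axo stat,ppid,pid,comm` rows; the header line is skipped."""
    procs = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # header ("STAT PPID PID COMMAND") or malformed row
        stat, ppid, pid, comm = parts
        procs.append(Proc(stat, int(ppid), int(pid), comm.strip()))
    return procs


def zombies_by_parent(procs: Iterable[Proc]) -> Dict[int, int]:
    """Count zombies per parent PID; a STAT beginning with 'Z' marks a zombie."""
    return dict(Counter(p.ppid for p in procs if p.stat.startswith("Z")))


def leaking_parents(procs: List[Proc], threshold: int) -> List[str]:
    """'comm(pid): n zombies' for every parent with at least `threshold` zombies."""
    by_pid = {p.pid: p for p in procs}
    report = []
    for ppid, n in sorted(zombies_by_parent(procs).items()):
        if n >= threshold:
            parent = by_pid.get(ppid)
            name = parent.comm if parent else "unknown"
            report.append(f"{name}({ppid}): {n} zombies")
    return report


# Constructed sample, shaped like the `ps` output in the report above.
SAMPLE_PS = """\
STAT    PPID     PID COMMAND
Ss         1       1 tini
Sl         1    1685 java
Z       1685    3073 soffice.bin <defunct>
Z       1685 1013780 soffice.bin <defunct>
Z       1685 1060187 soffice.bin <defunct>
S       1685 2600001 soffice.bin
Z          1 2700000 sh <defunct>
""".splitlines()

if __name__ == "__main__":
    for line in leaking_parents(parse_ps(SAMPLE_PS), threshold=2):
        print(line)
```

In the report the zombies' parent (1685) is alive, so running the container with an init process as PID 1 would not reap them; only the parent waiting on its children, or the parent going away, clears them, which is why restarting the service works.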

CVE-2019-0199 (High) detected in tomcat-embed-core-8.5.32.jar

CVE-2019-0199 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.32.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /alfresco-transform-core/alfresco-transformer-base/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.32/tomcat-embed-core-8.5.32.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • spring-boot-starter-tomcat-1.5.15.RELEASE.jar
        • tomcat-embed-core-8.5.32.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-04-10

URL: CVE-2019-0199

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199

Release Date: 2019-04-10

Fix Resolution: 8.5.38,9.0.14

CVE-2015-9251 (Medium) detected in jquery-1.12.4.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: d5dd0b84d8889d0b48363f057ab4e0aa0a81c8aa

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

CVE-2018-14718 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Licence for transformers in community version

The license notice displayed at the start of every transformer requires written permission from Alfresco Software. Is this agreement required for running the community version, or is it part of the enterprise version?

License rights for this program may be obtained from Alfresco Software, Ltd. pursuant to a written agreement and any use of this program without such an agreement is prohibited.

CVE-2018-19360 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-19360 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

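Added example (not code from alfresco-transform-core or from WhiteSource): a triage helper for the scanner findings on this page, in particular the jackson-databind reports for CVE-2018-5968, CVE-2018-14718 and CVE-2018-19360 and the Tomcat report for CVE-2019-0199. A fix resolution such as "2.8.11.1, 2.9.4" names one fixed release per maintained branch, so the question to ask is whether the detected version is at or above the fix on its own branch, not whether it is lower than the newest fix listed. The version and fix strings fed in are copied from the reports above; the branch rule (all but the last segment of the shorter version must agree) and the dropping of qualifiers such as RELEASE are this helper's own simplifications, not Maven's full ordering.

```python
"""Triage a dependency-scanner finding against its listed fix resolution.

Added example for the WhiteSource reports on this page; not part of
alfresco-transform-core. Versions are compared as dotted numbers with
missing segments treated as zero; a trailing non-numeric qualifier is
dropped (an assumption of this helper, not Maven's complete rule).
"""
import re
from functools import cmp_to_key
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.5.32' -> (8, 5, 32); '1.5.15.RELEASE' -> (1, 5, 15)."""
    nums: List[int] = []
    for part in re.split(r"[.\-]", text.strip()):
        if part.isdigit():
            nums.append(int(part))
        else:
            break  # qualifier reached; everything after it is ignored
    if not nums:
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(nums)


def compare(a: Version, b: Version) -> int:
    """-1, 0 or 1, padding the shorter tuple with zeros (2.8.11 == 2.8.11.0)."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


def parse_fix_resolution(text: str) -> List[Version]:
    """Split '8.5.38,9.0.14' or '2.8.11.1, 2.9.4' into version tuples."""
    return [parse_version(p) for p in re.split(r"[,;]", text) if p.strip()]


def same_branch(a: Version, b: Version) -> bool:
    """Heuristic: all but the last segment of the shorter version agree."""
    n = min(len(a), len(b)) - 1
    return a[:n] == b[:n]


def triage(detected: str, fix_resolution: str) -> str:
    """Decide what a finding asks of the detected version on its own branch."""
    det = parse_version(detected)
    fixes = parse_fix_resolution(fix_resolution)
    on_branch = [f for f in fixes if same_branch(det, f)]
    if not on_branch:
        newest = max(fixes, key=cmp_to_key(compare))
        return f"no fix on this branch; upgrade to {fmt(newest)}"
    fix = max(on_branch, key=cmp_to_key(compare))
    if compare(det, fix) >= 0:
        return f"at or above branch fix {fmt(fix)}; re-check the finding"
    return f"upgrade within branch to {fmt(fix)}"


# Findings as they appear on this page: (library / id, detected, fix resolution).
FINDINGS = [
    ("jackson-databind / CVE-2018-5968", "2.8.11.2", "2.8.11.1, 2.9.4"),
    ("jackson-databind / CVE-2018-14718", "2.8.11.2", "2.9.7"),
    ("jackson-databind / CVE-2018-19360", "2.8.11.2", "2.9.8"),
    ("tomcat-embed-core / CVE-2019-0199", "8.5.32", "8.5.38,9.0.14"),
    ("commons-compress / CVE-2019-12402", "1.18", "1.19"),
]

if __name__ == "__main__":
    for lib, det, fix in FINDINGS:
        print(f"{lib}: {det} -> {triage(det, fix)}")
```

Run over the page's own numbers, the CVE-2018-5968 finding comes out as "at or above branch fix 2.8.11.1", since the detected 2.8.11.2 is newer than the 2.8-branch fix the report itself lists, so that one needs re-checking rather than an upgrade; the two later jackson-databind findings list no 2.8-branch fix at all, so they call for moving to 2.9.x, and Tomcat 8.5.32 has a same-branch fix at 8.5.38. The jackson-databind gadget issues are reachable only where the application enables default typing or uses polymorphic type handling (@JsonTypeInfo) on untrusted input, so the upgrade is worth pairing with a check that the T-Engine's ObjectMapper does neither.
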
CVE-2015-6644 (Low) detected in bcprov-jdk15on-1.62.jar

CVE-2015-6644 - Low Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.62.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: 2/repository/org/bouncycastle/bcprov-jdk15on/1.62/bcprov-jdk15on-1.62.jar

Dependency Hierarchy:

  • bcprov-jdk15on-1.62.jar (Vulnerable Library)

Found in HEAD commit: 30ed758b9524af91ee78d5a1cfd436b2026c9cf6

Vulnerability Details

Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.

Publish Date: 2016-01-06

URL: CVE-2015-6644

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6644

Release Date: 2016-01-06

Fix Resolution: Bouncy Castle in Android - 5.1.1, 2016-01-01

CVE-2018-20677 (Medium) detected in bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

bootstrap-3.2.0-3.3.0.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.2.0-3.3.0/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html,/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/lgpl, v2.1 or later - lgpl-license.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/the mit license - mit.html

Dependency Hierarchy:

  • bootstrap-3.2.0-3.3.0.min.js (Vulnerable Library)

bootstrap-3.3.7-3.3.13.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Dependency Hierarchy:

  • bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)

Found in HEAD commit: d5dd0b84d8889d0b48363f057ab4e0aa0a81c8aa

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

Can't build in Windows 10

When trying to compile the project, I always get the following error:

Plugin org.codehaus.mojo:license-maven-plugin:2.0.1.alfresco-2 or one of its dependencies could not be resolved: Could not find artifact org.codehaus.mojo:license-maven-plugin:jar:2.0.1.alfresco-2 in central (https://repo.maven.apache.org/maven2) -> [Help 1]

Regards.

Alfresco 7.1 Does not extract text from PDF/A of large files

(I'm not sure exactly which repo I ask this in).

I've been trying to get Alfresco to extract text from PDF/A files larger than 25 MB and I haven't been successful. I've read countless pages of documentation and installed different versions on different operating systems. I tested several recommended settings and removed all the limits I could find, all without success.

At the moment I'm using:

  • Alfresco version 7.1
  • Search Services 2.0.2
  • Ubuntu 20.04 (compatible version according to documentation).
  • Installation was done through Ansible. Following all the documentation.

Alfresco can extract text from PDF files smaller than 25 MB, but not from any larger than that. The logs do not report any problems regarding this.

I know this from the logs: here two PDFs of different sizes were sent, but the text was extracted from only one:

(screenshot: pdf-test)

Goal: Be able to search for terms that exist in PDF/A files larger than 25MB.

Some settings I've tried:

### Time out configured for all extractor and all mimetypes
content.metadataExtracter.default.timeoutMs=3600000

### Maximum size of a document to process - configured for PdfBoxMetadataExtracter , pdf files
content.metadataExtracter.pdf.maxDocumentSizeMB=900

### Maximum number of concurrent extractions - configured for PdfBoxMetadataExtracter , pdf files
content.metadataExtracter.pdf.maxConcurrentExtractionsCount=15


content.transformer.default.timeoutMs=3600000
content.transformer.default.txt.*.maxSourceSizeKBytes=1073741824
content.transformer.JodConverter.maxSourceSizeKBytes=1073741824
content.transformer.JodConverter.extensions.doc.pdf.maxSourceSizeKBytes=1073741824
content.transformer.JodConverter.extensions.doc.pdf.maxSourceSizeKBytes.use.asyncRule=1073741824
content.transformer.default.extensions.pdf.swf.maxSourceSizeKBytes.use.index=1073741824
content.transformer.TikaAuto.timeoutMs.use.index=3600000
content.transformer.default.extensions.doc.txt.maxSourceSizeKBytes=1073741824
content.transformer.TikaAuto.timeoutMs=3600000
content.transformer.default.extensions.pdf.swf.maxSourceSizeKBytes=1073741824
content.transformer.default.extensions.pdf.swf.maxSourceSizeKBytes.use.webpreview=1073741824
content.transformer.PdfBox.extensions.pdf.txt.maxSourceSizeKBytes=1073741824
content.transformer.TikaAuto.extensions.pdf.txt.maxSourceSizeKBytes=1073741824

I followed the instructions on this page:
export TRANSFORMER_ROUTES_ADDITIONAL_custom="/etc/opt/alfresco/content-services/classpath/alfresco/extension/transform/pipelines/custom-pipeline-file.json"

And I created the file custom-pipeline-file.json with the most varied configurations, here are some that I tried:

{
  "overrideSupported": [
    {
      "maxSourceSizeBytes": 1073741824
    }
  ]
}

{
  "transformers": [
    {
      "transformerName": "tika",
      "supportedSourceAndTargetList": [
        {"sourceMediaType": "application/pdf", "maxSourceSizeBytes": 1073741824, "targetMediaType": "text/plain"},
        {"sourceMediaType": "application/pdf", "priority": 40, "targetMediaType": "text/plain"}
      ]
    }
  ]
}

After digging deeper into this I got a configuration in the file I created, custom-pipeline-file.json, which gave a different result. Here's the configuration:

{
  "transformers": [
    {
      "transformerName": "PdfBox",
      "supportedSourceAndTargetList": [
        {"sourceMediaType": "application/pdf", "maxSourceSizeBytes": 1073741824, "targetMediaType": "text/plain"}
      ],
      "transformOptions": [
        "pdfboxOptions"
      ]
    }
  ]
}

And I get the error below in the logs:

2022-10-25 02:44:40.172 ERROR 41834 --- [nio-8090-exec-7] o.a.transformer.TransformController      : No transforms were able to handle the request

org.alfresco.transform.exceptions.TransformException: No transforms were able to handle the request
    at org.alfresco.transformer.AbstractTransformerController.getTransformerName(AbstractTransformerController.java:444) ~[alfresco-transformer-base-2.5.3.jar!/:2.5.3]
    at org.alfresco.transformer.AbstractTransformerController.getTransformerName(AbstractTransformerController.java:421) ~[alfresco-transformer-base-2.5.3.jar!/:2.5.3]
    at org.alfresco.transformer.AbstractTransformerController.transform(AbstractTransformerController.java:172) ~[alfresco-transformer-base-2.5.3.jar!/:2.5.3]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1064) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:681) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.9.jar!/:5.3.9]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-embed-websocket-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96) ~[spring-boot-actuator-2.5.4.jar!/:2.5.4]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar!/:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1726) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.52.jar!/:na]
    at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]

I know this is probably a configuration issue rather than a bug, but I've had a lot of trouble getting this to work with just the documentation provided.
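The error above is the T-Engine's answer when no entry in its transform config matches the request, and a size limit is one of the ways an entry stops matching. The following is an added example, not code from the issue or from the project: it reproduces that lookup over a constructed config (the 25 MiB PdfBox limit, the engine names and the priorities are assumptions, not values taken from a real /transform/config response) so that an operator can see which limit rejects a given file and confirm that an override actually changes the outcome before redeploying.

```python
"""Which transformer, if any, accepts (source mime, target mime, size)?

Added example, not project code. The config below is constructed to mirror
the shape of a T-Engine transform config; its limits are assumptions.
"""
import json

MIB = 1024 * 1024

SAMPLE_CONFIG = json.dumps({
    "transformers": [
        {
            "transformerName": "PdfBox",
            "supportedSourceAndTargetList": [
                # Assumed 25 MiB ceiling for pdf -> txt; -1 means unlimited.
                {"sourceMediaType": "application/pdf", "targetMediaType": "text/plain",
                 "maxSourceSizeBytes": 25 * MIB, "priority": 50},
                {"sourceMediaType": "application/pdf", "targetMediaType": "image/png",
                 "maxSourceSizeBytes": -1, "priority": 50},
            ],
            "transformOptions": ["pdfboxOptions"],
        },
        {
            "transformerName": "tika",
            "supportedSourceAndTargetList": [
                {"sourceMediaType": "application/msword", "targetMediaType": "text/plain",
                 "maxSourceSizeBytes": -1, "priority": 50},
            ],
            "transformOptions": ["tikaOptions"],
        },
    ]
})


def load_config(text=SAMPLE_CONFIG):
    """Parse a transform config document (the JSON a T-Engine serves)."""
    return json.loads(text)


def _entries(config, source_mime, target_mime):
    """Yield (transformerName, entry) for every entry matching both media types."""
    for t in config["transformers"]:
        for s in t.get("supportedSourceAndTargetList", []):
            if s["sourceMediaType"] == source_mime and s["targetMediaType"] == target_mime:
                yield t["transformerName"], s


def candidates(config, source_mime, target_mime, source_size):
    """Transformers that accept the request, best priority (lowest number) first."""
    hits = []
    for name, s in _entries(config, source_mime, target_mime):
        limit = s.get("maxSourceSizeBytes", -1)
        if limit == -1 or source_size <= limit:
            hits.append((s.get("priority", 50), name, limit))
    hits.sort()
    return [(name, limit) for _, name, limit in hits]


def choose(config, source_mime, target_mime, source_size):
    """Name of the winning transformer, or None ("No transforms were able to handle the request")."""
    hits = candidates(config, source_mime, target_mime, source_size)
    return hits[0][0] if hits else None


def explain_rejections(config, source_mime, target_mime, source_size):
    """Entries that match the media types but reject the size, so you see which limit bit."""
    out = []
    for name, s in _entries(config, source_mime, target_mime):
        limit = s.get("maxSourceSizeBytes", -1)
        if limit != -1 and source_size > limit:
            out.append(f"{name}: {source_size} > maxSourceSizeBytes {limit}")
    return out


def override_limit(config, transformer, source_mime, target_mime, new_limit):
    """Copy of config with one entry's maxSourceSizeBytes replaced (what a custom config must end up doing)."""
    cfg = json.loads(json.dumps(config))
    for name, s in _entries(cfg, source_mime, target_mime):
        if name == transformer:
            s["maxSourceSizeBytes"] = new_limit
    return cfg


if __name__ == "__main__":
    cfg = load_config()
    for size in (20 * MIB, 30 * MIB):
        print(size // MIB, "MiB ->", choose(cfg, "application/pdf", "text/plain", size),
              explain_rejections(cfg, "application/pdf", "text/plain", size))
    raised = override_limit(cfg, "PdfBox", "application/pdf", "text/plain", 1073741824)
    print("after override ->", choose(raised, "application/pdf", "text/plain", 30 * MIB))
```

Point `load_config` at the JSON served by the engine you are debugging and run `explain_rejections` with the real file size: if it lists an entry, the limit lives in that engine's config and has to be overridden there; if it lists nothing and `choose` still returns None, the media types themselves are not matching (a PDF/A detected as something other than application/pdf, for instance), which is a different problem from size.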

temp files not deleted in many exceptional cases

In Alfresco there is a temp file provider that cleans up temp files that have not been cleaned properly within 24h. No such system exists in this project.

In

a temp file is created to hold the transform results/target. Similarly a source file is produced near the top of this transform() method.

If any of the exceptional conditions happen that result in the following lines of code executing: 364, 373, 389, 398, 407, the transform method returns without a finally and leaves the source and target files on disk, and they are NEVER cleaned up.

The transform implementation that starts on line 165 (handles REST calls) doesn't appear to clean up temp files ever.
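The leak pattern described in this issue, and the two things that close it, as an added example that is not the project's code: a handler that cleans up only on the happy path next to one whose finally runs on every exit, plus an age-based sweeper of the kind Alfresco's temp file provider performs. The engine callbacks, the 24-hour threshold and the payload are constructed for the demonstration.

```python
"""Guaranteed temp-file cleanup for a transform handler.

Added example, not project code. Reproduces the reported leak (early return
or exception after the temp files exist) beside a try/finally version, and a
24h reaper like the provider the issue says this project lacks.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path


class TransformError(Exception):
    """Stands in for the exceptional exits inside transform()."""


def _make_pair(workdir, source_bytes, created):
    """Write source_*.pdf with the payload and an empty target_*.txt; record both in `created`."""
    src = tempfile.NamedTemporaryFile(dir=workdir, prefix="source_", suffix=".pdf", delete=False)
    created.append(src.name)
    src.write(source_bytes)
    src.close()
    tgt = tempfile.NamedTemporaryFile(dir=workdir, prefix="target_", suffix=".txt", delete=False)
    created.append(tgt.name)
    tgt.close()
    return src.name, tgt.name


def leaky_transform(source_bytes, engine, workdir):
    """Shape of the reported bug: cleanup happens only on the happy path."""
    src, tgt = _make_pair(workdir, source_bytes, [])
    if not source_bytes:
        return None            # exceptional return: both files stay on disk
    engine(src, tgt)           # if the engine raises, both files stay on disk
    result = Path(tgt).read_bytes()
    os.unlink(src)
    os.unlink(tgt)
    return result


def safe_transform(source_bytes, engine, workdir):
    """Same flow; the finally runs on every exit, including the two above."""
    created = []
    try:
        src, tgt = _make_pair(workdir, source_bytes, created)
        if not source_bytes:
            return None
        engine(src, tgt)
        return Path(tgt).read_bytes()
    finally:
        for path in created:
            try:
                os.unlink(path)
            except FileNotFoundError:
                pass


def sweep_stale(workdir, max_age_s=24 * 3600, now=None):
    """Reaper of last resort: delete files whose mtime is older than max_age_s."""
    now = time.time() if now is None else now
    removed = []
    for p in Path(workdir).iterdir():
        if p.is_file() and now - p.stat().st_mtime > max_age_s:
            p.unlink()
            removed.append(p.name)
    return sorted(removed)


def leftovers(workdir):
    """Names of files currently sitting in workdir."""
    return sorted(p.name for p in Path(workdir).iterdir())


def failing_engine(src, tgt):
    raise TransformError("engine returned 400")       # constructed failure


def upper_engine(src, tgt):
    Path(tgt).write_bytes(Path(src).read_bytes().upper())


def run_demo():
    """Drive both handlers through both exceptional paths and report what stays on disk."""
    work = tempfile.mkdtemp(prefix="tengine_demo_")
    payload = b"%PDF-1.4 constructed sample"          # constructed, not a real PDF
    try:
        counts = {}
        for handler in (leaky_transform, safe_transform):
            handler(b"", failing_engine, work)        # early-return path
            try:
                handler(payload, failing_engine, work)  # exception path
            except TransformError:
                pass
            counts[handler.__name__] = len(leftovers(work))
        happy_ok = safe_transform(payload, upper_engine, work) == payload.upper()
        old = time.time() - 25 * 3600                 # age the leaked files past the threshold
        for name in leftovers(work):
            os.utime(Path(work) / name, (old, old))
        swept = sweep_stale(work)
        return {
            "leaked_by_leaky": counts["leaky_transform"],
            "leaked_by_safe": counts["safe_transform"] - counts["leaky_transform"],
            "swept": len(swept),
            "remaining": len(leftovers(work)),
            "happy_path_ok": happy_ok,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The finally is the real fix; the sweeper only bounds how long a bug like this can fill the disk, and it must be scoped to the engine's own temp directory with a sensible age so it never deletes files a long transform is still using.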

Error parsing HTTP request

Hi,
I'm getting the error below when starting Transform Core 2.4 for alfresco community version 7.0.0.

2021-06-02 14:52:30.101  INFO 1 --- [nio-8090-exec-1] o.apache.coyote.http11.Http11Processor : Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.

java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x030x010xaa0x010x000x010xa60x030x030x990x8a0xbeVk0xff0x0d-0xf90xb9;0x880xc030x8bja0xb40xdf0xa40xcf0x9e0xd5!u:50xbd0x0fN0xddm]. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

2021-06-02 14:52:30.103  INFO 1 --- [nio-8090-exec-2] o.apache.coyote.http11.Http11Processor : Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.

java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x030x010xaa0x010x000x010xa60x030x030xa8.0xa10xc60x870xb20x19<y&0xe90xa60x030x18^0xc3>0x01u0x0eb&0xcf1$\0xc40x9f0xc6l0xfau]. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.36.jar!/:9.0.36]
    at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
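Tomcat prints the bytes it could not parse as a request line with non-token bytes escaped as 0xNN and printable bytes left as they are, so the bracketed payload can be decoded and inspected. The following is an added example, not part of the issue or the project: a decoder for that escaping plus a check for a TLS record header, which is the usual cause of this exact message (an HTTPS client, health check or probe talking to a listener that only speaks plaintext HTTP). The first sample log line is the one quoted in the issue; the second is constructed, and the decoder assumes Tomcat's 0xNN convention, so a genuine method name containing the text "0x" followed by two hex digits would be mis-decoded.

```python
"""Decode Tomcat's 'Invalid character found in method name [...]' payloads.

Added example, not project code. Turns the escaped bytes back into raw bytes
and reports whether they look like a TLS handshake record on a plaintext port.
"""
import re

# Line 1 is copied from the issue above; line 2 is constructed (a SOCKS5 greeting).
SAMPLE_LOG = """\
2021-06-02 14:52:30.101 INFO 1 --- [nio-8090-exec-1] o.apache.coyote.http11.Http11Processor : Error parsing HTTP request header Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level. java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x030x010xaa0x010x000x010xa60x030x030x990x8a0xbeVk0xff0x0d-0xf90xb9;0x880xc030x8bja0xb40xdf0xa40xcf0x9e0xd5!u:50xbd0x0fN0xddm]. HTTP method names must be tokens
2021-06-02 14:53:01.777 INFO 1 --- [nio-8090-exec-3] o.apache.coyote.http11.Http11Processor : Error parsing HTTP request header java.lang.IllegalArgumentException: Invalid character found in method name [0x050x010x00]. HTTP method names must be tokens
"""

# Tomcat's escaping: 0xNN for a non-token byte, the byte itself otherwise.
ESCAPE_RE = re.compile(r"0x([0-9a-f]{2})|(.)", re.I | re.S)
LINE_RE = re.compile(
    r"\[(?P<thread>[^\]]+)\].*?method name \[(?P<payload>.*)\]\. HTTP method names must be tokens"
)
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}


def decode_tomcat_bytes(payload):
    """Reverse Tomcat's escaping into the raw bytes the socket received."""
    return bytes(int(h, 16) if h else ord(c) for h, c in ESCAPE_RE.findall(payload))


def classify(raw):
    """Detect a TLS record header: content type 0x16 (handshake), version 0x03 0x0N, 2-byte length."""
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] in TLS_VERSIONS:
        info = {
            "tls": True,
            "record_version": TLS_VERSIONS[raw[2]],
            "record_length": int.from_bytes(raw[3:5], "big"),
        }
        # Handshake body follows the 5-byte record header: type (1 = ClientHello), 3-byte length, version.
        if raw[5] == 0x01 and len(raw) >= 11:
            info["handshake"] = "ClientHello"
            info["handshake_length"] = int.from_bytes(raw[6:9], "big")
            info["client_version"] = TLS_VERSIONS.get(raw[10], hex(raw[10])) if raw[9] == 0x03 else "unknown"
        info["verdict"] = "TLS handshake sent to a plaintext HTTP listener"
        return info
    return {"tls": False, "verdict": "not TLS; first bytes " + raw[:4].hex()}


def analyse_log(text):
    """Decode and classify every 'Invalid character found in method name' line in a log excerpt."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = decode_tomcat_bytes(m.group("payload"))
        result = {"thread": m.group("thread"), "length": len(raw)}
        result.update(classify(raw))
        results.append(result)
    return results


if __name__ == "__main__":
    for r in analyse_log(SAMPLE_LOG):
        print(r)
```

When the verdict is TLS, the fix is on the client side of the connection (use http:// for that port, or terminate TLS in front of the engine, or enable TLS on the engine itself); the message in the T-Engine log is Tomcat correctly refusing a request line that is not HTTP, not a fault in the transformer.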

CVE-2019-14262 (High) detected in metadata-extractor-2.11.0.jar

CVE-2019-14262 - High Severity Vulnerability

Vulnerable Library - metadata-extractor-2.11.0.jar

Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.

Library home page: https://drewnoakes.com/code/exif/

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/com/drewnoakes/metadata-extractor/2.11.0/metadata-extractor-2.11.0.jar

Dependency Hierarchy:

  • tika-parsers-1.21-20190624-alfresco-patched.jar (Root Library)
    • metadata-extractor-2.11.0.jar (Vulnerable Library)

Found in HEAD commit: a4fc989fc8a02b01a58b219666424e7d6c5adf37

Vulnerability Details

MetadataExtractor 2.1.0 allows stack consumption.

Publish Date: 2019-07-25

URL: CVE-2019-14262

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-11358 (Medium) detected in jquery-1.12.4.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: d5dd0b84d8889d0b48363f057ab4e0aa0a81c8aa

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

CVE-2018-1324 (Medium) detected in commons-compress-1.14.jar

CVE-2018-1324 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.14.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, LZ4, Brotli and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: http://commons.apache.org/proper/commons-compress/

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/commons/commons-compress/1.14/commons-compress-1.14.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • commons-compress-1.14.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-03-16

URL: CVE-2018-1324

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324

Release Date: 2018-03-16

Fix Resolution: 1.16


Step up your Open Source Security Game with WhiteSource here

CVE-2018-14720 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7



Data Encryption in Transit

Hello,

Is it possible to configure the transform service with SSL enabled? If yes, is there documentation for it?

Thanks

CVE-2018-19361 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-19361 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8



Unicode transformation from txt to pdf not supported

T-Engine: transform-misc
Version: 2.1.0
Task : transformation of a txt file (unicode) to pdf failed
Error Information:

31 Oct 2019 11:16:56 510 txt pdf ERROR 本文档库子文件夹权限设置规范 688 bytes 274 ms textToPdf Failed 09311139 textToPdf returned a 400 status Miscellaneous Transformers - U+76EE ('.notdef') is not available in this font Helvetica encoding: WinAnsiEncoding http://transform-misc:8090/transform targetExtension=pdf sourceMimetype=text/plain sourceExtension=txt targetMimetype=application/pdf

Analysis:
The text file contains Unicode characters, which leads to the error.
I have confirmed this error with other Unicode characters, resulting in the same error.

How to improve unicode compatibility of the transform services? Switch the font file or change the WinAnsiEncoding?

Missing log configuration defaults for verbose third-party packages

In previous versions of Alfresco Content Services, which included in-process transformers, the log configuration already included the settings needed to stop common and expected warnings, e.g. from PDFBox, from spamming the application logs. The TIKA and AIO transformers are missing similar log configuration defaults. With various documents in an AIO-based setup, we see the following messages extremely frequently:

WARN 1 --- [nio-8090-exec-8] org.apache.fontbox.ttf.CmapSubtable      : cmap format 4 subtable is empty
WARN 1 --- [nio-8090-exec-9] o.a.pdfbox.pdmodel.font.PDType0Font      : No Unicode mapping for CID+86 (86) in font TWRVUV+ArialUnicodeMS-Identity-H
WARN 1 --- [nio-8090-exec-7] o.a.pdfbox.pdmodel.font.PDType1Font      : Using fallback font LiberationSans for Helvetica
WARN 1 --- [nio-8090-exec-3] org.apache.pdfbox.pdfparser.COSParser    : The stream doesn't provide any stream length, using fallback readUntilEnd, at offset 164607
WARN 1 --- [nio-8090-exec-3] org.apache.pdfbox.pdfparser.COSParser    : Unexpected XRefTable Entry: 0000165164 00000
WARN 1 --- [nio-8090-exec-4] org.apache.pdfbox.pdfparser.COSParser    : The end of the stream doesn't point to the correct offset, using workaround to read the stream, stream start position: 1099, length: 0, expected end position: 1099
WARN 1 --- [nio-8090-exec-6] org.apache.fontbox.ttf.TTFParser         : Skip table 'kern' which goes past the file size; offset: 0, size: 102260, font size: 12436
WARN 1 --- [nio-8090-exec-1] org.apache.pdfbox.pdmodel.font.PDFont    : Invalid ToUnicode CMap in font MalgunGothicRegular
WARN 1 --- [nio-8090-exec-1] org.apache.pdfbox.pdmodel.font.PDFont    : Using predefined identity CMap instead

and so on...
It seems prudent to include the following log configuration defaults based on what was previously provided in ACS and what warnings we have observed:

logging.level.org.apache.fontbox.ttf=ERROR
logging.level.org.apache.pdfbox.cos.COSDocument=ERROR
logging.level.org.apache.pdfbox.pdfparser=ERROR
logging.level.org.apache.pdfbox.filter.FlateFilter=ERROR
logging.level.org.apache.pdfbox.pdmodel.font=ERROR
logging.level.org.apache.pdfbox.pdmodel.font.PDSimpleFont=FATAL
logging.level.org.apache.pdfbox.pdmodel.font.PDFont=FATAL
logging.level.org.apache.pdfbox.pdmodel.font.PDCIDFont=FATAL

CVE-2018-14041 (Medium) detected in bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

CVE-2018-14041 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

bootstrap-3.2.0-3.3.0.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.2.0-3.3.0/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html,/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/lgpl, v2.1 or later - lgpl-license.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/the mit license - mit.html

Dependency Hierarchy:

  • bootstrap-3.2.0-3.3.0.min.js (Vulnerable Library)
bootstrap-3.3.7-3.3.13.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Dependency Hierarchy:

  • bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)

Found in HEAD commit: d5dd0b84d8889d0b48363f057ab4e0aa0a81c8aa

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

Publish Date: 2018-07-13

URL: CVE-2018-14041

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14041

Release Date: 2019-06-12

Fix Resolution: 4.1.2

Dependabot couldn't authenticate with https://artifacts.alfresco.com/nexus/content/groups/internal

Dependabot couldn't authenticate with https://artifacts.alfresco.com/nexus/content/groups/internal.

Dependabot tried to authenticate with the details you previously provided, but authentication failed. If they are no longer valid you will need to provide Dependabot with new credentials.

You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.

View the update logs.

CVE-2018-14721 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7


Step up your Open Source Security Game with WhiteSource here

CVE-2018-11771 (Medium) detected in commons-compress-1.14.jar

CVE-2018-11771 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.14.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, LZ4, Brotli and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: http://commons.apache.org/proper/commons-compress/

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/commons/commons-compress/1.14/commons-compress-1.14.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • commons-compress-1.14.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-08-16

URL: CVE-2018-11771

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11771

Release Date: 2019-04-08

Fix Resolution: 1.18


Can transformation target size be limited

This is not a bug but a feature request/suggestion.

I have observed that in an installation of Alfresco 7.1 with the "aio" transformer the transformation to text of one PDF file created a 53G text file. I think the source PDF is merely around 20MB, but to be honest it is a running production server and I couldn't identify the source file with 100% certainty.

Due to that I've seen "no space left on device" exceptions in the transformer's log. Analyzing the exception stack, it seems quite obvious that in this case it was the Tika transformer.

I know that the max source file bytes can be set in the transformation configuration, so more or less I can control how much space the source of a transformation can take. But what about the target?

AFAIK SOLR is limited to only index the first X words of any sent text document so if our use case for the text transformation is just indexation it would be great if the transformers could somehow be limited to a maximum file size.

Does it make any sense? Is it already possible in some way?
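One way to bound the size of a transformation result, written here in Java as an added example (this is not code from alfresco-transform-core, and the maxTargetFileBytes setting it assumes does not exist in the project): wrap the target's OutputStream so the transform fails fast once it has written more than a configured number of bytes, instead of filling the disk and surfacing as "no space left on device" later.

```java
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;

/**
 * Added example, not code from alfresco-transform-core: an OutputStream
 * wrapper that makes a transform fail fast once it has written more than a
 * configured number of bytes to its target. The limit value and the name
 * maxTargetFileBytes are hypothetical; the project only exposes a cap on
 * the source size today.
 */
public final class SizeCappedOutputStream extends FilterOutputStream {

    /** Raised when the cap is exceeded; the caller treats it as a failed transform. */
    public static final class TargetTooLargeException extends IOException {
        public TargetTooLargeException(long limit) {
            super("transform target exceeded " + limit + " bytes");
        }
    }

    private final long maxBytes;
    private long written;

    public SizeCappedOutputStream(OutputStream out, long maxBytes) {
        super(out);
        if (maxBytes <= 0) {
            throw new IllegalArgumentException("maxBytes must be positive");
        }
        this.maxBytes = maxBytes;
    }

    /** Accounts for n bytes before they are written, so the cap is never exceeded on disk. */
    private void account(long n) throws IOException {
        written += n;
        if (written > maxBytes) {
            throw new TargetTooLargeException(maxBytes);
        }
    }

    @Override
    public void write(int b) throws IOException {
        account(1);
        out.write(b);
    }

    // FilterOutputStream's default write(byte[], int, int) loops over write(int);
    // overriding it accounts for the whole chunk and passes it through in one call.
    @Override
    public void write(byte[] b, int off, int len) throws IOException {
        account(len);
        out.write(b, off, len);
    }

    public long getWritten() {
        return written;
    }

    /** Demo with constructed input: extracted text that keeps growing past a 1 KiB cap. */
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream targetFile = new ByteArrayOutputStream();
        long maxTargetFileBytes = 1024;                          // hypothetical setting
        byte[] chunk = "lorem ipsum ".repeat(10).getBytes();    // 120 bytes per "page"
        try (SizeCappedOutputStream out = new SizeCappedOutputStream(targetFile, maxTargetFileBytes)) {
            for (int page = 0; page < 1000; page++) {
                out.write(chunk, 0, chunk.length);
            }
            System.out.println("finished within limit");
        } catch (TargetTooLargeException e) {
            // The target stays at 960 bytes: the ninth chunk was rejected before being written.
            System.out.println("aborted: " + e.getMessage()
                + "; target left at " + targetFile.size() + " bytes");
        }
    }
}
```

The check runs before the bytes reach the underlying stream, so the partial target never exceeds the cap; the caller can delete it and report the transform as failed, which is also the behaviour you would want for a deliberately crafted source that expands far beyond its own size.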

CVE-2018-19362 (High) detected in jackson-databind-2.8.11.2.jar

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.11.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-transform-core/alfresco-docker-imagemagick/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.2/jackson-databind-2.8.11.2.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-1.5.15.RELEASE.jar (Root Library)
    • spring-boot-starter-web-1.5.15.RELEASE.jar
      • jackson-databind-2.8.11.2.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8


CVE-2018-10237 (Medium) detected in guava-17.0.jar

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-17.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

Library home page: http://code.google.com/p/guava-libraries/guava

Path to dependency file: /alfresco-transform-core/alfresco-docker-tika/pom.xml

Path to vulnerable library: /root/.m2/repository/com/google/guava/guava/17.0/guava-17.0.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • cdm-4.5.5.jar
      • guava-17.0.jar (Vulnerable Library)

Found in HEAD commit: 49addd2455c2f80273297ec107a38651d75e0405

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1


ImageMagick maintainAspectRatio is inverted

Doclib and imgpreview thumbnails in Share are squares because maintainAspectRatio has no effect anymore, or rather is inverted.

In the OptionsBuilder the following if statement is wrong:


It should be: if (maintainAspectRatio == null || !maintainAspectRatio)

Because the ! tells ImageMagick to force width and height.
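To make the effect of that condition visible, here is an added Java example (not the project's OptionsBuilder) that builds the -resize geometry with the condition proposed in the issue, contrasts it with a hypothetical inverted check (the actual statement from the issue is not reproduced on this page), and models what ImageMagick does with each geometry form on a constructed 4000x3000 source.

```java
/**
 * Added example, not the project's OptionsBuilder: shows how a
 * maintainAspectRatio option maps onto ImageMagick's -resize geometry and
 * what each form does to a thumbnail. "WxH" fits the image inside the box
 * and keeps the aspect ratio; "WxH!" forces exactly W by H.
 */
public final class ResizeGeometry {

    /** Builds the geometry using the condition proposed in the issue. */
    static String geometry(int width, int height, Boolean maintainAspectRatio) {
        String geometry = width + "x" + height;
        if (maintainAspectRatio == null || !maintainAspectRatio) {
            geometry += "!";   // "!" tells ImageMagick to ignore the aspect ratio
        }
        return geometry;
    }

    /**
     * Hypothetical inverted check (the issue's real statement is not on the page):
     * the negation is missing, so "!" is appended exactly when the ratio should be kept.
     */
    static String geometryInverted(int width, int height, Boolean maintainAspectRatio) {
        String geometry = width + "x" + height;
        if (maintainAspectRatio == null || maintainAspectRatio) {
            geometry += "!";
        }
        return geometry;
    }

    /**
     * Models what ImageMagick does with the two geometry forms when shrinking:
     * without "!" the image is scaled to fit inside the box, with "!" both
     * dimensions are forced. Returns {width, height} of the result.
     */
    static int[] resultSize(int srcW, int srcH, String geometry) {
        boolean force = geometry.endsWith("!");
        String box = force ? geometry.substring(0, geometry.length() - 1) : geometry;
        String[] wh = box.split("x");
        int boxW = Integer.parseInt(wh[0]);
        int boxH = Integer.parseInt(wh[1]);
        if (force) {
            return new int[] {boxW, boxH};
        }
        double scale = Math.min((double) boxW / srcW, (double) boxH / srcH);
        return new int[] {(int) Math.round(srcW * scale), (int) Math.round(srcH * scale)};
    }

    public static void main(String[] args) {
        int srcW = 4000, srcH = 3000;   // constructed 4:3 source image
        for (Boolean keep : new Boolean[] {Boolean.TRUE, Boolean.FALSE, null}) {
            String ok = geometry(100, 100, keep);
            String bad = geometryInverted(100, 100, keep);
            int[] okSize = resultSize(srcW, srcH, ok);
            int[] badSize = resultSize(srcW, srcH, bad);
            System.out.printf("maintainAspectRatio=%-5s  proposed: -resize %-8s -> %dx%d   inverted: -resize %-8s -> %dx%d%n",
                keep, ok, okSize[0], okSize[1], bad, badSize[0], badSize[1]);
        }
    }
}
```

With maintainAspectRatio=true the proposed condition yields "100x100" and a 100x75 thumbnail, while the inverted check yields "100x100!" and the 100x100 square the issue describes.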

CVE-2018-14040 (Medium) detected in bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Libraries - bootstrap-3.2.0-3.3.0.min.js, bootstrap-3.3.7-3.3.13.min.js

bootstrap-3.2.0-3.3.0.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.2.0-3.3.0/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/the mit license - mit.html,/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/mit license - mit-license.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/lgpl, v2.1 or later - lgpl-license.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/the mit license - mit.html

Dependency Hierarchy:

  • bootstrap-3.2.0-3.3.0.min.js (Vulnerable Library)

bootstrap-3.3.7-3.3.13.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Path to vulnerable library: /alfresco-transform-core/alfresco-docker-libreoffice/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-transform-misc/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-alfresco-pdf-renderer/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-imagemagick/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html,/alfresco-transform-core/alfresco-docker-tika/target/generated-resources/licenses/public domain, per creative commons cc0 - 1.0.html

Dependency Hierarchy:

  • bootstrap-3.3.7-3.3.13.min.js (Vulnerable Library)

Found in HEAD commit: d5dd0b84d8889d0b48363f057ab4e0aa0a81c8aa

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040

Release Date: 2018-07-13

Fix Resolution: 4.1.2

Can't build in Ubuntu 20.04

I'm trying to build on my Ubuntu 20.04 but always get an error, no matter what I do.

[WARNING] There were 0 download errors - check the warnings above
[INFO]
[INFO] --- maven-jar-plugin:3.2.0:test-jar (default) @ alfresco-transform-imagemagick-boot ---
[INFO] Building jar: /home/ubuntu/alfresco-transform-core-2.5.3/alfresco-transform-imagemagick/alfresco-transform-imagemagick-boot/target/alfresco-transform-imagemagick-boot-2.5.3-tests.jar
[INFO]
[INFO] --- fabric8-maven-plugin:4.4.0:build (build-image) @ alfresco-transform-imagemagick-boot ---
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
[WARNING] F8: Cannot access cluster for detecting mode: Unknown host kubernetes.default.svc: Name or service not known
[INFO] F8: Running in Kubernetes mode
[INFO] F8: Building Container image with Docker in Kubernetes mode
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
[WARNING] F8: Cannot access cluster for detecting mode: Unknown host kubernetes.default.svc
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
[WARNING] F8: Cannot access cluster for detecting mode: Unknown host kubernetes.default.svc
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
[WARNING] F8: Cannot access cluster for detecting mode: Unknown host kubernetes.default.svc
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
[WARNING] F8: Cannot access cluster for detecting mode: Unknown host kubernetes.default.svc
[WARNING] Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.

Failed to execute the build: io.fabric8.maven.docker.access.DockerAccessException: Unable to build image [alfresco/alfresco-imagemagick:latest] : Connection reset by peer

Thanks!
