PT-2023-27148 · Oracle+1 · Java+1

Huangzhicong · Published 2023-11-08 · Updated 2024-09-04 · CVE-2023-39913

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache UIMA Java SDK versions prior to 3.5.0

Description: The Apache UIMA Java SDK deserializes untrusted data and validates input improperly in several places. Serialized Java objects are read without verifying their content in the deserialization of a Java-serialized CAS, the CAS Editor Eclipse plugin, the Vinci Analysis Engine service, the CasAnnotationViewerApplet, the CasTreeViewerApplet, and the checkpointing feature of the CPE module. Unrestricted deserialization of a Java-serialized CAS file may allow whoever supplies the file to execute arbitrary code remotely. Users and developers who call CasIOUtils in their own applications and services to parse serialized CAS data are affected as well, unless they ensure that the data passed to CasIOUtils is not a serialized Java object.

Recommendations: Upgrade to Apache UIMA Java SDK version 3.5.0, which fixes the issue. On Java 9+ platforms, additionally configure a filter pattern through the "jdk.serialFilter" system property that allows deserialization of only the specific classes the application needs, and use "!*" as the final component so that any class not listed in the pattern is rejected. Java 1.8 does not provide the public java.io.ObjectInputFilter API, so on that platform upgrade to a recent Java version in order to protect an affected UIMA version with such a filter.
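The following is an added, self-contained example (not code from the UIMA project or from this advisory) that shows what the recommendation above amounts to: the unrestricted readObject() the advisory describes, next to the same read guarded by an allow-list filter written in the "jdk.serialFilter" pattern syntax with "!*" as its last component. The classes ExpectedRecord and UnexpectedClass are constructed stand-ins for a legitimate serialized type and for an arbitrary attacker-chosen type; they are not UIMA classes. It requires Java 9+ for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not UIMA or PT code). Shows unrestricted deserialization next to
// the same read protected by an allow-list filter ending in "!*". Java 9+ only.
public class SerialFilterDemo {

    // Constructed stand-in for a class the application legitimately expects in the stream.
    static final class ExpectedRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        ExpectedRecord(String text) { this.text = text; }
    }

    // Constructed stand-in for any class an attacker can name in the stream
    // (in a real attack this would be a gadget class already on the classpath).
    static final class UnexpectedClass implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "constructed attacker-controlled object";
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: every class named in the stream is instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: a per-stream filter built from the same pattern syntax the
    // jdk.serialFilter property accepts. A class that matches no allow entry falls
    // through to "!*" and is rejected with InvalidClassException before any of its
    // fields are read or an instance is created.
    static Object readFiltered(byte[] data, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow exactly the classes the stream legitimately carries; reject everything else.
        String pattern = ExpectedRecord.class.getName() + ";java.lang.String;!*";

        byte[] good = serialize(new ExpectedRecord("hello"));
        byte[] bad = serialize(new UnexpectedClass());

        // Without a filter both streams deserialize: this is the CVE-2023-39913 condition.
        System.out.println("unfiltered good: " + readUnfiltered(good).getClass().getName());
        System.out.println("unfiltered bad:  " + readUnfiltered(bad).getClass().getName());

        // With the filter the expected class still loads ...
        ExpectedRecord rec = (ExpectedRecord) readFiltered(good, pattern);
        System.out.println("filtered good:   " + rec.text);

        // ... and the unexpected one is refused.
        try {
            readFiltered(bad, pattern);
            System.out.println("filtered bad:    UNEXPECTEDLY ACCEPTED");
        } catch (InvalidClassException e) {
            System.out.println("filtered bad:    rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. The per-stream filter is shown because it is easy to exercise in one file; the advisory's process-wide form is the same pattern string passed at JVM startup, for example `java -Djdk.serialFilter='com.example.MyCas;java.lang.String;!*' ...`, which then applies to every ObjectInputStream in the process, including the ones inside UIMA that the application never constructs itself. The property is read once when the filter configuration is initialized, so set it on the command line rather than from application code that may run too late.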

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2023-39913
GHSA-5R8J-QMCM-7G7Q
OPENSUSE-SU-2024:13471-1

Affected Products

Apache Uima Java Sdk
Java