CVE-2023-39913

8.8 HIGH

📋 TL;DR

This vulnerability in Apache UIMA Java SDK allows arbitrary code execution through deserialization of untrusted data. Attackers can exploit it by sending malicious serialized objects to vulnerable components, potentially gaining full control of affected systems. Users running UIMA versions before 3.5.0 who use CasIOUtils, Vinci services, or specific applets are affected.

💻 Affected Systems

Products:
  • Apache UIMA Java SDK
Versions: All versions before 3.5.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ✅ No
Notes: Vulnerability requires specific vulnerable components to be used: CasIOUtils, Vinci services, CAS Editor Eclipse plugin, CasAnnotationViewerApplet, CasTreeViewerApplet, or CPE checkpointing. Default UIMA installation does not start vulnerable services.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Remote code execution on systems running vulnerable UIMA components with network exposure or processing untrusted serialized data.

🟢 If Mitigated

Limited impact with proper input validation, Java serialization filters, or network segmentation preventing access to vulnerable services.

🌐 Internet-Facing: MEDIUM - Vinci services are not enabled by default, but if explicitly configured and exposed, they become high-risk targets.
🏢 Internal Only: MEDIUM - Internal applications using CasIOUtils with untrusted data sources remain vulnerable to exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of vulnerable endpoints and ability to craft malicious serialized objects. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.0

Vendor Advisory: https://lists.apache.org/thread/lw30f4qlq3mhkhpljj16qw4fot3rg7v4

Restart Required: Yes

Instructions:

1. Download Apache UIMA Java SDK version 3.5.0 or later.
2. Replace the existing UIMA installation with the new version.
3. Restart all applications and services using UIMA.
4. Verify that the version upgrade completed successfully.

🔧 Temporary Workarounds

Java Serialization Filter (Java 9+)


Configure an ObjectInputFilter (the jdk.serialFilter property) that allows only the UIMA classes legitimately found in serialized CAS data and rejects everything else with the trailing "!*" pattern:

java -Djdk.serialFilter="org.apache.uima.cas.impl.CASCompleteSerializer;org.apache.uima.cas.impl.CASMgrSerializer;org.apache.uima.cas.impl.CASSerializer;java.lang.String;org.apache.uima.collection.impl.cpm.CheckpointData;org.apache.uima.util.ProcessTrace;org.apache.uima.util.impl.ProcessTrace_impl;org.apache.uima.collection.base_cpm.SynchPoint;!*" -jar yourapp.jar
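The same allow-list can be applied per stream instead of JVM-wide, which is useful when only one code path (for example the one calling CasIOUtils) reads untrusted bytes. The following is an added example, not code from Apache UIMA or from the advisory: it builds the filter from the exact pattern used in the command above, then shows that a String (which is on the allow-list) deserializes while an ArrayList (not listed, so caught by "!*") is rejected with an InvalidClassException. The filter is consulted for every class encountered in the object graph, including nested values such as the strings inside a CAS, which is why java.lang.String has to appear in the list. No UIMA jar is needed to run it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;

public class UimaDeserializationFilterDemo {

    // Identical to the -Djdk.serialFilter pattern from the workaround above.
    // Entries are exact class names; the trailing "!*" rejects every class not listed.
    static final String UIMA_FILTER_PATTERN =
        "org.apache.uima.cas.impl.CASCompleteSerializer;" +
        "org.apache.uima.cas.impl.CASMgrSerializer;" +
        "org.apache.uima.cas.impl.CASSerializer;" +
        "java.lang.String;" +
        "org.apache.uima.collection.impl.cpm.CheckpointData;" +
        "org.apache.uima.util.ProcessTrace;" +
        "org.apache.uima.util.impl.ProcessTrace_impl;" +
        "org.apache.uima.collection.base_cpm.SynchPoint;" +
        "!*";

    // Helper for the demo only: produce the bytes an untrusted peer might send.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with a per-stream filter. Java 9+ API: java.io.ObjectInputFilter
    // and ObjectInputStream.setObjectInputFilter. The filter is checked for each
    // class as the stream resolves it, before any readObject/readResolve logic runs.
    static Object deserializeWithFilter(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(UIMA_FILTER_PATTERN);

        // java.lang.String is on the allow-list, so this succeeds.
        Object accepted = deserializeWithFilter(serialize("hello"), filter);
        System.out.println("String accepted: " + accepted);

        // java.util.ArrayList is not listed; "!*" makes the filter return REJECTED and
        // ObjectInputStream throws InvalidClassException before the object is built.
        try {
            deserializeWithFilter(serialize(new ArrayList<String>()), filter);
            System.out.println("ArrayList accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("ArrayList rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac UimaDeserializationFilterDemo.java && java UimaDeserializationFilterDemo` on Java 9 or later. When choosing between this and the JVM-wide property, note that `-Djdk.serialFilter` also constrains every other ObjectInputStream in the process, so an application that legitimately deserializes its own non-UIMA classes elsewhere either needs those classes added to the pattern or needs the narrower per-stream filter shown here on the code path that handles untrusted input.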

🧯 If You Can't Patch

  • Upgrade Java runtime to version 9+ and implement serialization filters as described in workarounds
  • Disable or restrict network access to Vinci services and avoid using CasIOUtils with untrusted data sources

🔍 How to Verify

Check if Vulnerable:

Check the UIMA version in pom.xml, build.gradle, or the jar manifest. Then check whether the vulnerable components (CasIOUtils, Vinci, the listed applets, or CPE checkpointing) are used in your codebase.

Check Version:

java -cp "uima-core.jar" org.apache.uima.util.UIMAFramework --version

Verify Fix Applied:

Confirm UIMA version is 3.5.0 or higher. Verify serialization filters are properly configured if using Java 9+ with older UIMA versions.

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors, unexpected ClassNotFoundException or InvalidClassException in UIMA logs
  • Unusual network connections to Vinci service ports (default 9000)

Network Indicators:

  • Inbound connections to Vinci service ports with serialized data payloads
  • Unusual outbound connections from UIMA processes

SIEM Query:

source="uima.log" AND ("deserialization" OR "ClassNotFoundException" OR "InvalidClassException")

🔗 References
