Bug 1203762 (CVE-2015-0250)

Summary: CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acathrow, aileenc, alazarot, atangrin, bleanhar, bmcclain, brms-jira, ccoleman, c.david86, dblechte, dmcphers, etirelli, gvarsami, idith, java-maint, java-sig-commits, jbpapp-maint, jcoleman, jialiu, jkeck, jokerman, jorton, jshepherd, jvanek, kanderso, kconner, ldimaggi, lmeyer, lpetrovi, lsurette, mbaluch, michal.skrivanek, mizdebsk, mmaslano, mmccomas, msrb, mwinkler, nobody+bgollahe, nwallace, ohudlick, Rhev-m-bugs, rrajasek, rwagner, rzhang, soa-p-jira, srevivo, tcunning, tkirby, tmlcoch, weli, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Batik 1.8, Batik 1.7.1, Batik 1.6.1 Doc Type: Bug Fix
Doc Text:
It was found that batik was vulnerable to XML External Entity attacks when parsing SVG files. A remote attacker able to send malicious SVG content to the affected server could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:40:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1255833, 1255834, 1255835, 1255836, 1255837, 1255838, 1255839, 1255840, 1255841    
Bug Blocks: 1203763, 1278997, 1385169    

Description Martin Prpič 2015-03-19 15:52:24 UTC 
The following flaw was found in Apache Batik:

Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server--including confidential or sensitive files--would be possible.

XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

Additional information:

http://seclists.org/oss-sec/2015/q1/864

External References:

http://xmlgraphics.apache.org/security.html
Comment 1 Tomas Hoger 2015-08-18 08:38:47 UTC 
This issue was also fixed in upstream versions 1.7.1 and 1.6.1.

Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1664335

Further details from one of the reporters acknowledged in the upstream advisory:

https://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/
https://www.ernw.de/download/apache_batik_xxe_advisory.txt
Comment 2 Tomas Hoger 2015-08-18 10:46:34 UTC 
Upstream bug report from 2012 from the other reporter acknowledged in the upstream advisory:

https://bz.apache.org/bugzilla/show_bug.cgi?id=53603
https://issues.apache.org/jira/browse/BATIK-1018
https://twitter.com/agarri_fr/status/578132631180673024

https://issues.apache.org/jira/browse/BATIK-1113
Comment 5 Jason Shepherd 2015-09-01 03:24:10 UTC 
For JBoss Fuse, Apache Batik is used by the camel-fop component to render messages into SVG Image+XML. See:

   https://git-wip-us.apache.org/repos/asf?p=camel.git;a=blob;f=components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java;h=d41b6d187cb7b5faf48fa3244c0b7d77ed204779;hb=e18459e53cf77514bb0fdfeceb423c456bbc4d9d

The vulnerability fixed an issue with the way SVG parses XML, not with the way it produces it. Therefore the issue doesn't effect JBoss Fuse 6.2.0. Add jboss/fuse=notaffected
Comment 6 Jason Shepherd 2015-09-01 04:02:05 UTC 
For JBoss FSW, Apache Batik is used by BPEL Console, see:

   system/layers/soa/org/switchyard/component/bpel/main/module.xml

        <!-- Required by bpel2svg module -->
        <module name="org.apache.xmlgraphics" />

If we check the source code for BPEL (downstream Riftsaw) we see it doesn't use the patched SAXDocumentFactory, it used DOMUtils to write an XML Document:

   https://github.com/riftsaw/riftsaw/blob/master/console/bpel2svg/src/main/java/org/wso2/carbon/bpel/ui/bpel2svg/impl/SVGImpl.java

Similar to JBoss Fuse, the SVG functionality is there for rendering XML, not for parsing it. Updating fsw-6/batik to notaffected.
Comment 9 errata-xmlrpc 2015-12-07 20:47:06 UTC 
This issue has been addressed in the following products:

Red Hat JBoss BPM Suite 6.2.0

Via RHSA-2015:2560 https://rhn.redhat.com/errata/RHSA-2015-2560.html
Comment 10 errata-xmlrpc 2015-12-07 20:49:07 UTC 
This issue has been addressed in the following products:

Red Hat JBoss BRMS 6.2.0

Via RHSA-2015:2559 https://rhn.redhat.com/errata/RHSA-2015-2559.html
Comment 11 errata-xmlrpc 2016-01-14 18:35:03 UTC 
This issue has been addressed in the following products:

Red Hat JBoss BPM Suite 6.1.5

Via RHSA-2016:0042 https://rhn.redhat.com/errata/RHSA-2016-0042.html
Comment 12 errata-xmlrpc 2016-01-14 18:36:15 UTC 
This issue has been addressed in the following products:

Red Hat JBoss BRMS 6.1.5

Via RHSA-2016:0041 https://rhn.redhat.com/errata/RHSA-2016-0041.html