Bug 1443592 (CVE-2017-5662)

Summary: CVE-2017-5662 batik: XML external entity processing vulnerability
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, bmcclain, c.david86, chazlett, dblechte, eedri, etirelli, gvarsami, hhorak, java-maint, java-sig-commits, jcoleman, jorton, jvanek, kconner, kverlaen, ldimaggi, lpetrovi, mbaluch, mgoldboi, michal.skrivanek, mizdebsk, mwinkler, nwallace, rrajasek, rwagner, rzhang, sbonazzo, sherold, tcunning, tkirby, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: batik 1.9 Doc Type: Bug Fix
Doc Text:
An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:10:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1443593, 1472047    
Bug Blocks: 1443595, 1477305    

Description Andrej Nemec 2017-04-19 14:13:57 UTC 
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

References:

https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/85
Comment 1 Andrej Nemec 2017-04-19 14:14:49 UTC 
Created batik tracking bugs for this issue:

Affects: fedora-all [bug 1443593]
Comment 2 Stefan Cornelius 2017-07-05 11:38:53 UTC 
Upstream bug:
https://issues.apache.org/jira/browse/BATIK-1139

Patches:
http://svn.apache.org/viewvc?view=revision&revision=1742892
http://svn.apache.org/viewvc?view=revision&revision=1743326
Comment 7 errata-xmlrpc 2017-08-29 19:40:57 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:2547 https://access.redhat.com/errata/RHSA-2017:2547
Comment 8 errata-xmlrpc 2017-08-29 19:42:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:2546 https://access.redhat.com/errata/RHSA-2017:2546
Comment 9 errata-xmlrpc 2018-02-14 19:30:03 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319
Comment 10 Doran Moppert 2018-04-26 07:38:17 UTC 
Statement:

The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.