Bug 1937440 (CVE-2020-13936)
| Summary: | CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, almorale, andjrobins, anstephe, aos-bugs, asoldano, atangrin, ataylor, bbaranow, bibryam, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dbhole, devrim, dkreling, dosoudil, drieden, ebaron, eclipse-sig, eleandro, eparis, etirelli, fjuma, ganandan, ggaughan, gmalinko, gvarsami, hbraun, ibek, iweiss, janstey, java-maint, java-maint-sig, java-sig-commits, jburrell, jcantril, jcoleman, jerboaa, jjohnstn, jnethert, jochrist, jokerman, jolee, jperkins, jross, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, loleary, mizdebsk, mnovotny, msochure, msvehla, nstielau, nwallace, pantinor, pjindal, pmackay, rgrunber, rguimara, rhcs-maint, rrajasek, rstancel, rsvoboda, rsynek, rwagner, sdaley, sd-operator-metering, smaestri, sochotni, spinder, sponnaga, tcunning, tflannag, theute, tkirby, tom.jenkinson, yborgess |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | velocity 2.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-19 20:57:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1937743, 1937441, 1937442, 1937591, 1937999, 1938000, 1938001, 1938002 | ||
| Bug Blocks: | 1937449 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-03-10 16:38:50 UTC
Created eclipse tracking bugs for this issue: Affects: fedora-all [bug 1937442] Created velocity tracking bugs for this issue: Affects: fedora-all [bug 1937441] Thanks to @jpadman for helping, looks like there's a range of commits from July/August which we believe to be the fixes: - https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485 - https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d706d3075876dde4 - https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35dcef7de3aae3e Statement: OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact. * Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code. * Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason. * Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason. Marking Red Hat JBoss A-MQ 6 as having a low impact, although the vulnerable artifact(s) are distributed with the product they are not used This vulnerability is out of security support scope for the following products: * Red Hat JBoss A-MQ 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Marking Red Hat JBoss Fuse 6 and Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact, this is because components using the affected versions of velocity, namely camel-velocity does not allow, by default, use of templates derived from unprivileged mutable/dynamic sources ie. It does not allow generation or modification of templates from a source an attacker may control perquisite of this attack. Customers using camel velocity with `allowTemplateFromHeader` or `allowContextMapAll` set to true are strongly advised to either disable the dynamic template functionality or ensure the templates are from a source that is not derived from unprivileged user input. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:2051 https://access.redhat.com/errata/RHSA-2021:2051 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:2047 https://access.redhat.com/errata/RHSA-2021:2047 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:2046 https://access.redhat.com/errata/RHSA-2021:2046 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:2048 https://access.redhat.com/errata/RHSA-2021:2048 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13936 This issue has been addressed in the following products: Red Hat EAP-XP via EAP 7.3.x base Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210 This issue has been addressed in the following products: Red Hat EAP-XP 2.0.0 via EAP 7.3.x base Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755 This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658 This issue has been addressed in the following products: EAP 7.4.1 release Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918 |