Red Hat Bugzilla – Bug 1203762
CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
Last modified: 2018-08-18 07:26:56 EDT
The following flaw was found in Apache Batik: Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server--including confidential or sensitive files--would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. Additional information: http://seclists.org/oss-sec/2015/q1/864 External References: http://xmlgraphics.apache.org/security.html
This issue was also fixed in upstream versions 1.7.1 and 1.6.1. Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1664335 Further details from one of the reporters acknowledged in the upstream advisory: https://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/ https://www.ernw.de/download/apache_batik_xxe_advisory.txt
Upstream bug report from 2012 from the other reporter acknowledged in the upstream advisory: https://bz.apache.org/bugzilla/show_bug.cgi?id=53603 https://issues.apache.org/jira/browse/BATIK-1018 https://twitter.com/agarri_fr/status/578132631180673024 https://issues.apache.org/jira/browse/BATIK-1113
For JBoss Fuse, Apache Batik is used by the camel-fop component to render messages into SVG Image+XML. See: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=blob;f=components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java;h=d41b6d187cb7b5faf48fa3244c0b7d77ed204779;hb=e18459e53cf77514bb0fdfeceb423c456bbc4d9d The vulnerability fixed an issue with the way SVG parses XML, not with the way it produces it. Therefore the issue doesn't effect JBoss Fuse 6.2.0. Add jboss/fuse=notaffected
For JBoss FSW, Apache Batik is used by BPEL Console, see: system/layers/soa/org/switchyard/component/bpel/main/module.xml <!-- Required by bpel2svg module --> <module name="org.apache.xmlgraphics" /> If we check the source code for BPEL (downstream Riftsaw) we see it doesn't use the patched SAXDocumentFactory, it used DOMUtils to write an XML Document: https://github.com/riftsaw/riftsaw/blob/master/console/bpel2svg/src/main/java/org/wso2/carbon/bpel/ui/bpel2svg/impl/SVGImpl.java Similar to JBoss Fuse, the SVG functionality is there for rendering XML, not for parsing it. Updating fsw-6/batik to notaffected.
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.2.0 Via RHSA-2015:2560 https://rhn.redhat.com/errata/RHSA-2015-2560.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.2.0 Via RHSA-2015:2559 https://rhn.redhat.com/errata/RHSA-2015-2559.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.1.5 Via RHSA-2016:0042 https://rhn.redhat.com/errata/RHSA-2016-0042.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.1.5 Via RHSA-2016:0041 https://rhn.redhat.com/errata/RHSA-2016-0041.html