In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack.
References:
https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/85
Created batik tracking bugs for this issue: Affects: fedora-all [bug 1443593]
Upstream bug: https://issues.apache.org/jira/browse/BATIK-1139
Patches:
http://svn.apache.org/viewvc?view=revision&revision=1742892
http://svn.apache.org/viewvc?view=revision&revision=1743326
This issue has been addressed in the following products: Red Hat JBoss BRMS Via RHSA-2017:2547 https://access.redhat.com/errata/RHSA-2017:2547
This issue has been addressed in the following products: Red Hat JBoss BPM Suite Via RHSA-2017:2546 https://access.redhat.com/errata/RHSA-2017:2546
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319
Statement: The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.