Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1443592 - (CVE-2017-5662) CVE-2017-5662 batik: XML external entity processing vulnerability
CVE-2017-5662 batik: XML external entity processing vulnerability
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170410,repor...
: Security
Depends On: 1443593 1472047
Blocks: 1443595 1477305
  Show dependency treegraph
 
Reported: 2017-04-19 10:13 EDT by Andrej Nemec
Modified: 2018-08-18 07:27 EDT (History)
34 users (show)

See Also:
Fixed In Version: batik 1.9
Doc Type: Bug Fix
Doc Text:
An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2546 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.4.5 security update 2017-08-29 19:40:38 EDT
Red Hat Product Errata RHSA-2017:2547 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.4.5 security update 2017-08-29 19:40:27 EDT
Red Hat Product Errata RHSA-2018:0319 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update 2018-02-14 19:29:46 EST

  None (edit)
Description Andrej Nemec 2017-04-19 10:13:57 EDT 
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

References:

https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/85
Comment 1 Andrej Nemec 2017-04-19 10:14:49 EDT 
Created batik tracking bugs for this issue:

Affects: fedora-all [bug 1443593]
Comment 7 errata-xmlrpc 2017-08-29 15:40:57 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:2547 https://access.redhat.com/errata/RHSA-2017:2547
Comment 8 errata-xmlrpc 2017-08-29 15:42:13 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:2546 https://access.redhat.com/errata/RHSA-2017:2546
Comment 9 errata-xmlrpc 2018-02-14 14:30:03 EST 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319
Comment 10 Doran Moppert 2018-04-26 03:38:17 EDT 
Statement:

The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.