An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. References: https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E http://www.openwall.com/lists/oss-security/2021/03/10/1
Created eclipse tracking bugs for this issue: Affects: fedora-all [bug 1937442] Created velocity tracking bugs for this issue: Affects: fedora-all [bug 1937441]
Thanks to @jpadman for helping, looks like there's a range of commits from July/August which we believe to be the fixes: - https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485 - https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d706d3075876dde4 - https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35dcef7de3aae3e
Statement: OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact. * Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code. * Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason. * Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.
Marking Red Hat JBoss A-MQ 6 as having a low impact, although the vulnerable artifact(s) are distributed with the product they are not used This vulnerability is out of security support scope for the following products: * Red Hat JBoss A-MQ 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat JBoss Fuse 6 and Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact, this is because components using the affected versions of velocity, namely camel-velocity does not allow, by default, use of templates derived from unprivileged mutable/dynamic sources ie. It does not allow generation or modification of templates from a source an attacker may control perquisite of this attack. Customers using camel velocity with `allowTemplateFromHeader` or `allowContextMapAll` set to true are strongly advised to either disable the dynamic template functionality or ensure the templates are from a source that is not derived from unprivileged user input.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:2051 https://access.redhat.com/errata/RHSA-2021:2051
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:2047 https://access.redhat.com/errata/RHSA-2021:2047
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:2046 https://access.redhat.com/errata/RHSA-2021:2046
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:2048 https://access.redhat.com/errata/RHSA-2021:2048
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13936
This issue has been addressed in the following products: Red Hat EAP-XP via EAP 7.3.x base Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210
This issue has been addressed in the following products: Red Hat EAP-XP 2.0.0 via EAP 7.3.x base Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658
This issue has been addressed in the following products: EAP 7.4.1 release Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918