Bug 1443592 (CVE-2017-5662) - CVE-2017-5662 batik: XML external entity processing vulnerability
Summary: CVE-2017-5662 batik: XML external entity processing vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-5662
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1443593 1472047
Blocks: 1443595 1477305
TreeView+ depends on / blocked
 
Reported: 2017-04-19 14:13 UTC by Andrej Nemec
Modified: 2021-02-17 02:15 UTC (History)
33 users (show)

Fixed In Version: batik 1.9
Doc Type: Bug Fix
Doc Text:
An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:10:44 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2546 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.4.5 security update 2017-08-29 23:40:38 UTC
Red Hat Product Errata RHSA-2017:2547 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.4.5 security update 2017-08-29 23:40:27 UTC
Red Hat Product Errata RHSA-2018:0319 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update 2018-02-15 00:29:46 UTC

Description Andrej Nemec 2017-04-19 14:13:57 UTC 
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

References:

https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/85
Comment 1 Andrej Nemec 2017-04-19 14:14:49 UTC 
Created batik tracking bugs for this issue:

Affects: fedora-all [bug 1443593]
Comment 2 Stefan Cornelius 2017-07-05 11:38:53 UTC 
Upstream bug:
https://issues.apache.org/jira/browse/BATIK-1139

Patches:
http://svn.apache.org/viewvc?view=revision&revision=1742892
http://svn.apache.org/viewvc?view=revision&revision=1743326
Comment 7 errata-xmlrpc 2017-08-29 19:40:57 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:2547 https://access.redhat.com/errata/RHSA-2017:2547
Comment 8 errata-xmlrpc 2017-08-29 19:42:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:2546 https://access.redhat.com/errata/RHSA-2017:2546
Comment 9 errata-xmlrpc 2018-02-14 19:30:03 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319
Comment 10 Doran Moppert 2018-04-26 07:38:17 UTC 
Statement:

The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.
Note You need to log in before you can comment on or make changes to this bug.