Bug 1937440 (CVE-2020-13936) - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
Summary: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to mo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13936
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1937743 1937441 1937442 1937591 1937999 1938000 1938001 1938002
Blocks: 1937449
TreeView+ depends on / blocked
 
Reported: 2021-03-10 16:38 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:11 UTC (History)
92 users (show)

Fixed In Version: velocity 2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-05-19 20:57:10 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2755 0 None None None 2021-07-15 15:26:06 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:23:56 UTC
Red Hat Product Errata RHSA-2021:3656 0 None None None 2021-09-23 16:15:28 UTC
Red Hat Product Errata RHSA-2021:3658 0 None None None 2021-09-23 16:23:31 UTC
Red Hat Product Errata RHSA-2021:3660 0 None None None 2021-09-23 16:29:23 UTC
Red Hat Product Errata RHSA-2021:4767 0 None None None 2021-11-23 10:34:59 UTC
Red Hat Product Errata RHSA-2021:4918 0 None None None 2021-12-02 16:17:54 UTC

Description Guilherme de Almeida Suckevicz 2021-03-10 16:38:50 UTC
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

References:
https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/03/10/1

Comment 1 Guilherme de Almeida Suckevicz 2021-03-10 16:39:26 UTC
Created eclipse tracking bugs for this issue:

Affects: fedora-all [bug 1937442]


Created velocity tracking bugs for this issue:

Affects: fedora-all [bug 1937441]

Comment 24 Todd Cullum 2021-03-16 22:35:57 UTC
Statement:

OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact.

* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.

* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.

* Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.

Comment 25 Jonathan Christison 2021-03-19 18:42:03 UTC
Marking Red Hat JBoss A-MQ 6 as having a low impact, although the vulnerable artifact(s) are distributed with the product they are not used

 This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 27 Jonathan Christison 2021-03-22 16:10:33 UTC
Marking Red Hat JBoss Fuse 6 and Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact, this is because components using the affected versions of velocity, namely camel-velocity does not allow, by default, use of templates derived from unprivileged mutable/dynamic sources ie. It does not allow generation or modification of templates from a source an attacker may control perquisite of this attack.

Customers using camel velocity with `allowTemplateFromHeader` or `allowContextMapAll` set to true are strongly advised to either disable the dynamic template functionality or ensure the templates are from a source that is not derived from unprivileged user input.

Comment 30 errata-xmlrpc 2021-05-19 15:21:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:2051 https://access.redhat.com/errata/RHSA-2021:2051

Comment 31 errata-xmlrpc 2021-05-19 15:23:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:2047 https://access.redhat.com/errata/RHSA-2021:2047

Comment 32 errata-xmlrpc 2021-05-19 15:27:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:2046 https://access.redhat.com/errata/RHSA-2021:2046

Comment 33 errata-xmlrpc 2021-05-19 15:32:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:2048 https://access.redhat.com/errata/RHSA-2021:2048

Comment 34 Product Security DevOps Team 2021-05-19 20:57:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13936

Comment 35 errata-xmlrpc 2021-06-02 14:23:54 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP via EAP 7.3.x base

Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210

Comment 37 errata-xmlrpc 2021-07-15 15:26:04 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP 2.0.0 via EAP 7.3.x base

Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755

Comment 38 errata-xmlrpc 2021-08-11 18:23:50 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 39 errata-xmlrpc 2021-09-23 16:15:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656

Comment 40 errata-xmlrpc 2021-09-23 16:23:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658

Comment 41 errata-xmlrpc 2021-09-23 16:29:20 UTC
This issue has been addressed in the following products:

  EAP 7.4.1 release

Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660

Comment 42 errata-xmlrpc 2021-11-23 10:34:54 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 43 errata-xmlrpc 2021-12-02 16:17:49 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918


Note You need to log in before you can comment on or make changes to this bug.