ID

VAR-201805-1054

CVE

CVE-2018-8013

TITLE

Apache Batik Vulnerable to unreliable data deserialization

DESCRIPTION

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization. Apache Batik Contains a vulnerability in the deserialization of unreliable data.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache Batik is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. Apache Batik 1.9.1 and prior versions are vulnerable. Mitigation: Users should upgrade to Batik 1.10+ Credit: This issue was independently reported by Man Yue Mo. References: http://xmlgraphics.apache.org/security.html The Apache XML Graphics team. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4215-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond June 02, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : batik CVE ID : CVE-2017-5662 CVE-2018-8013 Debian Bug : 860566 899374 Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a toolkit for processing SVG images, did not properly validate its input. This would allow an attacker to cause a denial-of-service, mount cross-site scripting attacks, or access restricted files on the server. For the oldstable distribution (jessie), these problems have been fixed in version 1.7+dfsg-5+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 1.8-4+deb9u1. We recommend that you upgrade your batik packages. For the detailed security status of batik please refer to its security tracker page at: https://security-tracker.debian.org/tracker/batik Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAlsSUFsACgkQEL6Jg/PV nWQKAQgAtoVouiI8CAu0mMH4CxzV9Gn+PheDY9BIdjfARj60IPGFt1JgwJGwdhuS ANRAYaYhwEl+ZJSi5QUunT+tmwjINkWVQ1OoQIULR+/51bbkPQsND8nj2rVsO8z4 BQFJqUVdpbF04nDAP2lxyLMevrS5v9bQTXZfchIQOYhu08+L4HHilnMzRKpeaFNo jHBfpOhT4puftGQDtPW3+Czrree7yjkyElryVXiaNupH1PYuBs7GH3cGIct4NNv/ 7cykB7tf0j7cL+82YOCe5PhWQJfF52uj4Uck92v+muV6G6H7/vNj8irfC+iW7sP1 s58xKHi+VG3tU66xb44dK4MteCk9SA== =n3ZC -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-3661-1 May 29, 2018 batik vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: Batik could be made to expose sensitive information if it received a specially crafted XML. Software Description: - batik: SVG Library Details: It was discovered that Batik incorrectly handled certain XML. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: libbatik-java 1.7.ubuntu-8ubuntu2.14.04.3 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3661-1 CVE-2018-8013 Package Information: https://launchpad.net/ubuntu/+source/batik/1.7.ubuntu-8ubuntu2.14.04.3 . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202401-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Apache Batik: Multiple Vulnerabilities Date: January 07, 2024 Bugs: #724534, #872689, #918088 ID: 202401-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Apache Batik, the worst of which could result in arbitrary code execution. Background ========== Apache Batik is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation. Affected packages ================= Package Vulnerable Unaffected -------------- ------------ ------------ dev-java/batik < 1.17 >= 1.17 Description =========== Multiple vulnerabilities have been discovered in Apache Batik. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache Batik users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/batik-1.17" References ========== [ 1 ] CVE-2018-8013 https://nvd.nist.gov/vuln/detail/CVE-2018-8013 [ 2 ] CVE-2019-17566 https://nvd.nist.gov/vuln/detail/CVE-2019-17566 [ 3 ] CVE-2020-11987 https://nvd.nist.gov/vuln/detail/CVE-2020-11987 [ 4 ] CVE-2022-38398 https://nvd.nist.gov/vuln/detail/CVE-2022-38398 [ 5 ] CVE-2022-38648 https://nvd.nist.gov/vuln/detail/CVE-2022-38648 [ 6 ] CVE-2022-40146 https://nvd.nist.gov/vuln/detail/CVE-2022-40146 [ 7 ] CVE-2022-41704 https://nvd.nist.gov/vuln/detail/CVE-2022-41704 [ 8 ] CVE-2022-42890 https://nvd.nist.gov/vuln/detail/CVE-2022-42890 [ 9 ] CVE-2022-44729 https://nvd.nist.gov/vuln/detail/CVE-2022-44729 [ 10 ] CVE-2022-44730 https://nvd.nist.gov/vuln/detail/CVE-2022-44730 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202401-11 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code problem

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Man Yue Mo

SOURCES

LAST UPDATE DATE

2024-08-14T13:00:19.121000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE