https://bugzilla.redhat.com/show_bug.cgi?id=1937440
Bug ID: 1937440
Summary: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, akurtako@redhat.com, alazarot@redhat.com, almorale@redhat.com, andjrobins@gmail.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, bbaranow@redhat.com, bibryam@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, dbhole@redhat.com, decathorpe@gmail.com, devrim@gunduz.org, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, ebaron@redhat.com, eclipse-sig@lists.fedoraproject.org, eleandro@redhat.com, eparis@redhat.com, etirelli@redhat.com, fjuma@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, hbraun@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-maint-sig@lists.fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jcantril@redhat.com, jcoleman@redhat.com, jerboaa@gmail.com, jjohnstn@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jperkins@redhat.com, jross@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lgao@redhat.com, loleary@redhat.com, mat.booth@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pantinor@redhat.com, pjindal@redhat.com, pmackay@redhat.com, rgrunber@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, sd-operator-metering@redhat.com, smaestri@redhat.com, sochotni@redhat.com, spinder@redhat.com, sponnaga@redhat.com, tcunning@redhat.com, tflannag@redhat.com, theute@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, yborgess@redhat.com
Target Milestone: ---
Classification: Other
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload or modify Velocity templates and that run Apache Velocity Engine versions up to 2.2.
References: https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a6... http://www.openwall.com/lists/oss-security/2021/03/10/1
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What          |Removed |Added
--------------+--------+------------------
Depends On    |        |1937441, 1937442
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1937441 [Bug 1937441] CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1937442 [Bug 1937442] CVE-2020-13936 eclipse: velocity: arbitrary code execution when attacker is able to modify templates [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created eclipse tracking bugs for this issue:
Affects: fedora-all [bug 1937442]
Created velocity tracking bugs for this issue:
Affects: fedora-all [bug 1937441]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What          |Removed |Added
--------------+--------+------------------
Blocks        |        |1937449
--- Comment #6 from Mark Cooper mcooper@redhat.com --- Thanks to @jpadman for helping, looks like there's a range of commits from July/August which we believe to be the fixes:
- https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6be...
- https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d70...
- https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35...
Mark Cooper mcooper@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------
Fixed In Version|        |velocity 2.3
Mark Cooper mcooper@redhat.com changed:
What          |Removed |Added
--------------+--------+------------------
Depends On    |        |1937591
--- Comment #8 from Mark Cooper mcooper@redhat.com --- Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity, however the references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release.
--- Comment #9 from Mark Cooper mcooper@redhat.com --- Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity, however the references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally the hive-container only references velocity in the testutils of the code, but the code still exists in the container, hence it has been given a Moderate impact.
Florencio Cano fcanogab@redhat.com changed:
What          |Removed |Added
--------------+--------+------------------
Depends On    |        |1937743
--- Comment #15 from Todd Cullum tcullum@redhat.com --- Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity, however the references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally the hive-container only references velocity in the testutils of the code, but the code still exists in the container, hence it has been given a Moderate impact.
velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.
Todd Cullum tcullum@redhat.com changed:
What          |Removed |Added
--------------+--------+---------------------------
Depends On    |        |1938000, 1938001, 1938002,
              |        |1937999
--- Comment #17 from Todd Cullum tcullum@redhat.com --- Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity, however the references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally the hive-container only references velocity in the testutils of the code, but the code still exists in the container, hence it has been given a Moderate impact.
velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code. Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki.
--- Comment #22 from Mark Cooper mcooper@redhat.com --- Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity, however the references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally the hive-container only references velocity in the testutils of the code, but the code still exists in the container, as such it has been given a Moderate impact.
velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code. Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki.
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
--- Comment #23 from Eric Christensen sparks@redhat.com --- Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code, but the code still exists in the container, as such it has been given a Moderate impact.
Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.
Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki.
--- Comment #24 from Todd Cullum tcullum@redhat.com --- Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code, but the code still exists in the container, as such it has been given a Moderate impact.
* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.
* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.
* Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.
--- Comment #25 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat JBoss A-MQ 6 as having a low impact; although the vulnerable artifact(s) are distributed with the product, they are not used.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #27 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact. This is because the components using the affected versions of velocity, namely camel-velocity, do not allow, by default, use of templates derived from unprivileged mutable/dynamic sources, i.e. they do not allow generation or modification of templates from a source an attacker may control, which is a prerequisite of this attack.
Customers using camel velocity with `allowTemplateFromHeader` or `allowContextMapAll` set to true are strongly advised to either disable the dynamic template functionality or ensure the templates are from a source that is not derived from unprivileged user input.
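The defender's side of the bug description and of comment #27, as an added example that is not code from this bug report, from Apache Velocity or from Apache Camel: the Velocity engine is pinned to a classpath resource loader so the set of templates is fixed at build time, untrusted input reaches the engine only as a context value (rendered as data, never parsed as directives), and the camel-velocity route leaves `allowTemplateFromHeader` and `allowContextMapAll` at their default of false. The template paths `templates/greeting.vm` and `templates/camel-greeting.vm`, their contents, the `direct:` endpoint names, the Camel 3.x API, and the hostile-looking sample input are all assumptions made for this example.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.camel.CamelContext;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class SafeVelocityUsage {

    // Plain Velocity, no Camel. The only resource loader is the classpath
    // loader, so an attacker who can influence request data still cannot
    // point the engine at a template they control. Run on velocity-engine-core
    // 2.3 or later, the fixed version recorded in this bug.
    static VelocityEngine trustedTemplatesOnly() {
        Properties p = new Properties();
        p.setProperty("resource.loaders", "classpath");
        p.setProperty("resource.loader.classpath.class",
                "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
        VelocityEngine engine = new VelocityEngine();
        engine.init(p);
        return engine;
    }

    // Untrusted input is placed in the context as a value. Velocity substitutes
    // it into the output as text; it is not re-parsed, so directives inside it
    // have no effect. The template is a fixed, trusted classpath resource.
    static String renderGreeting(VelocityEngine engine, String untrustedName) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", untrustedName);
        StringWriter out = new StringWriter();
        // Assumed content of templates/greeting.vm:   Hello, $name!
        engine.mergeTemplate("templates/greeting.vm", "UTF-8", ctx, out);
        return out.toString();
    }

    // camel-velocity (Camel 3.x). With the component defaults, the template
    // comes only from the endpoint URI; Camel's CamelVelocityTemplate and
    // CamelVelocityResourceUri headers are ignored unless
    // allowTemplateFromHeader=true, and the template sees only body and headers
    // unless allowContextMapAll=true.
    static RouteBuilder routes() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                // Hardened: fixed template, defaults left in place.
                // Assumed content of templates/camel-greeting.vm:   Hello, $body!
                from("direct:greet")
                    .to("velocity:templates/camel-greeting.vm");

                // Weak configuration that comment #27 warns about, left disabled
                // here for contrast: a caller can then supply the template itself
                // in a message header, which is exactly the precondition of
                // CVE-2020-13936, and gets full Exchange/CamelContext access.
                // from("direct:greet-dynamic")
                //     .to("velocity:templates/camel-greeting.vm"
                //         + "?allowTemplateFromHeader=true&allowContextMapAll=true");
            }
        };
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = trustedTemplatesOnly();
        // Constructed input containing a Velocity directive. Because it arrives
        // as a context value, the output is the literal text
        //   Hello, #set($x = 1)$x!
        System.out.println(renderGreeting(engine, "#set($x = 1)$x"));

        CamelContext camel = new DefaultCamelContext();
        camel.addRoutes(routes());
        camel.start();
        try {
            ProducerTemplate producer = camel.createProducerTemplate();
            // Same input through the hardened route: rendered as data as well.
            String out = producer.requestBody("direct:greet", "#set($x = 1)$x", String.class);
            System.out.println(out);
        } finally {
            camel.stop();
        }
    }
}
```

The two halves make the same point in two places: the protection is not in escaping the input but in never letting the input become the template. Checking which of `allowTemplateFromHeader` and `allowContextMapAll` are set on camel-velocity endpoints is the quickest way to confirm whether a Fuse or Camel K deployment matches the moderate-impact rationale in comment #27.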
Bug 1937440 depends on bug 1937442, which changed state.
Bug 1937442 Summary: CVE-2020-13936 eclipse: velocity: arbitrary code execution when attacker is able to modify templates [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1937442
What          |Removed |Added
--------------+--------+------------------
Status        |NEW     |CLOSED
Resolution    |---     |NOTABUG
--- Comment #30 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2021:2051 https://access.redhat.com/errata/RHSA-2021:2051
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
Via RHSA-2021:2047 https://access.redhat.com/errata/RHSA-2021:2047
--- Comment #32 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
Via RHSA-2021:2046 https://access.redhat.com/errata/RHSA-2021:2046
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
Via RHSA-2021:2048 https://access.redhat.com/errata/RHSA-2021:2048
Product Security DevOps Team prodsec-dev@redhat.com changed:
What          |Removed |Added
--------------+--------+---------------------
Status        |NEW     |CLOSED
Resolution    |---     |ERRATA
Last Closed   |        |2021-05-19 20:57:10
--- Comment #34 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-13936
Bug 1937440 depends on bug 1937441, which changed state.
Bug 1937441 Summary: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1937441
What          |Removed  |Added
--------------+---------+------------------
Status        |MODIFIED |CLOSED
Resolution    |---      |ERRATA
--- Comment #35 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat EAP-XP via EAP 7.3.x base
Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210
--- Comment #37 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base
Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
--------------+--------+-----------------------
Link ID       |        |Red Hat Product Errata
              |        |RHSA-2021:2755
--- Comment #38 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
--------------+--------+-----------------------
Link ID       |        |Red Hat Product Errata
              |        |RHSA-2021:3140
--- Comment #39 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
--------------+--------+-----------------------
Link ID       |        |Red Hat Product Errata
              |        |RHSA-2021:3656
--- Comment #40 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
--------------+--------+-----------------------
Link ID       |        |Red Hat Product Errata
              |        |RHSA-2021:3658
--- Comment #41 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP 7.4.1 release
Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
--------------+--------+-----------------------
Link ID       |        |Red Hat Product Errata
              |        |RHSA-2021:3660
--- Comment #42 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
--------------+--------+-----------------------
Link ID       |        |Red Hat Product Errata
              |        |RHSA-2021:4767
--- Comment #43 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
--------------+--------+-----------------------
Link ID       |        |Red Hat Product Errata
              |        |RHSA-2021:4918