https://bugzilla.redhat.com/show_bug.cgi?id=1933808
Bug ID: 1933808
Summary: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aileenc@redhat.com, akurtako@redhat.com, andjrobins@gmail.com, chazlett@redhat.com, dbhole@redhat.com, drieden@redhat.com, ebaron@redhat.com, eclipse-sig@lists.fedoraproject.org, ggaughan@redhat.com, gmalinko@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jerboaa@gmail.com, jjohnstn@redhat.com, jkang@redhat.com, jochrist@redhat.com, jvanek@redhat.com, jwon@redhat.com, lef@fedoraproject.org, mat.booth@redhat.com, mizdebsk@redhat.com, rgrunber@redhat.com
Target Milestone: ---
Classification: Other
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
References:
https://xmlgraphics.apache.org/security.html
https://www.openwall.com/lists/oss-security/2021/02/24/2
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What       | Removed | Added
-----------|---------|------------------
Blocks     |         | 1933811
Depends On |         | 1933809, 1933810
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1933809 [Bug 1933809] CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1933810 [Bug 1933810] CVE-2020-11987 eclipse: batik: SSRF due to improper input validation by the NodePickerPanel [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created batik tracking bugs for this issue:
Affects: fedora-all [bug 1933809]
Created eclipse tracking bugs for this issue:
Affects: fedora-all [bug 1933810]
Jonathan Christison jochrist@redhat.com changed:
What             | Removed | Added
-----------------|---------|-----------
Fixed In Version |         | batik-1.14
--- Comment #3 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #4 from Todd Cullum tcullum@redhat.com --- Upstream patch commit: https://github.com/apache/xmlgraphics-batik/commit/0ef5b661a1f77772d1110877e... Upstream issue: https://issues.apache.org/jira/browse/BATIK-1284
Todd Cullum tcullum@redhat.com changed:
What       | Removed | Added
-----------|---------|------------------
Depends On |         | 1938331, 1938332
--- Comment #6 from Todd Cullum tcullum@redhat.com --- Flaw summary:
NodePickerPanel in batik was configured to load XML external Document Type Definitions (DTDs) and XML external entities. This allowed for crafted input to result in server-side request forgery, allowing an attacker to make arbitrary GET requests from the server. The patch disables external-general-entities, external-parameter-entities, and load-external-dtd in NodePickerPanel to prevent this.
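To make the flaw summary above concrete, here is an added example (not Batik's own code and not from the NodePickerPanel patch) that builds a JAXP parser two ways: once with the JDK defaults, which load the external DTD and resolve external entities exactly as described, and once with the three SAX/Xerces features named in the summary switched off. The crafted document and its host names are constructed placeholders, and an EntityResolver stands in for the network so the program runs offline and simply records which URLs the parser tried to fetch.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;

/**
 * Illustration of the SSRF primitive in the flaw summary: an XML document
 * whose DOCTYPE points at an external DTD and declares an external general
 * entity. A parser that honours both will issue GET requests for them.
 */
public class ExternalEntityDemo {

    // Constructed sample input (hosts are placeholders, not real targets).
    static final String CRAFTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg SYSTEM \"http://attacker.invalid/evil.dtd\" [\n"
      + "  <!ENTITY probe SYSTEM \"http://internal.invalid/admin\">\n"
      + "]>\n"
      + "<svg>&probe;</svg>\n";

    /** Parser with JDK defaults: external DTD and external entities are loaded. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    /** Parser with the three features the upstream patch disables. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Stricter still, where the input format never needs a DOCTYPE:
        // f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Parse CRAFTED_XML with the given builder and return every system ID the
     * parser asked to fetch. The resolver answers with an empty entity so the
     * parse completes without touching the network.
     */
    static List<String> parseAndRecordFetches(DocumentBuilder b) throws Exception {
        List<String> requested = new ArrayList<>();
        b.setEntityResolver((publicId, systemId) -> {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        });
        b.parse(new InputSource(new StringReader(CRAFTED_XML)));
        return requested;
    }

    public static void main(String[] args) throws Exception {
        // Expected: the permissive parser requests both URLs, the hardened one none.
        System.out.println("permissive: " + parseAndRecordFetches(permissiveBuilder()));
        System.out.println("hardened:   " + parseAndRecordFetches(hardenedBuilder()));
    }
}
```

The recording resolver is the check worth keeping in a test suite: assert that the hardened builder produces an empty list for any DOCTYPE-bearing input. Note that the patch leaves DOCTYPE declarations themselves allowed; if the input format never legitimately needs one, `disallow-doctype-decl` closes the remaining entity-expansion surface as well.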
Bug 1933808 depends on bug 1933809, which changed state.
Bug 1933809 Summary: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1933809

What       | Removed | Added
-----------|---------|-------
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA

Bug 1933808 depends on bug 1933810, which changed state.
Bug 1933810 Summary: CVE-2020-11987 eclipse: batik: SSRF due to improper input validation by the NodePickerPanel [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1933810
What       | Removed | Added
-----------|---------|-------
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA
Todd Cullum tcullum@redhat.com changed:
What        | Removed | Added
------------|---------|--------------------
Resolution  | ---     | ERRATA
Status      | NEW     | CLOSED
Last Closed |         | 2021-11-02 23:10:29
--- Comment #11 from Jonathan Christison jochrist@redhat.com --- Although Batik is distributed and used in Red Hat Fuse 7, we believe this vulnerability presents a low impact, as the vulnerability occurs in Java Swing UI components of Batik (NodePickerPanel) and there is no use of this functionality.
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.10
Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|---------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2021:5134