Vulnerability CVE-2018-8013


Published: 2018-05-24

Description:
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Type:

CWE-502

(Deserialization of Untrusted Data)

Vendor: Oracle
Product: Jd edwards enterpriseone tools 
Version: 9.2;
Product: Communications diameter signaling router 
Version:
8.2
8.1
6.0
Product: Financial services analytical applications infrastructure 
Version:
8.0.5.0.0
8.0.4.0.0
8.0.3.0.0
8.0.2.0.0
8.0.1.0.0
8.0.0.0.0
Product: Communications metasolv solution 
Version: 6.3.0;
Product: Retail order broker 
Version:
5.2
5.1
16.0
15.0
Product: Instantis enterprisetrack 
Version:
17.3
17.2
17.1
Product: Retail integration bus 
Version: 17.0;
Product: Retail returns management 
Version: 14.1;
Product: Retail back office 
Version:
14.1
14
13.4
13.3
Product: Retail point-of-service 
Version:
14.1
14.0
13.4
Product: Retail central office 
Version: 14.1;
Product: Business intelligence 
Version:
12.2.1.4.0
12.2.1.3.0
11.1.1.9.0
11.1.1.7.0
Product: Data integrator 
Version: 12.2.1.3.0;
Product: Fusion middleware mapviewer 
Version: 12.2.1.3; 12.2.1.2;
Product: Enterprise repository 
Version: 12.1.3.0.0; 11.1.1.7.0;
Product: Insurance calculation engine 
Version: 10.2.1; 10.1.1;
Product: Insurance policy administration j2ee 
Version: 10.2; 10.0;
Vendor: Debian
Product: Debian linux 
Version:
9.0
8.0
7.0
Vendor: Canonical
Product: Ubuntu linux 
Version: 14.04;
Vendor: Apache
Product: Batik 
Version:
1.9.1
1.9
1.8
1.7.1
1.7
1.6.1
1.6
1.5.1
1.5
1.1.1
1.1
1.0

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/104252
http://www.securitytracker.com/id/1040995
https://lists.debian.org/debian-lts-announce/2018/05/msg00016.html
https://mail-archives.apache.org/mod_mbox/xmlgraphics-batik-dev/201805.mbox/%3c000701d3f28f$d01860a0$704921e0$@gmail.com%3e
https://usn.ubuntu.com/3661-1/
https://www.debian.org/security/2018/dsa-4215
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://xmlgraphics.apache.org/security.html

Related CVE
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CVE-2019-0231
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2....
CVE-2019-10097
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulner...
CVE-2019-10092
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only ...
CVE-2019-10082
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.
CVE-2019-0203
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands. This can lead to disruption for users of the server.
CVE-2018-11782
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.
CVE-2019-10098
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

Copyright 2019, cxsecurity.com

 

Back to Top