Vulnerabilities > CVE-2015-0250
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
PARTIAL Summary
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>
Vulnerable Configurations
Nessus
NASL family Web Servers NASL id WEBSPHERE_8_5_5_6.NASL description The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.6. It is, therefore, potentially affected by multiple vulnerabilities : - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists in the IBM Global Security Kit (GSKit) due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0138) - An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J. A remote attacker can exploit this, via a crafted message, to determine where an encryption failure to place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226) - An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source. A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250) - A privilege escalation vulnerability exists due to a flaw that occurs in last seen 2020-06-01 modified 2020-06-02 plugin id 84639 published 2015-07-09 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84639 title IBM WebSphere Application Server 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.6 (FP6) Multiple Vulnerabilities (Bar Mitzvah) (FREAK) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(84639); script_version("1.11"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id( "CVE-2015-0138", "CVE-2015-0226", "CVE-2015-0250", "CVE-2015-1885", "CVE-2015-1927", "CVE-2015-1932", "CVE-2015-1936", "CVE-2015-1946", "CVE-2015-2808", "CVE-2015-4938" ); script_bugtraq_id( 72553, 73326, 73684, 74219, 75480, 75486, 75496, 76463, 76466 ); script_xref(name:"CERT", value:"243585"); script_name(english:"IBM WebSphere Application Server 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.6 (FP6) Multiple Vulnerabilities (Bar Mitzvah) (FREAK)"); script_summary(english:"Reads the version number from the SOAP port."); script_set_attribute(attribute:"synopsis", value: "The remote application server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.6. It is, therefore, potentially affected by multiple vulnerabilities : - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists in the IBM Global Security Kit (GSKit) due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0138) - An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J. A remote attacker can exploit this, via a crafted message, to determine where an encryption failure to place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226) - An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source. A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250) - A privilege escalation vulnerability exists due to a flaw that occurs in 'full' profile and 'liberty' profile when using an OAuth grant password. A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1885) - A privilege escalation vulnerability exists due to incorrect settings in the serveServletsbyClassname functionality. A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1927) - An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to identify the proxy server software by reading the HTTP 'Via' header. (CVE-2015-1932) - An unspecified flaw exists in the administrative console that allows a remote attacker, via the 'JSESSIONID' parameter, to hijack a user's session. (CVE-2015-1936) - A privilege escalation vulnerability exists due to an unspecified flaw that occurs when handling user roles. A local attacker can exploit this to gain elevated privileges. (CVE-2015-1946) - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - An unspecified flaw exists that allows an unauthenticated, remote attacker to spoof servlets or disclose sensitive information. (CVE-2015-4938)"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21698613"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21959083"); script_set_attribute(attribute:"see_also", value:"http://www-304.ibm.com/support/docview.wss?uid=swg27004980"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21963275"); # https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bbf45ac"); script_set_attribute(attribute:"solution", value: "Apply IBM 7.0 Fix Pack 39 (7.0.0.39) / 8.0 Fix Pack 11 (8.0.0.11) / 8.5 Fix Pack 6 (8.5.5.6) or later. Alternatively, apply the Interim Fixes as recommended in the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2015/06/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/09"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("websphere_detect.nasl"); script_require_ports("Services/www", 8880, 8881); script_require_keys("www/WebSphere", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_http_port(default:8880, embedded:0); version = get_kb_item_or_exit("www/WebSphere/"+port+"/version"); source = get_kb_item_or_exit("www/WebSphere/"+port+"/source"); app_name = "IBM WebSphere Application Server"; if (version =~ "^[0-9]+(\.[0-9]+)?$") audit(AUDIT_VER_NOT_GRANULAR, app_name, port, version); fix = FALSE; # Fixed version for compare min = FALSE; # Min version for branch pck = FALSE; # Fix pack name (tacked onto fix in report) itr = "PI36563, PI36211, PI39768, PI31622, PI37230, and PI35180"; # Required interim fixes if (version =~ "^8\.5\.") { fix = '8.5.5.6'; min = '8.5.0.0'; # CVE-2015-0226 only 8.5.5.2 - 8.5.5.5 # has an additional interim fix. if(version =~ "^8\.5\.5\.[2-5]$") itr = 'PI36866, ' + itr; pck = " (Fix Pack 6)"; } else if (version =~ "^8\.0\.") { fix = '8.0.0.11'; min = '8.0.0.0'; itr = 'PI37396, PI38403, ' + itr; pck = " (Fix Pack 11)"; } else if (version =~ "^7\.0\.") { fix = '7.0.0.39'; min = '7.0.0.0'; itr = 'PI37396, PI38403, ' + itr; pck = " (Fix Pack 39)"; } if (fix && min && ver_compare(ver:version, fix:fix, strict:FALSE) < 0 && ver_compare(ver:version, fix:min, strict:FALSE) >= 0 ) { if (report_verbosity > 0) { report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : ' + fix + pck + '\n Interim fixes : ' + itr + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);
NASL family Fedora Local Security Checks NASL id FEDORA_2015-8803.NASL description Security fix for CVE-2015-0250 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-06-05 plugin id 84002 published 2015-06-05 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84002 title Fedora 22 : batik-1.8-0.18.svn1230816.fc22 (2015-8803) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-203.NASL description Updated batik packages fix security vulnerability : Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption (CVE-2015-0250). last seen 2020-06-01 modified 2020-06-02 plugin id 82738 published 2015-04-13 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82738 title Mandriva Linux Security Advisory : batik (MDVSA-2015:203) NASL family Fedora Local Security Checks NASL id FEDORA_2015-8783.NASL description Security fix for CVE-2015-0250 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-06-05 plugin id 84000 published 2015-06-05 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84000 title Fedora 21 : batik-1.8-0.18.svn1230816.fc21 (2015-8783) NASL family Fedora Local Security Checks NASL id FEDORA_2015-8745.NASL description Security fix for CVE-2015-0250 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-06-05 plugin id 83997 published 2015-06-05 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83997 title Fedora 20 : batik-1.8-0.12.svn1230816.fc20 (2015-8745) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3205.NASL description Nicolas Gregoire and Kevin Schaller discovered that Batik, a toolkit for processing SVG images, would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption. last seen 2020-03-17 modified 2015-03-30 plugin id 82302 published 2015-03-30 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82302 title Debian DSA-3205-1 : batik - security update NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2548-1.NASL description Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 82267 published 2015-03-26 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82267 title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : batik vulnerability (USN-2548-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-182.NASL description Nicolas Gregoire and Kevin Schaller discovered that Batik, a toolkit for processing SVG images, would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-03-30 plugin id 82299 published 2015-03-30 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82299 title Debian DLA-182-1 : batik security update
Redhat
advisories |
|
References
- http://advisories.mageia.org/MGASA-2015-0138.html
- http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html
- http://rhn.redhat.com/errata/RHSA-2016-0041.html
- http://rhn.redhat.com/errata/RHSA-2016-0042.html
- http://seclists.org/fulldisclosure/2015/Mar/142
- http://www.debian.org/security/2015/dsa-3205
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:203
- http://www.securitytracker.com/id/1032781
- http://www.ubuntu.com/usn/USN-2548-1
- http://www-01.ibm.com/support/docview.wss?uid=swg21963275
- http://xmlgraphics.apache.org/security.html