Vulnerabilities > CVE-2018-8013 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
debian
canonical
oracle
CWE-502
critical
nessus

Summary

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Vulnerable Configurations

Part Description Count
Application
Apache
24
Application
Oracle
86
OS
Debian
3
OS
Canonical
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3661-1.NASL
    descriptionIt was discovered that Batik incorrectly handled certain XML. An attacker could possibly use this to expose sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110225
    published2018-05-30
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110225
    titleUbuntu 14.04 LTS : batik vulnerability (USN-3661-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3661-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110225);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2018-8013");
      script_xref(name:"USN", value:"3661-1");
    
      script_name(english:"Ubuntu 14.04 LTS : batik vulnerability (USN-3661-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Batik incorrectly handled certain XML. An
    attacker could possibly use this to expose sensitive information.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3661-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libbatik-java package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libbatik-java");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libbatik-java", pkgver:"1.7.ubuntu-8ubuntu2.14.04.3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libbatik-java");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-168AF81706.NASL
    descriptionSecurity fix for CVE-2018-8013. Updated to upstream release 1.10. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120250
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120250
    titleFedora 28 : batik (2018-168af81706)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-168af81706.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120250);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-8013");
      script_xref(name:"FEDORA", value:"2018-168af81706");
    
      script_name(english:"Fedora 28 : batik (2018-168af81706)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2018-8013. Updated to upstream release 1.10.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-168af81706"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected batik package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:batik");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC28", reference:"batik-1.10-1.fc28")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "batik");
    }
    
  • NASL familyMisc.
    NASL idORACLE_BI_PUBLISHER_OCT_2018_CPU.NASL
    descriptionThe version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.7.x prior to 11.1.1.7.181016, 11.1.1.9.x prior to 11.1.1.9.181016, 12.2.1.3.x prior to 12.2.1.3.181016, or 12.2.1.4.x prior to 12.2.1.4.181016. It is, therefore, affected by multiple vulnerabilities as noted in the October 2018 Critical Patch Update advisory: - A deserialization vulnerability exists in Apache Log4j 2.x before 2.8.2. An unauthenticated, remote attacker can exploit this, via a specially crafted binary, to execute arbitrary code on the target host (CVE-2017-5645). - An information disclosure vulnerability exists in Analytics Server, Oracle BI Publisher.Supported version affected is 12.2.1.3.0 An unauthenticated, remote attacker can exploit this, via HTTP, to disclose potentially sensitive information. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (CVE-2018-3204). - A deserialization vulnerability exists in Apache Batik 1.x before 1.10 due to subclass of `AbstractDocument`. An unauthenticated, remote attacker can exploit this, via deserializing subclass of `AbstractDocument`, to execute arbitrary code on the target host (CVE-2018-8013). Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-05-31
    modified2019-01-03
    plugin id120948
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120948
    titleOracle Business Intelligence Publisher Multiple Vulnerabilities (October 2018 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120948);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/27");
    
      script_cve_id("CVE-2017-5645", "CVE-2018-3204", "CVE-2018-8013");
      script_bugtraq_id(97702, 104252, 105623);
    
      script_name(english:"Oracle Business Intelligence Publisher Multiple Vulnerabilities (October 2018 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Business Intelligence Publisher running on the
    remote host is 11.1.1.7.x prior to 11.1.1.7.181016, 11.1.1.9.x prior
    to 11.1.1.9.181016, 12.2.1.3.x prior to 12.2.1.3.181016, or
    12.2.1.4.x prior to 12.2.1.4.181016. It is, therefore, affected by 
    multiple vulnerabilities as noted in the October 2018 Critical 
    Patch Update advisory:
    
      - A deserialization vulnerability exists in Apache Log4j
        2.x before 2.8.2. An unauthenticated, remote attacker
        can exploit this, via a specially crafted binary, to
        execute arbitrary code on the target host
        (CVE-2017-5645).
    
      - An information disclosure vulnerability exists in 
        Analytics Server, Oracle BI Publisher.Supported version
        affected is 12.2.1.3.0 An unauthenticated, remote
        attacker can exploit this, via HTTP, to disclose 
        potentially sensitive information. Successful attacks
        require human interaction from a person other than the
        attacker and while the vulnerability is in Oracle
        Business Intelligence Enterprise Edition, attacks may 
        significantly impact additional products
        (CVE-2018-3204).
    
      - A deserialization vulnerability exists in Apache Batik 
        1.x before 1.10 due to subclass of `AbstractDocument`.
        An unauthenticated, remote attacker can exploit this, 
        via deserializing subclass of `AbstractDocument`, to
        execute arbitrary code on the target host
        (CVE-2018-8013).
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?705136d8");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the October 2018 Oracle
    Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8013");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"agent", value:"all");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence_publisher");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_bi_publisher_installed.nbin", "oracle_bi_publisher_detect.nasl");
      script_require_keys("installed_sw/Oracle Business Intelligence Publisher");
    
      exit(0);
    }
    
    include('vcf.inc');
    include('vcf_extras.inc');
    appname = 'Oracle Business Intelligence Publisher';
    app_info = vcf::get_app_info(app:appname);
    
    # 11.1.1.7.x - Bundle: 28632415 | Patch: 28500572
    # 11.1.1.9.x - Bundle: 28632479 | Patch: 28609078
    # 12.2.1.3.x - Bundle: 28291838 | Patch: 28291838
    # 12.2.1.4.x - Bundle: 28500593 | Patch: 28500593
    constraints = [
      {'min_version': '11.1.1.7', 'fixed_version': '11.1.1.7.181016', 'patch': '28500572', 'bundle': '28632415'},
      {'min_version': '11.1.1.9', 'fixed_version': '11.1.1.9.181016', 'patch': '28609078', 'bundle': '28632479'},
      {'min_version': '12.2.1.3', 'fixed_version': '12.2.1.3.181016', 'patch': '28291838', 'bundle': '28291838'},
      {'min_version': '12.2.1.4', 'fixed_version': '12.2.1.4.181016', 'patch': '28500593', 'bundle': '28500593'}
    ];
    
    vcf::oracle_bi_publisher::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyWindows
    NASL idORACLE_WEBCENTER_SITES_JUL_2019_CPU.NASL
    descriptionOracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities : - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Groovy)) due to a lack of isolation of object deserialization code. An unauthenticated, remote attacker can exploit this, via HTTP, to execute arbitrary code on the target host. (CVE-2016-6814) - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Commons FileUpload)) due to an unspecified reason. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2016-1000031) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Apache Batik)) due to an issue with deserialization. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop functioning properly. (CVE-2018-8013) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Spring Framework)) due to an issue handling range requests with a high number of ranges, wide ranges that overlap, or both. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop responding. (CVE-2018-15765) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-05-03
    modified2020-04-29
    plugin id136091
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136091
    titleOracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136091);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/27");
    
      script_cve_id(
        "CVE-2016-6814",
        "CVE-2016-1000031",
        "CVE-2018-8013",
        "CVE-2018-15756"
      );
      script_xref(name:"IAVA", value:"2019-A-0256");
    
      script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application running on the remote host is affected by multiple security vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities :
    
      - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware
        (subcomponent: Advanced UI (Apache Groovy)) due to a lack of isolation of object deserialization code. An
        unauthenticated, remote attacker can exploit this, via HTTP, to execute arbitrary code on the target host.
        (CVE-2016-6814)
    
      - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion
        Middleware (subcomponent: Advanced UI (Apache Commons FileUpload)) due to an unspecified reason. An
        unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
        (CVE-2016-1000031)
    
      - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion
        Middleware (subcomponent: Third Party Tools (Apache Batik)) due to an issue with deserialization. An
        unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop
        functioning properly. (CVE-2018-8013)
    
      - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion
        Middleware (subcomponent: Advanced UI (Spring Framework)) due to an issue handling range requests with
        a high number of ranges, wide ranges that overlap, or both. An unauthenticated, remote attacker can
        exploit this issue, via HTTP, to cause the application to stop responding. (CVE-2018-15765)
    
    Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's
    self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujul2019.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the July 2019 Oracle Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/29");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_webcenter_sites_installed.nbin");
      script_require_keys("SMB/WebCenter_Sites/Installed");
    
      exit(0);
    }
    
    get_kb_item_or_exit('SMB/WebCenter_Sites/Installed');
    
    port = get_kb_item('SMB/transport');
    if (isnull(port))
      port = 445;
    
    versions = get_kb_list('SMB/WebCenter_Sites/*/Version');
    if (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.');
    
    report = '';
    
    # vulnerable versions: 
    # - 12.2.1.3.0 - Revision 185862, Patch 29957990
    #     Note that the revision does not match up with the version suffix shown in the readme
    
    foreach key (keys(versions))
    {
      fix = '';
    
      version = versions[key];
      revision = get_kb_item(key - '/Version' + '/Revision');
      path = get_kb_item(key - '/Version' + '/Path');
    
      if (isnull(version) || isnull(revision)) continue;
    
      # Patch 29957990 - 12.2.1.3.0 < Revision 185862
      if (version =~ "^12\.2\.1\.3\.0$" && revision < 185862)
      {
        fix = '\n  Fixed revision : 185862' +
              '\n  Required patch : 29957990';
      }
    
      if (fix != '')
      {
        if (!isnull(path)) report += '\n  Path           : ' + path;
        report += '\n  Version        : ' + version +
                  '\n  Revision       : ' + revision +
                  fix + '\n';
      }
    }
    
    if (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    else audit(AUDIT_INST_VER_NOT_VULN, "Oracle WebCenter Sites");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4215.NASL
    descriptionMan Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a toolkit for processing SVG images, did not properly validate its input. This would allow an attacker to cause a denial-of-service, mount cross-site scripting attacks, or access restricted files on the server.
    last seen2020-06-01
    modified2020-06-02
    plugin id110316
    published2018-06-05
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110316
    titleDebian DSA-4215-1 : batik - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4215. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110316);
      script_version("1.4");
      script_cvs_date("Date: 2018/11/13 12:30:47");
    
      script_cve_id("CVE-2017-5662", "CVE-2018-8013");
      script_xref(name:"DSA", value:"4215");
    
      script_name(english:"Debian DSA-4215-1 : batik - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a
    toolkit for processing SVG images, did not properly validate its
    input. This would allow an attacker to cause a denial-of-service,
    mount cross-site scripting attacks, or access restricted files on the
    server."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860566"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899374"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/batik"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/batik"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/batik"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2018/dsa-4215"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the batik packages.
    
    For the oldstable distribution (jessie), these problems have been
    fixed in version 1.7+dfsg-5+deb8u1.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 1.8-4+deb9u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:batik");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"libbatik-java", reference:"1.7+dfsg-5+deb8u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libbatik-java", reference:"1.8-4+deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1385.NASL
    descriptionMan Yue Mo discovered a security vulnerability in Apache Batik, an SVG image library. A missing check for the class type before calling newInstance when deserializing a subclass of AbstractDocument could lead to information disclosure. For Debian 7
    last seen2020-03-17
    modified2018-05-29
    plugin id110161
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110161
    titleDebian DLA-1385-1 : batik security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1385-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110161);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2018-8013");
    
      script_name(english:"Debian DLA-1385-1 : batik security update");
      script_summary(english:"Checks dpkg output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Man Yue Mo discovered a security vulnerability in Apache Batik, an SVG
    image library. A missing check for the class type before calling
    newInstance when deserializing a subclass of AbstractDocument could
    lead to information disclosure.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    1.7+dfsg-3+deb7u3.
    
    We recommend that you upgrade your batik packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/05/msg00016.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/batik"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected libbatik-java package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libbatik-java");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libbatik-java", reference:"1.7+dfsg-3+deb7u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-79792E0C64.NASL
    descriptionSecurity fix for CVE-2018-8013. Updated to upstream release 1.10. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-06-11
    plugin id110427
    published2018-06-11
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110427
    titleFedora 27 : batik (2018-79792e0c64)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-79792e0c64.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110427);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-8013");
      script_xref(name:"FEDORA", value:"2018-79792e0c64");
    
      script_name(english:"Fedora 27 : batik (2018-79792e0c64)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2018-8013. Updated to upstream release 1.10.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-79792e0c64"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected batik package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:batik");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"batik-1.10-1.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "batik");
    }
    

References