In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0777-1 advisory.

  - In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed     to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the     user context in which the exploitable application is running. If the user is root a full compromise of the     server - including confidential or sensitive files - would be possible. XXE can also be used to attack the     availability of the server via denial of service as the references within a xml document can trivially     trigger an amplification attack. (CVE-2017-5662)

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.7.x prior to 11.1.1.7.180417 or 11.1.1.9.x prior to 11.1.1.9.180417, similarly, versions  12.2.1.2.x prior to 12.2.1.2.180116 and 12.2.1.3.x prior to 12.2.1.3.180116 are affected as noted in the April 2018 Critical Patch Update advisory. The Oracle Business Intelligence Publisher installed on the remote host is affected by multiple vulnerabilities:

  - A vulnerability can be exploited by a remote attacker     by sending a crafted serialized Java object. A     successful attack would allow the attacker to execute     arbitrary commands on the vulnerable server     (CVE-2015-7501).

  - A vulnerability exists on Apache Batik before 1.9.     The vulnerability would allow an attacker to send a     malicious SVG file to a user. An attacker who     successfully exploits this vulnerability could result     in the compromise of the server (CVE-2017-5662).

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a toolkit for processing SVG images, did not properly validate its input. This would allow an attacker to cause a denial-of-service, mount cross-site scripting attacks, or access restricted files on the server.

Update to upstream version 1.9. Fixes CVE-2017-5662.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Lars Krapf and Pierre Ernst discovered that Apache Batik incorrectly handled XML external entities. A remote attacker could possibly use this issue to obtain sensitive files from the filesystem, or cause a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2017-5662

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2017-5662

----

Add missing requires on xmlgraphics-commons

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running.
If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

For Debian 7 'Wheezy', these problems have been fixed in version 1.7+dfsg-3+deb7u2.

We recommend that you upgrade your batik packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
191700	SUSE SLES12 Security Update : xmlgraphics-batik (SUSE-SU-2024:0777-1)	Nessus	SuSE Local Security Checks	high
119939	Oracle Business Intelligence Publisher Multiple Vulnerabilities (April 2018 CPU)	Nessus	Misc.	critical
110316	Debian DSA-4215-1 : batik - security update	Nessus	Debian Local Security Checks	critical
101662	Fedora 26 : batik (2017-7a5f625013)	Nessus	Fedora Local Security Checks	high
100099	Ubuntu 14.04 LTS : Apache Batik vulnerability (USN-3280-1)	Nessus	Ubuntu Local Security Checks	high
100079	Fedora 24 : batik (2017-aff3dd3101)	Nessus	Fedora Local Security Checks	high
100074	Fedora 25 : batik (2017-43b46cd2da)	Nessus	Fedora Local Security Checks	high
99737	Debian DLA-926-1 : batik security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-5662

high

Tenable Plugins

high

critical

critical

high

high

high

high

high