Vulnerability Description
In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as a class name and uses it to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.
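The pattern the description refers to, shown as an added illustration that is not Batik's own code: a hypothetical serializable document class whose `readObject` instantiates a class named in the stream. The unchecked variant is kept beside the hardened one only to show what the type check guards; the class name, field name and interface (`DOMImplementation`) are assumptions for the example.

```java
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import org.w3c.dom.DOMImplementation;

// Hypothetical class illustrating the advisory's pattern; not Batik's code.
public class SerializableDoc implements Serializable {
    private static final long serialVersionUID = 1L;
    private transient DOMImplementation implementation;

    // Unchecked pattern (as the advisory describes the pre-1.10 behaviour):
    // whatever class name the stream names is instantiated, so any class with
    // a no-arg constructor on the classpath gets constructed during
    // deserialization. Not wired to serialization here; shown for contrast.
    private void readImplementationUnchecked(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        String className = in.readUTF();
        try {
            implementation = (DOMImplementation)
                Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new InvalidObjectException("cannot instantiate " + className);
        }
    }

    // Hardened form (the fix the advisory describes): verify the type before
    // calling newInstance. Loading with initialize=false keeps the class's
    // static initializer from running before the check has passed.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        String className = in.readUTF();
        Class<?> cls = Class.forName(className, false, getClass().getClassLoader());
        if (!DOMImplementation.class.isAssignableFrom(cls)) {
            throw new InvalidObjectException(
                "unexpected DOMImplementation class: " + className);
        }
        try {
            implementation = (DOMImplementation)
                cls.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new InvalidObjectException("cannot instantiate " + className);
        }
    }
}
```

On Java 9+ (and 8u121+), a JVM-wide or per-stream `ObjectInputFilter` adds a second, independent allow-list check on every class the stream resolves, which is worth configuring regardless of how individual `readObject` methods are written.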
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Batik | >= 1.0, < 1.10 |
| Debian | Debian Linux | 7.0 |
| Canonical | Ubuntu Linux | 14.04 |
| Oracle | Business Intelligence | 11.1.1.7.0 |
| Oracle | Communications Diameter Signaling Router | < 8.3 |
| Oracle | Communications Metasolv Solution | 6.3.0 |
| Oracle | Communications Webrtc Session Controller | < 7.2 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 7.3.3.0.0, <= 7.3.3.0.2 |
| Oracle | Fusion Middleware Mapviewer | 12.2.1.2 |
| Oracle | Instantis Enterprisetrack | 17.1 |
| Oracle | Insurance Calculation Engine | 10.1.1 |
| Oracle | Insurance Policy Administration J2Ee | 10.0 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2 |
| Oracle | Retail Back Office | 13.3 |
| Oracle | Retail Central Office | 14.1 |
| Oracle | Retail Integration Bus | 17.0 |
| Oracle | Retail Order Broker | 5.1 |
| Oracle | Retail Point-Of-Service | 13.4 |
Related Weaknesses (CWE)
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/104252 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1040995 (Third Party Advisory, VDB Entry)
- https://lists.apache.org/thread.html/r9e90b4d1cf6ea87a79bb506541140dfbf4801f4463
- https://lists.apache.org/thread.html/rc0a31867796043fbe59113fb654fe8b13309fe04f8
- https://lists.debian.org/debian-lts-announce/2018/05/msg00016.html (Mailing List, Third Party Advisory)
- https://mail-archives.apache.org/mod_mbox/xmlgraphics-batik-dev/201805.mbox/%3c0
- https://security.gentoo.org/glsa/202401-11
- https://usn.ubuntu.com/3661-1/ (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4215 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Patch, Third Party Advisory)
FAQ
What is CVE-2018-8013?
CVE-2018-8013 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as a class name and uses it to call the no-arg constructor of ...
How severe is CVE-2018-8013?
CVE-2018-8013 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-8013?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Batik, Debian Linux, Canonical Ubuntu Linux, Oracle Business Intelligence, Oracle Communications Diameter Signaling Router.