CVE-2018-8013

high-risk

Published 2018-05-24

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Do I need to act?

1.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 55a7e24c4f4713efa012263e2262d40238d0c633

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Batik

Debian Linux

Ubuntu Linux

Business Intelligence

Communications Diameter Signaling Router

Communications Metasolv Solution

Communications Webrtc Session Controller

Data Integrator

Enterprise Repository

Financial Services Analytical Applications Infrastructure

Fusion Middleware Mapviewer

Instantis Enterprisetrack

Affected Vendors

Debian Apache Oracle Canonical

References (34)

Patch http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Third Party Advisory http://www.securityfocus.com/bid/104252

Third Party Advisory http://www.securitytracker.com/id/1040995

https://lists.apache.org/thread.html/r9e90b4d1cf6ea87a79bb506541140dfbf4801f4463...

https://lists.apache.org/thread.html/rc0a31867796043fbe59113fb654fe8b13309fe04f8...

Mailing List https://lists.debian.org/debian-lts-announce/2018/05/msg00016.html

https://mail-archives.apache.org/mod_mbox/xmlgraphics-batik-dev/201805.mbox/%3c0...

https://security.gentoo.org/glsa/202401-11

Third Party Advisory https://usn.ubuntu.com/3661-1/

Third Party Advisory https://www.debian.org/security/2018/dsa-4215

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Patch https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Third Party Advisory https://xmlgraphics.apache.org/security.html

Patch http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Third Party Advisory http://www.securityfocus.com/bid/104252

and 14 more references

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 4/34 · Minimal

Exposure 24/34 · High