CVE-2018-8013
First published: Wed May 23 2018(Updated: )
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/batik | <1.10-1 | 1.10-1 |
| ubuntu/batik | <1.7.ubuntu-8ubuntu2.14.04.3 | 1.7.ubuntu-8ubuntu2.14.04.3 |
| >=1.0<1.10 | ||
| =7.0 | ||
| =8.0 | ||
| =9.0 | ||
| =14.04 | ||
| =11.1.1.7.0 | ||
| =11.1.1.9.0 | ||
| =12.2.1.3.0 | ||
| =12.2.1.4.0 | ||
| <8.3 | ||
| =6.3.0 | ||
| <7.2 | ||
| =12.2.1.3.0 | ||
| =11.1.1.7.0 | ||
| =12.1.3.0.0 | ||
| >=7.3.3.0.0<=7.3.3.0.2 | ||
| >=8.0.0.0.0<=8.0.7.1.0 | ||
| =12.2.1.2 | ||
| =12.2.1.3 | ||
| =17.1 | ||
| =17.2 | ||
| =17.3 | ||
| =10.1.1 | ||
| =10.2.1 | ||
| =10.0 | ||
| =10.2 | ||
| =9.2 | ||
| =13.3 | ||
| =13.4 | ||
| =14 | ||
| =14.1 | ||
| =14.1 | ||
| =17.0 | ||
| =5.1 | ||
| =5.2 | ||
| =15.0 | ||
| =16.0 | ||
| =13.4 | ||
| =14.0 | ||
| =14.1 | ||
| =14.1 | ||
| Apache Batik | >=1.0<1.10 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =14.04 | |
| Oracle Business Intelligence | =11.1.1.7.0 | |
| Oracle Business Intelligence | =11.1.1.9.0 | |
| Oracle Business Intelligence | =12.2.1.3.0 | |
| Oracle Business Intelligence | =12.2.1.4.0 | |
| Oracle Communications Diameter Signaling Router | <8.3 | |
| Oracle Communications Metasolv Solution | =6.3.0 | |
| Oracle Communications WebRTC Session Controller | <7.2 | |
| Oracle Data Integrator | =12.2.1.3.0 | |
| Oracle Enterprise Repository | =11.1.1.7.0 | |
| Oracle Enterprise Repository | =12.1.3.0.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=7.3.3.0.0<=7.3.3.0.2 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.0.0.0<=8.0.7.1.0 | |
| Oracle Fusion Middleware MapViewer | =12.2.1.2 | |
| Oracle Fusion Middleware MapViewer | =12.2.1.3 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Insurance Calculation Engine | =10.1.1 | |
| Oracle Insurance Calculation Engine | =10.2.1 | |
| Oracle Insurance Policy Administration J2EE | =10.0 | |
| Oracle Insurance Policy Administration J2EE | =10.2 | |
| Oracle Jd Edwards Enterpriseone Tools | =9.2 | |
| Oracle Retail Back Office | =13.3 | |
| Oracle Retail Back Office | =13.4 | |
| Oracle Retail Back Office | =14 | |
| Oracle Retail Back Office | =14.1 | |
| Oracle Retail Central Office | =14.1 | |
| Oracle Retail Integration Bus | =17.0 | |
| Oracle Retail Order Broker | =5.1 | |
| Oracle Retail Order Broker | =5.2 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Retail Order Broker | =16.0 | |
| Oracle Retail Point-of-Service | =13.4 | |
| Oracle Retail Point-of-Service | =14.0 | |
| Oracle Retail Point-of-Service | =14.1 | |
| Oracle Retail Returns Management | =14.1 | |
| maven/org.apache.xmlgraphics:batik | >=1.0<=1.9.1 | 1.10 |
| debian/batik | 1.10-2+deb10u1 1.10-2+deb10u3 1.12-4+deb11u2 1.12-4+deb11u1 1.16+dfsg-1+deb12u1 1.17+dfsg-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2018-8013
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
- http://www.openwall.com/lists/oss-security/2018/05/23/1
- https://issues.apache.org/jira/browse/BATIK-1222
- https://svn.apache.org/viewvc?view=revision&revision=1831241
- https://security-tracker.debian.org/tracker/CVE-2017-5662
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899374
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/104252
- http://www.securitytracker.com/id/1040995
- https://lists.apache.org/thread.html/r9e90b4d1cf6ea87a79bb506541140dfbf4801f4463a7cee08126ee44@%3Ccommits.xmlgraphics.apache.org%3E
- https://lists.apache.org/thread.html/rc0a31867796043fbe59113fb654fe8b13309fe04f8935acb8d0fab19@%3Ccommits.xmlgraphics.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/05/msg00016.html
- https://mail-archives.apache.org/mod_mbox/xmlgraphics-batik-dev/201805.mbox/%3c000701d3f28f$d01860a0$704921e0$@gmail.com%3e
- https://usn.ubuntu.com/3661-1/
- https://www.debian.org/security/2018/dsa-4215
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://xmlgraphics.apache.org/security.html
- https://mail-archives.apache.org/mod_mbox/xmlgraphics-batik-dev/201805.mbox/%3c000701d3f28f%24d01860a0%24704921e0%24%40gmail.com%3e
- https://lists.apache.org/thread.html/r9e90b4d1cf6ea87a79bb506541140dfbf4801f4463a7cee08126ee44%40%3Ccommits.xmlgraphics.apache.org%3E
- https://lists.apache.org/thread.html/rc0a31867796043fbe59113fb654fe8b13309fe04f8935acb8d0fab19%40%3Ccommits.xmlgraphics.apache.org%3E
- https://security.gentoo.org/glsa/202401-11
- https://launchpad.net/bugs/cve/CVE-2018-8013
- https://svn.apache.org/r1831241
- https://marc.info/?l=oss-security&m=152707788503264&w=2
- https://nvd.nist.gov/vuln/detail/CVE-2018-8013
- https://github.com/apache/xmlgraphics-batik/commit/f91125b26a6ca2b7a1195f1842360bed03629839
- https://ubuntu.com/security/CVE-2018-8013
- https://usn.ubuntu.com/3661-1
- https://github.com/advisories/GHSA-25gw-4pcc-45cf (Advisory)
- https://ubuntu.com/security/notices/USN-3661-1
- https://www.cve.org/CVERecord?id=CVE-2018-8013
- https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-dom/src/main/java/org/apache/batik/dom/AbstractDocument.java?r1=1831241&r2=1831240&pathrev=1831241
Frequently Asked Questions
What is CVE-2018-8013?
CVE-2018-8013 is a vulnerability in Apache Batik 1.x before 1.10 that allows for arbitrary code execution.
What is the severity of CVE-2018-8013?
CVE-2018-8013 has a severity rating of 9.8, which is considered critical.
How does CVE-2018-8013 affect Apache Batik?
CVE-2018-8013 affects versions of Apache Batik 1.x before 1.10.
How can I fix CVE-2018-8013?
To fix CVE-2018-8013, update Apache Batik to version 1.10 or later.
Where can I find more information about CVE-2018-8013?
You can find more information about CVE-2018-8013 on the Debian Security Tracker, MITRE CVE database, and Openwall mailing list.
- collector/debian-bugs
- alias/CVE-2018-8013
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/launchpad-cve
- source/Launchpad
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/severity
- agent/author
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- agent/event
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-25gw-4pcc-45cf
- agent/references
- agent/last-modified-date
- agent/tags
- collector/github-advisory
- collector/usn-cve
- source/Ubuntu
- vendor/apache
- canonical/apache batik
- version/apache batik/1.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- vendor/oracle
- canonical/oracle business intelligence
- version/oracle business intelligence/11.1.1.7.0
- version/oracle business intelligence/11.1.1.9.0
- version/oracle business intelligence/12.2.1.3.0
- version/oracle business intelligence/12.2.1.4.0
- canonical/oracle communications diameter signaling router
- canonical/oracle communications metasolv solution
- version/oracle communications metasolv solution/6.3.0
- canonical/oracle communications webrtc session controller
- canonical/oracle data integrator
- version/oracle data integrator/12.2.1.3.0
- canonical/oracle enterprise repository
- version/oracle enterprise repository/11.1.1.7.0
- version/oracle enterprise repository/12.1.3.0.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/7.3.3.0.0
- version/oracle financial services analytical applications infrastructure/7.3.3.0.2
- version/oracle financial services analytical applications infrastructure/8.0.0.0.0
- version/oracle financial services analytical applications infrastructure/8.0.7.1.0
- canonical/oracle fusion middleware mapviewer
- version/oracle fusion middleware mapviewer/12.2.1.2
- version/oracle fusion middleware mapviewer/12.2.1.3
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle insurance calculation engine
- version/oracle insurance calculation engine/10.1.1
- version/oracle insurance calculation engine/10.2.1
- canonical/oracle insurance policy administration j2ee
- version/oracle insurance policy administration j2ee/10.0
- version/oracle insurance policy administration j2ee/10.2
- canonical/oracle jd edwards enterpriseone tools
- version/oracle jd edwards enterpriseone tools/9.2
- canonical/oracle retail back office
- version/oracle retail back office/13.3
- version/oracle retail back office/13.4
- version/oracle retail back office/14
- version/oracle retail back office/14.1
- canonical/oracle retail central office
- version/oracle retail central office/14.1
- canonical/oracle retail integration bus
- version/oracle retail integration bus/17.0
- canonical/oracle retail order broker
- version/oracle retail order broker/5.1
- version/oracle retail order broker/5.2
- version/oracle retail order broker/15.0
- version/oracle retail order broker/16.0
- canonical/oracle retail point-of-service
- version/oracle retail point-of-service/13.4
- version/oracle retail point-of-service/14.0
- version/oracle retail point-of-service/14.1
- canonical/oracle retail returns management
- version/oracle retail returns management/14.1
- package-manager/debian
- package-manager/maven
- package-manager/ubuntu