First published: Wed May 23 2018
In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class reads a string from the input stream, treats it as a class name, and invokes the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.
Credit: security@apache.org
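The pattern described above, as an added illustration that is not Batik's own code: a custom `readObject` that reads a class name from the stream and validates it against the expected type before instantiating it. `Document`, `DomImplementation` and `DefaultImplementation` are hypothetical stand-ins for the Batik types, and the choice of class loader is an assumption.

```java
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical stand-ins for the Batik types; not Batik's own code.
interface DomImplementation { }
final class DefaultImplementation implements DomImplementation {
    public DefaultImplementation() { }
}

public class Document implements Serializable {
    private static final long serialVersionUID = 1L;
    private transient DomImplementation implementation = new DefaultImplementation();

    // Before Batik 1.10 the class name read from the stream went straight to
    // Class.forName(...).newInstance(): any class on the classpath with a no-arg
    // constructor could be instantiated, and its constructor had already run by
    // the time any cast could fail. The fix validates the type first.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        String className = in.readUTF();
        implementation = newImplementation(className);
    }

    static DomImplementation newImplementation(String className)
            throws IOException, ClassNotFoundException {
        // initialize=false: resolve the class without running its static initializer
        Class<?> cls = Class.forName(className, false, Document.class.getClassLoader());
        if (!DomImplementation.class.isAssignableFrom(cls)) {
            throw new InvalidClassException(className,
                    "not a DomImplementation; refusing to instantiate");
        }
        try {
            return (DomImplementation) cls.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new InvalidClassException(className, "cannot instantiate: " + e);
        }
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeUTF(implementation.getClass().getName());
    }
}
```

On Java 9+ (and 8u121+) an `ObjectInputFilter` installed with `ObjectInputStream.setObjectInputFilter` adds a second, stream-wide layer of class allow-listing on top of this per-field check.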
Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/batik | <1.10-1 | 1.10-1 |
ubuntu/batik | <1.7.ubuntu-8ubuntu2.14.04.3 | 1.7.ubuntu-8ubuntu2.14.04.3 |
Apache Batik | >=1.0<1.10 | |
Debian Debian Linux | =7.0 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =14.04 | |
Oracle Business Intelligence | =11.1.1.7.0 | |
Oracle Business Intelligence | =11.1.1.9.0 | |
Oracle Business Intelligence | =12.2.1.3.0 | |
Oracle Business Intelligence | =12.2.1.4.0 | |
Oracle Communications Diameter Signaling Router | <8.3 | |
Oracle Communications Metasolv Solution | =6.3.0 | |
Oracle Communications WebRTC Session Controller | <7.2 | |
Oracle Data Integrator | =12.2.1.3.0 | |
Oracle Enterprise Repository | =11.1.1.7.0 | |
Oracle Enterprise Repository | =12.1.3.0.0 | |
Oracle Financial Services Analytical Applications Infrastructure | >=7.3.3.0.0<=7.3.3.0.2 | |
Oracle Financial Services Analytical Applications Infrastructure | >=8.0.0.0.0<=8.0.7.1.0 | |
Oracle Fusion Middleware MapViewer | =12.2.1.2 | |
Oracle Fusion Middleware MapViewer | =12.2.1.3 | |
Oracle Instantis Enterprisetrack | =17.1 | |
Oracle Instantis Enterprisetrack | =17.2 | |
Oracle Instantis Enterprisetrack | =17.3 | |
Oracle Insurance Calculation Engine | =10.1.1 | |
Oracle Insurance Calculation Engine | =10.2.1 | |
Oracle Insurance Policy Administration J2EE | =10.0 | |
Oracle Insurance Policy Administration J2EE | =10.2 | |
Oracle Jd Edwards Enterpriseone Tools | =9.2 | |
Oracle Retail Back Office | =13.3 | |
Oracle Retail Back Office | =13.4 | |
Oracle Retail Back Office | =14 | |
Oracle Retail Back Office | =14.1 | |
Oracle Retail Central Office | =14.1 | |
Oracle Retail Integration Bus | =17.0 | |
Oracle Retail Order Broker | =5.1 | |
Oracle Retail Order Broker | =5.2 | |
Oracle Retail Order Broker | =15.0 | |
Oracle Retail Order Broker | =16.0 | |
Oracle Retail Point-of-Service | =13.4 | |
Oracle Retail Point-of-Service | =14.0 | |
Oracle Retail Point-of-Service | =14.1 | |
Oracle Retail Returns Management | =14.1 | |
maven/org.apache.xmlgraphics:batik | >=1.0<=1.9.1 | 1.10 |
debian/batik | | 1.10-2+deb10u1, 1.10-2+deb10u3, 1.12-4+deb11u2, 1.12-4+deb11u1, 1.16+dfsg-1+deb12u1, 1.17+dfsg-1 |
CVE-2018-8013 is a vulnerability in Apache Batik 1.x before 1.10 that allows for arbitrary code execution.
CVE-2018-8013 has a severity rating of 9.8, which is considered critical.
CVE-2018-8013 affects versions of Apache Batik 1.x before 1.10.
To fix CVE-2018-8013, update Apache Batik to version 1.10 or later.
You can find more information about CVE-2018-8013 on the Debian Security Tracker, MITRE CVE database, and Openwall mailing list.