XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - batik: XML external entity processing vulnerability (CVE-2017-5662)

  - batik: information disclosure when deserializing (CVE-2018-8013)

  - XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache     Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a     crafted SVG file. (CVE-2015-0250)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - batik: XML external entity processing vulnerability (CVE-2017-5662)

  - batik: information disclosure when deserializing (CVE-2018-8013)

  - XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache     Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a     crafted SVG file. (CVE-2015-0250)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote host appears to be running IBM WebSphere Application Server 8.5 prior to 8.5.5.6.  Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as deployment descriptor security constraints are combined with ServletSecurity annotations on a servlet. This may allow a remote attacker to gain elevated privileges. (CVE-2014-8890)
 - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists in the IBM Global Security Kit (GSKit) due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits.  A man-in-the-middle (MitM) attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0138)
 - An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J.  A remote attacker can exploit this, via a crafted message, to determine where an encryption failure took place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226)
 - An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source.  A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250)
 - A privilege escalation vulnerability exists due to a flaw that occurs in 'full' profile and 'liberty' profile when using an OAuth grant password.  A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1885)
 - A privilege escalation vulnerability exists due to incorrect settings in the 'serveServletsbyClassname' functionality.  A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1927)
 - An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to identify the proxy server software by reading the HTTP 'Via' header. (CVE-2015-1932)
 - An unspecified flaw exists in the administrative console that allows a remote attacker, via the 'JSESSIONID' parameter, to hijack a user's session. (CVE-2015-1936)
 - A privilege escalation vulnerability exists due to an unspecified flaw that occurs when handling user roles.  A local attacker can exploit this to gain elevated privileges. (CVE-2015-1946)
 - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase.  A MitM attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
 - An unspecified flaw exists that allows an unauthenticated, remote attacker to spoof servlets or disclose sensitive information. (CVE-2015-4938)

The remote host appears to be running IBM WebSphere Application Server 8.0 prior to 8.0.0.11.  Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as deployment descriptor security constraints are combined with ServletSecurity annotations on a servlet. This may allow a remote attacker to gain elevated privileges. (CVE-2014-8890)
 - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists in the IBM Global Security Kit (GSKit) due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits.  A man-in-the-middle (MitM) attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0138)
 - An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J.  A remote attacker can exploit this, via a crafted message, to determine where an encryption failure took place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226)
 - An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source.  A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250)
 - A privilege escalation vulnerability exists due to a flaw that occurs in 'full' profile and 'liberty' profile when using an OAuth grant password.  A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1885)
 - A privilege escalation vulnerability exists due to incorrect settings in the 'serveServletsbyClassname' functionality.  A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1927)
 - An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to identify the proxy server software by reading the HTTP 'Via' header. (CVE-2015-1932)
 - An unspecified flaw exists in the administrative console that allows a remote attacker, via the 'JSESSIONID' parameter, to hijack a user's session. (CVE-2015-1936)
 - A privilege escalation vulnerability exists due to an unspecified flaw that occurs when handling user roles.  A local attacker can exploit this to gain elevated privileges. (CVE-2015-1946)
 - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase.  A MitM attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
 - An unspecified flaw exists that allows an unauthenticated, remote attacker to spoof servlets or disclose sensitive information. (CVE-2015-4938)

The remote host appears to be running IBM WebSphere Application Server 7.0 prior to 7.0.0.39. Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as deployment descriptor security constraints are combined with 'ServletSecurity' annotations on a servlet. This may allow a remote attacker to gain elevated privileges. (CVE-2014-8890)
 - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists in the IBM Global Security Kit (GSKit) due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits.  A man-in-the-middle (MitM) attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0138)
 - An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J.  A remote attacker can exploit this, via a crafted message, to determine where an encryption failure took place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226)
 - An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source.  A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250)
 - A privilege escalation vulnerability exists due to a flaw that occurs in 'full' profile and 'liberty' profile when using an OAuth grant password.  A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1885)
 - A privilege escalation vulnerability exists due to incorrect settings in the 'serveServletsbyClassname' functionality.  A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1927)
 - An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to identify the proxy server software by reading the HTTP 'Via' header. (CVE-2015-1932)
 - An unspecified flaw exists in the administrative console that allows a remote attacker, via the 'JSESSIONID' parameter, to hijack a user's session. (CVE-2015-1936)
 - A privilege escalation vulnerability exists due to an unspecified flaw that occurs when handling user roles.  A local attacker can exploit this to gain elevated privileges. (CVE-2015-1946)
 - A flaw exists that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses.  This allows a remote attacker to inject additional headers into responses to conduct HTTP response splitting attacks. (CVE-2015-2017)
 - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase.  A MitM attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)
 - An unspecified flaw exists that allows an unauthenticated, remote attacker to spoof servlets or disclose sensitive information. (CVE-2015-4938)
 - An unspecified exists flaw in the 'Management' port. This may allow a remote attacker to execute arbitrary code. No further details have been provided by the vendor. (CVE-2015-1920)

The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.6. It is, therefore, potentially affected by multiple vulnerabilities :

  - A security feature bypass vulnerability, known as FREAK     (Factoring attack on RSA-EXPORT Keys), exists in the IBM     Global Security Kit (GSKit) due to the support of weak     EXPORT_RSA cipher suites with keys less than or equal to     512 bits. A man-in-the-middle attacker may be able to     downgrade the SSL/TLS connection to use EXPORT_RSA     cipher suites which can be factored in a short amount of     time, allowing the attacker to intercept and decrypt the     traffic. (CVE-2015-0138)

  - An information disclosure vulnerability exists due to a     flaw in the Bleichenbacher countermeasure implementation     in Apache WSS4J. A remote attacker can exploit this, via     a crafted message, to determine where an encryption     failure to place, allowing the attacker to gain access     to the plaintext symmetric key. (CVE-2015-0226)

  - An XML External Entity (XXE) vulnerability exists due to     an incorrectly configured XML parser that accepts XML     external entities from an untrusted source. A remote     attacker can exploit this, via specially crafted XML     data, to gain access to arbitrary files. (CVE-2015-0250)

  - A privilege escalation vulnerability exists due to a     flaw that occurs in 'full' profile and 'liberty' profile     when using an OAuth grant password. A remote attacker     can exploit this to gain elevated privileges.
    (CVE-2015-1885)

  - A privilege escalation vulnerability exists due to     incorrect settings in the serveServletsbyClassname     functionality. A remote attacker can exploit this to     gain elevated privileges. (CVE-2015-1927)

  - An information disclosure vulnerability exists that     allows an unauthenticated, remote attacker to identify     the proxy server software by reading the HTTP 'Via'     header. (CVE-2015-1932)

  - An unspecified flaw exists in the administrative console     that allows a remote attacker, via the 'JSESSIONID'     parameter, to hijack a user's session. (CVE-2015-1936)

  - A privilege escalation vulnerability exists due to an     unspecified flaw that occurs when handling user roles.
    A local attacker can exploit this to gain elevated     privileges. (CVE-2015-1946)   
  - A security feature bypass vulnerability exists, known as     Bar Mitzvah, due to improper combination of state data     with key data by the RC4 cipher algorithm during the     initialization phase. A man-in-the-middle attacker can     exploit this, via a brute-force attack using LSB values,     to decrypt the traffic. (CVE-2015-2808)

  - An unspecified flaw exists that allows an     unauthenticated, remote attacker to spoof servlets or     disclose sensitive information. (CVE-2015-4938)

Updated batik packages fix security vulnerability :

Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption (CVE-2015-0250).

Nicolas Gregoire and Kevin Schaller discovered that Batik, a toolkit for processing SVG images, would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption.

Nicolas Gregoire and Kevin Schaller discovered that Batik, a toolkit for processing SVG images, would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-2548-1 advisory.

    Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If     a user or automated system were tricked into opening a specially crafted SVG file, an attacker could     possibly obtain access to arbitrary files or cause resource consumption.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
199109	RHEL 7 : batik (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199095	RHEL 6 : batik (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
9716	IBM WebSphere Application Server 8.5 < 8.5.5.6 Multiple Vulnerabilities (FREAK)	Nessus Network Monitor	Web Servers	high
9713	IBM WebSphere Application Server 8.0 < 8.0.0.11 Multiple Vulnerabilities (FREAK)	Nessus Network Monitor	Web Servers	high
9700	IBM WebSphere Application Server 7.0 < 7.0.0.39 Multiple Vulnerabilities (FREAK)	Nessus Network Monitor	Web Servers	high
84639	IBM WebSphere Application Server 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.6 (FP6) Multiple Vulnerabilities (Bar Mitzvah) (FREAK)	Nessus	Web Servers	high
82738	Mandriva Linux Security Advisory : batik (MDVSA-2015:203)	Nessus	Mandriva Local Security Checks	medium
82302	Debian DSA-3205-1 : batik - security update	Nessus	Debian Local Security Checks	medium
82299	Debian DLA-182-1 : batik security update	Nessus	Debian Local Security Checks	medium
82267	Ubuntu 14.04 LTS : Batik vulnerability (USN-2548-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2015-0250

medium

Tenable Plugins

critical

critical

high

high

high

high

medium

medium

medium

medium