Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP. This issue affects Apache XML Graphics FOP: 2.9. Users are recommended to upgrade to version 2.10, which fixes the issue.

The version of Oracle Business Process Management Suite installed on the remote host is affected by multiple vulnerabilities, as referenced in the April 2025 CPU advisory, as follows:

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Composer, Common (Apache Commons Compress)). The supported version that is affected     is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the     infrastructure where Oracle Business Process Management Suite executes to compromise Oracle Business     Process Management Suite. Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang     or frequently repeatable crash (complete DOS) of Oracle Business Process Management Suite. (CVE-2024-25710)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Plugins (Apache FOP)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle Business Process Management Suite accessible     data. (CVE-2024-28168)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component:
    Composer, Third Party (Apache Avro)). The supported version that is affected is 12.2.1.4.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Business Process Management Suite accessible data as     well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data     and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Process     Management Suite. (CVE-2024-47561)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Runtime Engine (Apache Mina)). Supported versions that are affected are 12.2.1.4.0 and     14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability     can result in takeover of Oracle Business Process Management Suite. (CVE-2024-52046)


Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.
    This issue affects Apache XML Graphics FOP: 2.9. Users are recommended to upgrade to version 2.10, which     fixes the issue. (CVE-2024-28168)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4054-1 advisory.

    xmlgraphics-fop was updated from version 2.8 to 2.10:

    - Security issues fixed:

      * CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428)

    - Upstream changes and bugs fixed:

      * Version 2.10:

        + footnote-body ignores rl-tb writing mode         + SVG tspan content is displayed out of place         + Added new schema to handle pdf/a and pdfa/ua         + Correct fop version at runtime         + NoSuchElementException when using font with no family name         + Resolve classpath for binary distribution         + Switch to spotbugs         + Set an automatic module name         + Rename packages to avoid conflicts with modules         + Resize table only for multicolumn page         + Missing jars in servlet         + Optimise performance of PNG with alpha using raw loader         + basic-link not navigating to corresponding footnote         + Added option to sign PDF         + Added secure processing for XSL input         + Allow sections which need security permissions to be run when AllPermission denied in caller code         + Remove unused PDFStructElem         + Remove space generated by fo:wrapper         + Reset content length for table changing ipd         + Added alt text to PDF signature         + Allow change of resource level for SVG in AFP         + Exclude shape not in clipping path for AFP         + Only support 1 column for redo of layout without page pos only         + Switch to Jakarta servlet API         + NPE when list item is split alongside an ipd change         + Added mandatory MODCA triplet to AFP         + Redo layout for multipage columns         + Added image mask option for AFP         + Skip written block ipds inside float         + Allow curly braces for src url         + Missing content for last page with change ipd         + Added warning when different pdf languages are used         + Only restart line manager when there is a linebreak for blocklayout

      * Version 2.9:

        + Values in PDF Number Trees must be indirect references         + Do not delete files on syntax errors using command line         + Surrogate pair edge-case causes Exception         + Reset character spacing         + SVG text containing certain glyphs isn't rendered         + Remove duplicate classes from maven classpath         + Allow use of page position only on redo of layout         + Failure to render multi-block itemBody alongside float         + Update to PDFBox 2.0.27         + NPE if link destination is missing with accessibility         + Make property cache thread safe         + Font size was rounded to 0 for AFP TTF         + Cannot process a SVG using mvn jars         + Remove serializer jar         + Allow creating a PDF 2.0 document         + Text missing after page break inside table inline         + IllegalArgumentException for list in a table         + Table width may be too wide when layout width changes         + NPE when using broken link and PDF 1.5         + Allow XMP at PDF page level         + Symbol font was not being mapped to unicode         + Correct font differences table for Chrome         + Link against Java 8 API         + Added support for font-selection-strategy=character-by-character         + Merge form fields in external PDFs         + Fixed test for Java 11

    xmlgraphics-batik was updated from version 1.17 to 1.18:

    - PNG transcoder references nonexistent class
    - Set offset to 0 if missing in stop tag
    - Validate throws NPE
    - Fixed missing arabic characters
    - Animated rotate tranform ignores y-origin at exactly 270 degrees
    - Set an automatic module name
    - Ignore inkscape properties
    - Switch to spotbugs
    - Allow source and target resolution configuration

    xmlgraphics-commons was updated from version 2.8 to 2.10:

    - Fixed test for Java 11
    - Allow XMP at PDF page level
    - Allow source resolution configuration
    - Added new schema to handle pdf/a and pdfa/ua
    - Set an automatic module name
    - Switch to spotbugs
    - Do not use a singleton for ImageImplRegistry

    javapackages-tools was updated from version 6.3.0 to 6.3.4:

    - Version 6.3.4:

      * A corner case when which is not present
      * Remove dependency on which
      * Simplify after the which -> type -p change
      * jpackage_script: Remove pointless assignment when %java_home is unset
      * Don't export JAVA_HOME (bsc#1231347)

    - Version 6.3.2:

      * Search for JAVACMD under JAVA_HOME only if it's set
      * Obsolete set_jvm and set_jvm_dirs functions
      * Drop unneeded _set_java_home function
      * Remove JAVA_HOME check from check_java_env function
      * Bump codecov/codecov-action from 2.0.2 to 4.6.0
      * Bump actions/setup-python from 4 to 5
      * Bump actions/checkout from 2 to 4
      * Added custom dependabot config
      * Remove the test for JAVA_HOME and error if it is not set
      * java-functions: Remove unneeded local variables
      * Fixed build status shield

    - Version 6.3.1:

      * Allow missing components with abs2rel
      * Fixed tests with python 3.4
      * Sync spec file from Fedora
      * Drop default JRE/JDK
      * Fixed the use of java-functions in scripts
      * Test that we don't bomb on <relativePath/>
      * Test variable expansion in artifactId
      * Interpolate properties also in the current artifact
      * Rewrite abs2rel in shell
      * Use asciidoctor instead of asciidoc
      * Fixed incompatibility with RPM 4.20
      * Reproducible exclusions order in maven metadata
      * Do not bomb on <relativePath/> construct
      * Make maven_depmap order of aliases reproducible

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
234503	Oracle Business Process Management Suite (April 2025 CPU)	Nessus	Misc.	critical
227944	Linux Distros Unpatched Vulnerability : CVE-2024-28168	Nessus	Misc.	high
212526	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop (SUSE-SU-2024:4054-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2024-28168

medium

Tenable Plugins

critical

high

high