[CVE-2019-17566] Apache XML Graphics Batik SSRF vulnerability


Aditya Walvekar
Jun 19, 2020, 1:44:38 AM
to ESAPI Project Users
Hi,


Our application is using the latest ESAPI version (2.2.0.0).
Recently a Server Side Request Forgery vulnerability has been reported for Apache Batik <= 1.12.
Since ESAPI uses Apache Batik CSS version 1.11, the application is exposed to the vulnerability.
So I just wanted to know if there is any plan on the ESAPI side to upgrade the version of Apache Batik to 1.13, which can mitigate this vulnerability.

Vulnerability:


Thanks and Regards
Aditya

Kevin W. Wall
Jun 19, 2020, 2:11:29 AM
to Aditya Walvekar, ESAPI Project Users
Snyk has already created 3 or 4 PRs to address outdated third-party libraries. I just have to run our JUnit test suite to make sure nothing breaks.

In the meantime, rest assured that while we pull in versions directly from our pom.xml (because at the time, AntiSamy was not being updated and I was trying to work around some other Batik related CVEs), OWASP has no direct dependency on Batik. It is actually a transitive dependency of AntiSamy. So if you avoid the ESAPI classes / methods that do not use AntiSamy, you are not exposed to this CVE via ESAPI.

I hope to set some time this weekend to get the release notes into shape and get a release out by the end of the month.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.

--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/1ea679a6-ea1c-4eee-8523-ac5da3e4f7eco%40owasp.org.

Aditya Walvekar
Jun 19, 2020, 2:14:47 AM
to ESAPI Project Users, aditya....@gmail.com
Thanks a lot for the quick update Kevin!!


Kevin W. Wall
Jun 20, 2020, 9:38:16 PM
to Aditya Walvekar, ESAPI Project Users, Dave Wichers
Hmm. Bad news.

Looks like I get a conflict / compile-time error on Batik-CSS 1.13, as AntiSamy wants only 1.12. I have created a PR for AntiSamy (PR #46), so once that is merged and a new version pushed to Maven Central, I will be able to update to 1.13. We had already tried to exclude this to work around similar problems before, but now I am getting this error from 'maven-enforcer-plugin:3.0.0-M2:enforce' when I try to execute the 'mvn compile' goal:

Dependency convergence error for org.apache.xmlgraphics:batik-css:1.12 paths to dependency are:
+-org.owasp.esapi:esapi:2.2.1.0-SNAPSHOT
  +-org.owasp.antisamy:antisamy:1.5.9
    +-org.apache.xmlgraphics:batik-css:1.12
and
+-org.owasp.esapi:esapi:2.2.1.0-SNAPSHOT
  +-org.apache.xmlgraphics:batik-css:1.13

So the only way around this that I see is to get AntiSamy to update first.

-kevin


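The convergence failure quoted above is what maven-enforcer-plugin's dependencyConvergence rule reports when two paths in the dependency tree resolve the same artifact to different versions: here batik-css 1.12 through antisamy and 1.13 declared directly. The following pom.xml fragment is an added example, not code from the ESAPI or AntiSamy projects, showing how a consuming application can cut off the 1.12 path at the esapi dependency and declare 1.13 itself, so the rule sees a single version. Only the artifact versions named in the thread (esapi 2.2.0.0, batik-css 1.12 and 1.13, enforcer 3.0.0-M2) are taken from it; the project coordinates and the rest of the plugin configuration are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the ESAPI or AntiSamy pom): a consuming application's
     pom.xml that forces a single batik-css version so that the enforcer's
     dependencyConvergence rule passes. Project coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- assumed -->
  <artifactId>esapi-consumer</artifactId> <!-- assumed -->
  <version>1.0-SNAPSHOT</version>         <!-- assumed -->

  <dependencies>
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.2.0.0</version>
      <exclusions>
        <!-- A Maven exclusion applies to the whole subtree under this
             dependency, so this removes both ESAPI's own direct batik-css
             entry and the transitive batik-css 1.12 pulled in via antisamy. -->
        <exclusion>
          <groupId>org.apache.xmlgraphics</groupId>
          <artifactId>batik-css</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Re-add batik-css at the version that addresses CVE-2019-17566, so the
         only path to it in the tree is this one. -->
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>batik-css</artifactId>
      <version>1.13</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Same enforcer rule that produced the error in the thread; with the
           exclusion above it now finds one version of batik-css and passes. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M2</version>
        <executions>
          <execution>
            <id>enforce-convergence</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree -Dincludes=org.apache.xmlgraphics` afterwards should list batik-css exactly once, at 1.13. Two caveats follow from Kevin's message: AntiSamy 1.5.9 was built against batik-css 1.12, so an application overriding the version this way needs its own test coverage of the AntiSamy-backed validation paths before it ships, and the exposure only exists at all through the ESAPI code paths that go through AntiSamy, so an application that never reaches them gains nothing from the override beyond a cleaner scan report.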

Aditya Walvekar
Jun 20, 2020, 10:53:40 PM
to Kevin W. Wall, ESAPI Project Users, Dave Wichers
Oh... Alright!!
Thanks for the update Kevin!! 