
=====================================================================

                               CERT-Renater

                   Information Note No. 2022/VULN348

_____________________________________________________________________

DATE                : 23/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Batik 1.x versions prior
                                       to 1.15.

=====================================================================
https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx
https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx
https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b
_____________________________________________________________________

[CVE-2022-40146] Apache Batik information disclosure vulnerability
Posted to general@xmlgraphics.apache.org

Simon Steiner - Thursday 22 September 2022 14:53:09 UTC+2

CVE-2022-40146:
Apache Batik information disclosure vulnerability

Severity:
Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Batik 1.0 - 1.14

Description:
Jar url should be blocked by DefaultScriptSecurity

Mitigation:
Users should upgrade to Batik 1.15+

Credit:
This issue was independently reported by Piotr Bazydlo (@chudypb) of
Trend Micro Zero Day Initiative

References:
http://xmlgraphics.apache.org/security.html
https://issues.apache.org/jira/browse/BATIK-1335

The Apache XML Graphics team.

_____________________________________________________________________

[CVE-2022-38398] Apache Batik information disclosure vulnerability
Posted to general@xmlgraphics.apache.org

Simon Steiner - Thursday 22 September 2022 14:51:04 UTC+2

CVE-2022-38398:
Apache Batik information disclosure vulnerability

Severity:
Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Batik 1.0 - 1.14

Description:
DefaultExternalResourceSecurity should block URLs loaded through the
jar protocol

Mitigation:
Users should upgrade to Batik 1.15+

Credit:
This issue was independently reported by Piotr Bazydlo (@chudypb) of
Trend Micro Zero Day Initiative

References:
http://xmlgraphics.apache.org/security.html
https://issues.apache.org/jira/browse/BATIK-1331

The Apache XML Graphics team.

_____________________________________________________________________

[CVE-2022-38648] Apache Batik information disclosure vulnerability
Posted to general@xmlgraphics.apache.org

Simon Steiner - Thursday 22 September 2022 14:55:12 UTC+2

CVE-2022-38648:
Apache Batik information disclosure vulnerability

Severity:
Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Batik 1.0 - 1.14

Description:
Block external resource before calling fop

Mitigation:
Users should upgrade to Batik 1.15+

Credit:
This issue was independently reported by Adam Rauch

References:
http://xmlgraphics.apache.org/security.html
https://issues.apache.org/jira/browse/BATIK-1333

The Apache XML Graphics team.
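The three advisories above describe the same class of defect: Batik's policy objects (DefaultScriptSecurity, DefaultExternalResourceSecurity) let a script or external resource be fetched over the jar: protocol, so a crafted SVG can reference content inside archives on the server. The fix is in Batik 1.15. As an added illustration, not code from the Apache advisories or from the Batik project, the class below shows how an application that embeds Batik can enforce a protocol allowlist at its own layer while the upgrade is scheduled. It overrides the two policy factory methods of Batik's public UserAgentAdapter and rejects any script or resource URL whose protocol is not on the list before delegating to the library's default policy. The class name HardenedUserAgent, the allowlist contents and the sample URLs in main are assumptions chosen for this example; the Batik types and method signatures it uses are the library's public API.

```java
import org.apache.batik.bridge.DefaultExternalResourceSecurity;
import org.apache.batik.bridge.DefaultScriptSecurity;
import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.ScriptSecurity;
import org.apache.batik.bridge.UserAgentAdapter;
import org.apache.batik.util.ParsedURL;

import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Hypothetical UserAgent (example, not Batik code) that applies a protocol
 * allowlist to scripts and external resources before Batik's own
 * DefaultScriptSecurity / DefaultExternalResourceSecurity checks run.
 * Anything not on the list, including jar:, is refused with a SecurityException.
 */
public class HardenedUserAgent extends UserAgentAdapter {

    // Constructed allowlist for this example; keep it as small as the
    // application really needs (for example drop "http"/"https" for offline use).
    private static final List<String> ALLOWED =
            Arrays.asList("file", "http", "https", "data");

    /** Throws SecurityException if the URL's protocol is not allowlisted. */
    static void checkProtocol(ParsedURL url, String kind) {
        if (url == null) {
            return;  // inline content (e.g. an embedded <script>) carries no URL
        }
        String protocol = url.getProtocol();
        if (protocol == null || !ALLOWED.contains(protocol.toLowerCase(Locale.ROOT))) {
            throw new SecurityException("Blocked " + kind + " with protocol '"
                    + protocol + "': " + url);
        }
    }

    @Override
    public ScriptSecurity getScriptSecurity(String scriptType,
                                            ParsedURL scriptURL,
                                            ParsedURL docURL) {
        // Batik's default policy still runs after the allowlist check.
        ScriptSecurity base = new DefaultScriptSecurity(scriptType, scriptURL, docURL);
        return () -> {
            checkProtocol(scriptURL, "script");
            base.checkLoadScript();
        };
    }

    @Override
    public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL,
                                                                ParsedURL docURL) {
        ExternalResourceSecurity base =
                new DefaultExternalResourceSecurity(resourceURL, docURL);
        return () -> {
            checkProtocol(resourceURL, "external resource");
            base.checkLoadExternalResource();
        };
    }

    /** Stand-alone demonstration with constructed URLs. */
    public static void main(String[] args) {
        ParsedURL doc = new ParsedURL("file:///srv/svg/input.svg");   // constructed
        HardenedUserAgent ua = new HardenedUserAgent();

        // A same-directory image reference passes the allowlist.
        ua.getExternalResourceSecurity(new ParsedURL("file:///srv/svg/logo.png"), doc)
          .checkLoadExternalResource();
        System.out.println("file: resource allowed");

        // A jar: reference is refused before any fetch happens.
        try {
            ua.getExternalResourceSecurity(
                    new ParsedURL("jar:file:///srv/app/lib/app.jar!/config.xml"), doc)
              .checkLoadExternalResource();
            System.out.println("unexpected: jar: resource allowed");
        } catch (SecurityException e) {
            System.out.println("jar: resource blocked: " + e.getMessage());
        }
    }
}
```

Wire the user agent into whatever builds the document (for example the UserAgent passed to BridgeContext or returned by a transcoder's createUserAgent() override) so that every script and resource load goes through it. This is defense in depth for CVE-2022-40146 and CVE-2022-38398 only: for CVE-2022-38648 the advisory places the fix inside Batik, before FOP is called, which an application-level UserAgent override may not reach, so upgrading to 1.15 remains the required mitigation.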


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

