Apache Batik is an open source Java library to render vector graphics. It supports SVG, XCF and PDF. Batik is used to create charts like line graph, pie chart, radar chart and so on. An attacker can exploit this vulnerability if user is running Apache XML Graphics on vulnerable version of Apache Batik. An attacker can leverage this server side request forgery to load other url in the user’s browser. An attacker can host his own malicious url and trick the user to visit that url. This may result in the execution of user’s malicious url. An attacker can leverage script in those malicious url to exploit this issue. It is highly recommended to apply patch as soon as possible on Apache XML Graphics servers.

How to find Apache XML Graphics version?

Apache XML Graphics version can be found in the logs.
1) Run cat /var/log/httpd/error_log|grep -i xml
2) You will get the following output:
[Fri Apr 21 10:24:19 2017] [notice] A temporary error occurred processing your request for https://localhost:8087/xml-schema-1.xsd
This is caused by a browser bug and occurs when the invalid date format is used. The input date string must be correct before Apache XML Graphics responds with a valid response message. This issue has been reported to Mozilla Bugzilla, and we are currently investigating it further.

References:

- CVE-2022-38398 https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38398
- Apache Batik security advisory http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00005.html

The importance of digital marketing is that it helps establish an authoritative online presence for your business and make sure your brand awareness is high so potential customers can find you easily. Another key benefit is that it makes it easier to target specific demographics such as African American men between the ages of 23 and 35 only, which allows companies to spend less money on clicks that don't result in sales and have a better conversion rate as a result of spending less money on clicks that do not convert into sales while still getting a good return on investment (ROI).

Vulnerability overview

An attacker can leverage this request forgery vulnerability to execute the user’s malicious url.

Vulnerability Overview

Apache Batik is a Java library used to render vector graphics. It supports SVG, XCF and PDF. An attacker can exploit this vulnerability if user is running Apache XML Graphics on vulnerable version of Apache Batik. An attacker can leverage this server side request forgery to load other url in the user’s browser. This may result in the execution of user’s malicious url.

Vulnerability discovery on Apache XML Graphics

CVE-2022-38398 is a vulnerability discovered on Apache XML Graphics. This vulnerability affects all the versions of Apache Batik from 1.8 to 1.10. This vulnerability allows an attacker to exploit the server side request forgery and load other url into the user’s browser without their consent. An attacker can leverage this issue in order to exploit another server and execute his malicious code on that targeted system.
This issue was announced by Tencent Security Team on 2019/08/11, who found this issue while testing their own product, Tencent QQ, with the same vector library which caused a denial of service (DoS) attack on their website. This issue was confirmed by several other security teams too and reported to Apache Foundation as well.

Timeline

Published on: 09/22/2022 15:15:00 UTC
Last modified on: 09/23/2022 18:55:00 UTC

References