An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

References:
- https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/03/10/1
Created eclipse tracking bugs for this issue:
Affects: fedora-all [bug 1937442]

Created velocity tracking bugs for this issue:
Affects: fedora-all [bug 1937441]
Thanks to @jpadman for helping, looks like there's a range of commits from July/August which we believe to be the fixes:
- https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
- https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d706d3075876dde4
- https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35dcef7de3aae3e
Statement: OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component, which is an enterprise-only feature of Elasticsearch; hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally, the hive container only references velocity in the testutils of the code, but the code still exists in the container; as such it has been given a Moderate impact.

* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.
* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.
* Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.
Marking Red Hat JBoss A-MQ 6 as having a low impact: although the vulnerable artifact(s) are distributed with the product, they are not used.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact. This is because the components using the affected versions of velocity, namely camel-velocity, do not allow, by default, use of templates derived from unprivileged mutable/dynamic sources, i.e. they do not allow generation or modification of templates from a source an attacker may control, which is a prerequisite of this attack. Customers using camel velocity with `allowTemplateFromHeader` or `allowContextMapAll` set to true are strongly advised to either disable the dynamic template functionality or ensure the templates are from a source that is not derived from unprivileged user input.
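Added example (not code from the bug report or the Camel project) showing the weak and the hardened Camel route configuration for the two options named in the comment above. It assumes a Camel 3.x RouteBuilder where both options default to false, and assumes the velocity component's header names follow the CamelVelocity* pattern (CamelVelocityTemplate, CamelVelocityResourceUri).

```java
// Added example, not part of the bug report or the Camel project.
// Assumptions: Camel 3.x velocity component with allowTemplateFromHeader and
// allowContextMapAll defaulting to false, and CamelVelocity* as the prefix of the
// component's template/resource headers (verify against your Camel version).
import org.apache.camel.builder.RouteBuilder;

public class VelocityRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // Weak configuration: the template body and the template resource URI may be
        // supplied in message headers, so whoever can send to this endpoint controls
        // the template, which is the prerequisite for CVE-2020-13936 stated above.
        // Also exposes the whole context map to the template.
        from("direct:renderUntrustedTemplate")
            .to("velocity:templates/report.vm"
                + "?allowTemplateFromHeader=true&allowContextMapAll=true");

        // Hardened configuration: leave both options at their default (false) so only
        // the classpath template templates/report.vm is ever rendered, and as defence
        // in depth strip any CamelVelocity* headers that arrived from an untrusted
        // producer before the message reaches the component.
        from("direct:renderReport")
            .removeHeaders("CamelVelocity*")
            .to("velocity:templates/report.vm");
    }
}
```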
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:2051 https://access.redhat.com/errata/RHSA-2021:2051
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:2047 https://access.redhat.com/errata/RHSA-2021:2047
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:2046 https://access.redhat.com/errata/RHSA-2021:2046
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:2048 https://access.redhat.com/errata/RHSA-2021:2048
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13936
This issue has been addressed in the following products: Red Hat EAP-XP via EAP 7.3.x base Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210
This issue has been addressed in the following products: Red Hat EAP-XP 2.0.0 via EAP 7.3.x base Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658
This issue has been addressed in the following products: EAP 7.4.1 release Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2025:1746 https://access.redhat.com/errata/RHSA-2025:1746
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Via RHSA-2025:1747 https://access.redhat.com/errata/RHSA-2025:1747