Bug 1080248 (CVE-2014-0107, oCERT-2014-002)

Summary: CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: chazlett, grocha, mjc, pavelp, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20140324,reported=20140324,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-358,rhel-5/xalan-j2=affected,rhel-6/xalan-j2=affected,rhel-7/xalan-j2=notaffected,jbews-1/xalan-j2=affected,jboss/fuse-6.0=affected,jboss/fuse-esb-7.1=affected,jboss/amq-6.0=affected,jboss/fuse-mq-7.1=affected,bpms-6/xalan-j2=affected,brms-6/xalan-j2=affected,eap-5/xalan-j2=affected,eap-6/xalan-j2=affected,brms-5/xalan-j2=affected,epp-5/xalan-j2=affected,soap-5/xalan-j2=affected,fsw-6/xalan-j2=affected,jpp-6/xalan-j2=affected,rhev-m-3/jasperreports-server-pro=notaffected,rhn_satellite_5.4/xalan-j2=wontfix,rhn_satellite_5.5/xalan-j2=wontfix,eap-4/xalan-j2=wontfix,soap-4.3/xalan-j2=wontfix,jdg-6/xalan-j2=notaffected,jdv-6/xalan-j2=notaffected,jon-3/xalan-j2=notaffected
Fixed In Version: xalan-j2 2.7.2 Doc Type: Bug Fix
Doc Text:
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1081304, 1081305, 1081306, 1081307, 1081308, 1081309, 1081310, 1081311, 1081312, 1081313, 1081314, 1081315, 1081316, 1081317, 1081318, 1081319, 1081320, 1081321, 1081322, 1083425, 1124701, 1130978, 1139883    
Bug Blocks: 1059445, 1080337, 1082921, 1082938, 1085570, 1097460, 1110978, 1113315, 1114455, 1125720, 1127913, 1141957, 1145284, 1159080, 1244362    

Description David Jorm 2014-03-24 23:12:16 EDT
It was found that the Xalan-Java secure processing feature imposes insufficient constraints:

* Java properties, bound to XSLT 1.0 system-property(), are accessible.

* Output properties that allow to load arbitrary classes or resources are allowed.

* Arbitrary code can be executed if the Bean Scripting Framework (BSF) is in the classpath, as it allows to spawn available JARs with secure processing disabled, effectively bypassing the intended protection.

A remote attacker who is able to provide XSL that will be processed by Xalan-Java could use this flaw to bypass the constraints of the secure processing feature. Depending on the components available on the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Comment 5 errata-xmlrpc 2014-04-01 13:51:08 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:0348 https://rhn.redhat.com/errata/RHSA-2014-0348.html
Comment 6 Fedora Update System 2014-04-05 00:53:34 EDT
xalan-j2-2.7.1-22.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-04-05 00:55:57 EDT
xalan-j2-2.7.1-22.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2014-04-30 14:50:34 EDT
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.2

Via RHSA-2014:0454 https://rhn.redhat.com/errata/RHSA-2014-0454.html
Comment 9 errata-xmlrpc 2014-04-30 14:50:52 EDT
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0453 https://rhn.redhat.com/errata/RHSA-2014-0453.html
Comment 10 errata-xmlrpc 2014-06-02 10:04:39 EDT
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 4

Via RHSA-2014:0591 https://rhn.redhat.com/errata/RHSA-2014-0591.html
Comment 11 errata-xmlrpc 2014-06-02 10:05:18 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:0590 https://rhn.redhat.com/errata/RHSA-2014-0590.html
Comment 12 errata-xmlrpc 2014-06-30 16:52:05 EDT
This issue has been addressed in following products:

  JBoss BPM Suite 6.0.2

Via RHSA-2014:0819 https://rhn.redhat.com/errata/RHSA-2014-0819.html
Comment 13 errata-xmlrpc 2014-06-30 16:52:30 EDT
This issue has been addressed in following products:

  JBoss BRMS 6.0.2

Via RHSA-2014:0818 https://rhn.redhat.com/errata/RHSA-2014-0818.html
Comment 15 errata-xmlrpc 2014-08-05 10:10:43 EDT
This issue has been addressed in following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html
Comment 16 Martin Prpic 2014-08-07 07:15:47 EDT
IssueDescription:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Comment 17 errata-xmlrpc 2014-08-14 11:51:36 EDT
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html
Comment 18 errata-xmlrpc 2014-09-23 16:20:46 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html
Comment 19 errata-xmlrpc 2014-09-23 16:22:04 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html
Comment 21 errata-xmlrpc 2014-10-01 14:10:50 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
Comment 22 errata-xmlrpc 2014-10-09 12:07:59 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html
Comment 24 errata-xmlrpc 2014-12-15 15:36:39 EST
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html
Comment 28 errata-xmlrpc 2015-05-14 11:17:02 EDT
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Comment 29 errata-xmlrpc 2015-10-12 11:27:56 EDT
This issue has been addressed in the following products:



Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html