Bug 1198606 (CVE-2015-0254)

Summary: CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Ondřej Lysoněk <olysonek>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, ahenning, aileenc, alazarot, asantos, bbaranow, bkearney, bmaxwell, brms-jira, cdewolf, chuffman, cperry, csutherl, dandread, darran.lofthouse, dosoudil, etirelli, fnasser, gvarsami, huwang, jason.greene, java-maint, jawilson, jboss-set, jbpapp-maint, jclere, jcoleman, jdoyle, jshepherd, kconner, ldimaggi, lgao, lpetrovi, mbaluch, meissner, miburman, mizdebsk, msrb, mwinkler, myarboro, nwallace, ohudlick, olysonek, osoukup, pgier, psakar, pskopek, pslavice, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, sguilhen, soa-p-jira, spinder, tcunning, theute, thomas, tkirby, twalsh, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
See Also: https://issues.redhat.com/browse/JBEAP-3914
https://issues.redhat.com/browse/JBEAP-5358
Whiteboard:
Fixed In Version: jakarta-taglibs-standard 1.2.3 Doc Type: Bug Fix
Doc Text:
It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allowing arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:39:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1198607, 1241794, 1241795, 1241796, 1241797, 1241798, 1241799, 1241800, 1241803, 1241804, 1241805, 1304994, 1323354    
Bug Blocks: 1197807, 1312318, 1320747, 1340536, 2014197    

Description Martin Prpič 2015-03-04 13:47:28 UTC 
The following flaw was found in Apache Standard Taglibs:

When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.

Upstream announcement:

https://mail-archives.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
Comment 1 Martin Prpič 2015-03-04 13:48:30 UTC 
Created jakarta-taglibs-standard tracking bugs for this issue:

Affects: fedora-all [bug 1198607]
Comment 2 Jason Shepherd 2015-07-09 03:48:26 UTC 
Advise from upstream annoucement by David Jorm:

Mitigation:

Users should upgrade to Apache Standard Taglibs 1.2.3 or later.

This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:

Java8:
External entity access is automatically disabled if a SecurityManager is active.

Java7:
JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html

Java6 and earlier:
A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to "all" if no SecurityManager is present and to "" (thereby disabling access) if a SecurityManager is detected.
Comment 3 Jason Shepherd 2015-07-10 06:46:34 UTC 
JBoss Web Server 1.0.2 is now End of Life
Comment 6 Jason Shepherd 2015-07-10 07:03:19 UTC 
I can see that upstream spacewalk does not utilize XML Java Standard Taglibs. (JSTL). 

While I filed tracking bugs for several versions of Satellite, feel free to close them if the version of Satellite does not use XML JSTL
Comment 7 Mikolaj Izdebski 2015-07-10 08:34:20 UTC 
Is there particular upstream commit fixing this flaw? I can't find anything obvious in upstream svn.
Comment 9 Jason Shepherd 2015-07-14 02:57:01 UTC 
Mikolaj, I'm not sure of the exact commits. I can probably chase this up if it's required.

This was fixed in Fedora by migrating to the 1.2.3 branch. See https://bugzilla.redhat.com/show_bug.cgi?id=1198607
Comment 10 Mikolaj Izdebski 2015-07-20 12:16:02 UTC 
(In reply to Jason Shepherd from comment #9)
> Mikolaj, I'm not sure of the exact commits. I can probably chase this up if
> it's required.

Please do. I'm unable to find the exact fix myself. Could you also provide some reproducer?
Comment 15 Jason Shepherd 2015-07-21 23:27:30 UTC 
We won't fix this issue for RHEL 5, or Satellite 5.x. Satellite doesn't use the XML JSTL features, and RHEL 5 is in maintenance phase 3, so it only receives critical security patches.
Comment 24 Jason Shepherd 2015-08-20 22:02:04 UTC 
Hi Tim,

See task bug 1197807, Comment #9. JSTL is not included in EWS. It's part of the JEE spec which EWS doesn't implement.

Cheers,
Jason
Comment 34 errata-xmlrpc 2015-08-31 09:05:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:1695 https://rhn.redhat.com/errata/RHSA-2015-1695.html
Comment 41 errata-xmlrpc 2016-02-04 21:18:39 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:0125 https://rhn.redhat.com/errata/RHSA-2016-0125.html
Comment 42 errata-xmlrpc 2016-02-04 21:19:14 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0124 https://rhn.redhat.com/errata/RHSA-2016-0124.html
Comment 43 errata-xmlrpc 2016-02-04 21:47:34 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0123 https://rhn.redhat.com/errata/RHSA-2016-0123.html
Comment 44 errata-xmlrpc 2016-02-04 21:48:27 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0122 https://rhn.redhat.com/errata/RHSA-2016-0122.html
Comment 45 errata-xmlrpc 2016-02-04 21:50:43 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0121 https://rhn.redhat.com/errata/RHSA-2016-0121.html
Comment 47 Jason Shepherd 2016-03-22 04:21:07 UTC 
This also affects Wildfly and EAP 7:

https://issues.jboss.org/browse/JBEAP-3914
https://issues.jboss.org/browse/WFLY-6416
Comment 49 errata-xmlrpc 2016-06-30 21:07:03 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376
Comment 51 errata-xmlrpc 2016-09-08 18:18:48 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:1841 https://rhn.redhat.com/errata/RHSA-2016-1841.html
Comment 52 errata-xmlrpc 2016-09-08 18:20:14 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1840 https://rhn.redhat.com/errata/RHSA-2016-1840.html
Comment 53 errata-xmlrpc 2016-09-08 18:21:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1838 https://rhn.redhat.com/errata/RHSA-2016-1838.html
Comment 54 errata-xmlrpc 2016-09-08 18:41:03 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2016:1839 https://rhn.redhat.com/errata/RHSA-2016-1839.html
Comment 55 Jason Shepherd 2017-04-04 23:39:39 UTC 
Statement:

Users of EAP 6.x and 7.0 should upgrade to at least 6.4.9 and pass the following system property on startup to prevent XXE attacks in JSTL:
org.apache.taglibs.standard.xml.accessExternalEntity=false

For more details please see refer to this KCS solution:
https://access.redhat.com/solutions/1584363