Bug 1080248 - (CVE-2014-0107, oCERT-2014-002) CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20140324,repo...
: Security
Depends On: 1081304 1081305 1081306 1081307 1081308 1081309 1081310 1081311 1081312 1081313 1081314 1081315 1081316 1081317 1081318 1081319 1081320 1081321 1081322 1083425 1124701 1130978 1139883
Blocks: 1059445 1080337 1082921 1082938 1085570 1097460 1110978 1113315 1114455 1125720 1127913 1141957 1145284 1159080 1244362
  Show dependency treegraph
 
Reported: 2014-03-24 23:12 EDT by David Jorm
Modified: 2015-11-25 05:02 EST (History)
5 users (show)

See Also:
Fixed In Version: xalan-j2 2.7.2
Doc Type: Bug Fix
Doc Text:
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description David Jorm 2014-03-24 23:12:16 EDT
It was found that the Xalan-Java secure processing feature imposes insufficient constraints:

* Java properties, bound to XSLT 1.0 system-property(), are accessible.

* Output properties that allow to load arbitrary classes or resources are allowed.

* Arbitrary code can be executed if the Bean Scripting Framework (BSF) is in the classpath, as it allows to spawn available JARs with secure processing disabled, effectively bypassing the intended protection.

A remote attacker who is able to provide XSL that will be processed by Xalan-Java could use this flaw to bypass the constraints of the secure processing feature. Depending on the components available on the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Comment 5 errata-xmlrpc 2014-04-01 13:51:08 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:0348 https://rhn.redhat.com/errata/RHSA-2014-0348.html
Comment 6 Fedora Update System 2014-04-05 00:53:34 EDT
xalan-j2-2.7.1-22.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-04-05 00:55:57 EDT
xalan-j2-2.7.1-22.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2014-04-30 14:50:34 EDT
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.2

Via RHSA-2014:0454 https://rhn.redhat.com/errata/RHSA-2014-0454.html
Comment 9 errata-xmlrpc 2014-04-30 14:50:52 EDT
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0453 https://rhn.redhat.com/errata/RHSA-2014-0453.html
Comment 10 errata-xmlrpc 2014-06-02 10:04:39 EDT
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 4

Via RHSA-2014:0591 https://rhn.redhat.com/errata/RHSA-2014-0591.html
Comment 11 errata-xmlrpc 2014-06-02 10:05:18 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:0590 https://rhn.redhat.com/errata/RHSA-2014-0590.html
Comment 12 errata-xmlrpc 2014-06-30 16:52:05 EDT
This issue has been addressed in following products:

  JBoss BPM Suite 6.0.2

Via RHSA-2014:0819 https://rhn.redhat.com/errata/RHSA-2014-0819.html
Comment 13 errata-xmlrpc 2014-06-30 16:52:30 EDT
This issue has been addressed in following products:

  JBoss BRMS 6.0.2

Via RHSA-2014:0818 https://rhn.redhat.com/errata/RHSA-2014-0818.html
Comment 15 errata-xmlrpc 2014-08-05 10:10:43 EDT
This issue has been addressed in following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html
Comment 16 Martin Prpic 2014-08-07 07:15:47 EDT
IssueDescription:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Comment 17 errata-xmlrpc 2014-08-14 11:51:36 EDT
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html
Comment 18 errata-xmlrpc 2014-09-23 16:20:46 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html
Comment 19 errata-xmlrpc 2014-09-23 16:22:04 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html
Comment 21 errata-xmlrpc 2014-10-01 14:10:50 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
Comment 22 errata-xmlrpc 2014-10-09 12:07:59 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html
Comment 24 errata-xmlrpc 2014-12-15 15:36:39 EST
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html
Comment 28 errata-xmlrpc 2015-05-14 11:17:02 EDT
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Comment 29 errata-xmlrpc 2015-10-12 11:27:56 EDT
This issue has been addressed in the following products:



Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html

Note You need to log in before you can comment on or make changes to this bug.