Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1198606 (CVE-2015-0254) - CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
Summary: CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0254
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Ondřej Lysoněk
URL:
Whiteboard:
Depends On: 1198607 1241794 1241795 1241796 1241797 1241798 1241799 1241800 1241803 1241804 1241805 1304994 1323354
Blocks: 1197807 1312318 1320747 1340536
TreeView+ depends on / blocked
 
Reported: 2015-03-04 13:47 UTC by Martin Prpič
Modified: 2021-02-17 05:34 UTC (History)
59 users (show)

See Also:
Fixed In Version: jakarta-taglibs-standard 1.2.3
Doc Type: Bug Fix
Doc Text:
It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allowing arbitrary code execution.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:39:27 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1695 0 normal SHIPPED_LIVE Important: jakarta-taglibs-standard security update 2015-08-31 13:04:49 UTC
Red Hat Product Errata RHSA-2016:0121 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 5 2016-02-05 02:42:41 UTC
Red Hat Product Errata RHSA-2016:0122 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 6 2016-02-05 02:36:01 UTC
Red Hat Product Errata RHSA-2016:0123 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 7 2016-02-05 02:32:59 UTC
Red Hat Product Errata RHSA-2016:0124 0 normal SHIPPED_LIVE Important: jboss-ec2-eap security and enhancement update for EAP 6.4.6 2016-02-05 02:18:29 UTC
Red Hat Product Errata RHSA-2016:0125 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update 2016-02-05 02:18:23 UTC
Red Hat Product Errata RHSA-2016:1376 0 normal SHIPPED_LIVE Critical: Red Hat JBoss SOA Platform security update 2016-07-01 01:06:13 UTC
Red Hat Product Errata RHSA-2016:1838 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.2 on RHEL 6 2016-09-08 22:17:08 UTC
Red Hat Product Errata RHSA-2016:1839 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.2 for RHEL 7 2016-09-08 22:38:52 UTC
Red Hat Product Errata RHSA-2016:1840 0 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security, bug fix, and enhancement update 2016-09-08 22:14:07 UTC
Red Hat Product Errata RHSA-2016:1841 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.2 2016-09-08 22:12:58 UTC

Description Martin Prpič 2015-03-04 13:47:28 UTC
The following flaw was found in Apache Standard Taglibs:

When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.

Upstream announcement:

https://mail-archives.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E

Comment 1 Martin Prpič 2015-03-04 13:48:30 UTC
Created jakarta-taglibs-standard tracking bugs for this issue:

Affects: fedora-all [bug 1198607]

Comment 2 Jason Shepherd 2015-07-09 03:48:26 UTC
Advise from upstream annoucement by David Jorm:

Mitigation:

Users should upgrade to Apache Standard Taglibs 1.2.3 or later.

This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:

Java8:
External entity access is automatically disabled if a SecurityManager is active.

Java7:
JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html

Java6 and earlier:
A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to "all" if no SecurityManager is present and to "" (thereby disabling access) if a SecurityManager is detected.

Comment 3 Jason Shepherd 2015-07-10 06:46:34 UTC
JBoss Web Server 1.0.2 is now End of Life

Comment 6 Jason Shepherd 2015-07-10 07:03:19 UTC
I can see that upstream spacewalk does not utilize XML Java Standard Taglibs. (JSTL). 

While I filed tracking bugs for several versions of Satellite, feel free to close them if the version of Satellite does not use XML JSTL

Comment 7 Mikolaj Izdebski 2015-07-10 08:34:20 UTC
Is there particular upstream commit fixing this flaw? I can't find anything obvious in upstream svn.

Comment 9 Jason Shepherd 2015-07-14 02:57:01 UTC
Mikolaj, I'm not sure of the exact commits. I can probably chase this up if it's required.

This was fixed in Fedora by migrating to the 1.2.3 branch. See https://bugzilla.redhat.com/show_bug.cgi?id=1198607

Comment 10 Mikolaj Izdebski 2015-07-20 12:16:02 UTC
(In reply to Jason Shepherd from comment #9)
> Mikolaj, I'm not sure of the exact commits. I can probably chase this up if
> it's required.

Please do. I'm unable to find the exact fix myself. Could you also provide some reproducer?

Comment 15 Jason Shepherd 2015-07-21 23:27:30 UTC
We won't fix this issue for RHEL 5, or Satellite 5.x. Satellite doesn't use the XML JSTL features, and RHEL 5 is in maintenance phase 3, so it only receives critical security patches.

Comment 24 Jason Shepherd 2015-08-20 22:02:04 UTC
Hi Tim,

See task bug 1197807, Comment #9. JSTL is not included in EWS. It's part of the JEE spec which EWS doesn't implement.

Cheers,
Jason

Comment 29 Jason Shepherd 2015-08-26 07:05:22 UTC
Acknowledgement:
Red Hat would like to thank David Jorm of IIX, and the Apache Software
Foundation for reporting this flaw.

Comment 34 errata-xmlrpc 2015-08-31 09:05:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:1695 https://rhn.redhat.com/errata/RHSA-2015-1695.html

Comment 41 errata-xmlrpc 2016-02-04 21:18:39 UTC
This issue has been addressed in the following products:



Via RHSA-2016:0125 https://rhn.redhat.com/errata/RHSA-2016-0125.html

Comment 42 errata-xmlrpc 2016-02-04 21:19:14 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0124 https://rhn.redhat.com/errata/RHSA-2016-0124.html

Comment 43 errata-xmlrpc 2016-02-04 21:47:34 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0123 https://rhn.redhat.com/errata/RHSA-2016-0123.html

Comment 44 errata-xmlrpc 2016-02-04 21:48:27 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0122 https://rhn.redhat.com/errata/RHSA-2016-0122.html

Comment 45 errata-xmlrpc 2016-02-04 21:50:43 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0121 https://rhn.redhat.com/errata/RHSA-2016-0121.html

Comment 47 Jason Shepherd 2016-03-22 04:21:07 UTC
This also affects Wildfly and EAP 7:

https://issues.jboss.org/browse/JBEAP-3914
https://issues.jboss.org/browse/WFLY-6416

Comment 49 errata-xmlrpc 2016-06-30 21:07:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376

Comment 51 errata-xmlrpc 2016-09-08 18:18:48 UTC
This issue has been addressed in the following products:



Via RHSA-2016:1841 https://rhn.redhat.com/errata/RHSA-2016-1841.html

Comment 52 errata-xmlrpc 2016-09-08 18:20:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1840 https://rhn.redhat.com/errata/RHSA-2016-1840.html

Comment 53 errata-xmlrpc 2016-09-08 18:21:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1838 https://rhn.redhat.com/errata/RHSA-2016-1838.html

Comment 54 errata-xmlrpc 2016-09-08 18:41:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2016:1839 https://rhn.redhat.com/errata/RHSA-2016-1839.html

Comment 55 Jason Shepherd 2017-04-04 23:39:39 UTC
Statement:

Users of EAP 6.x and 7.0 should upgrade to at least 6.4.9 and pass the following system property on startup to prevent XXE attacks in JSTL:
org.apache.taglibs.standard.xml.accessExternalEntity=false

For more details please see refer to this KCS solution:
https://access.redhat.com/solutions/1584363


Note You need to log in before you can comment on or make changes to this bug.