Red Hat Bugzilla – Bug 1198606
CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
Last modified: 2018-10-19 17:36:39 EDT
The following flaw was found in Apache Standard Taglibs: When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution. Upstream announcement: https://mail-archives.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
Created jakarta-taglibs-standard tracking bugs for this issue: Affects: fedora-all [bug 1198607]
Advise from upstream annoucement by David Jorm: Mitigation: Users should upgrade to Apache Standard Taglibs 1.2.3 or later. This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required: Java8: External entity access is automatically disabled if a SecurityManager is active. Java7: JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html Java6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to "all" if no SecurityManager is present and to "" (thereby disabling access) if a SecurityManager is detected.
JBoss Web Server 1.0.2 is now End of Life
I can see that upstream spacewalk does not utilize XML Java Standard Taglibs. (JSTL). While I filed tracking bugs for several versions of Satellite, feel free to close them if the version of Satellite does not use XML JSTL
Is there particular upstream commit fixing this flaw? I can't find anything obvious in upstream svn.
Mikolaj, I'm not sure of the exact commits. I can probably chase this up if it's required. This was fixed in Fedora by migrating to the 1.2.3 branch. See https://bugzilla.redhat.com/show_bug.cgi?id=1198607
(In reply to Jason Shepherd from comment #9) > Mikolaj, I'm not sure of the exact commits. I can probably chase this up if > it's required. Please do. I'm unable to find the exact fix myself. Could you also provide some reproducer?
We won't fix this issue for RHEL 5, or Satellite 5.x. Satellite doesn't use the XML JSTL features, and RHEL 5 is in maintenance phase 3, so it only receives critical security patches.
Hi Tim, See task bug 1197807, Comment #9. JSTL is not included in EWS. It's part of the JEE spec which EWS doesn't implement. Cheers, Jason
Acknowledgement: Red Hat would like to thank David Jorm of IIX, and the Apache Software Foundation for reporting this flaw.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2015:1695 https://rhn.redhat.com/errata/RHSA-2015-1695.html
This issue has been addressed in the following products: Via RHSA-2016:0125 https://rhn.redhat.com/errata/RHSA-2016-0125.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2016:0124 https://rhn.redhat.com/errata/RHSA-2016-0124.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2016:0123 https://rhn.redhat.com/errata/RHSA-2016-0123.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2016:0122 https://rhn.redhat.com/errata/RHSA-2016-0122.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5 Via RHSA-2016:0121 https://rhn.redhat.com/errata/RHSA-2016-0121.html
This also affects Wildfly and EAP 7: https://issues.jboss.org/browse/JBEAP-3914 https://issues.jboss.org/browse/WFLY-6416
This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376
This issue has been addressed in the following products: Via RHSA-2016:1841 https://rhn.redhat.com/errata/RHSA-2016-1841.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2016:1840 https://rhn.redhat.com/errata/RHSA-2016-1840.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2016:1838 https://rhn.redhat.com/errata/RHSA-2016-1838.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2016:1839 https://rhn.redhat.com/errata/RHSA-2016-1839.html
Statement: Users of EAP 6.x and 7.0 should upgrade to at least 6.4.9 and pass the following system property on startup to prevent XXE attacks in JSTL: org.apache.taglibs.standard.xml.accessExternalEntity=false For more details please see refer to this KCS solution: https://access.redhat.com/solutions/1584363