Bug 1439980 - CVE-2017-7465 JBoss: JAXP in EAP 7.0 allows RCE via XSL
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170411,repo...
Keywords: Security
Blocks: 1439976
Reported: 2017-04-06 22:01 EDT by Jason Shepherd
Modified: 2018-01-29 22:15 EST
Doc Type: If docs needed, set a value
Doc Text:
It was found that the JAXP implementation used in EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing.

Attachments: None
Description Jason Shepherd 2017-04-06 22:01:06 EDT
It was found that the JAXP implementation used in EAP 7.0 has insecure defaults for XSL processing. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT for parsing.
Comment 1 Jason Shepherd 2017-04-06 22:01:18 EDT
Acknowledgments:

Name: Jason Shepherd (Red Hat)
Comment 5 Jason Shepherd 2017-04-11 18:48:15 EDT
Mitigation:

Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability. E.g.:

TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
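The following is an added, stand-alone example (not code from the bug report or from Red Hat) of the mitigation above applied in a small helper: it builds a TransformerFactory with FEATURE_SECURE_PROCESSING enabled, additionally blocks loading of external DTDs and stylesheets through the JAXP 1.5 attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET (assumed to be supported by the runtime's JAXP; if not, the attribute is skipped and secure processing stays on), and then runs an ordinary stylesheet to show that plain transforms keep working. The class name, method names and the sample XML/XSLT strings are constructed for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedXslt {

    // Build a TransformerFactory with the mitigation from the bug comment
    // (FEATURE_SECURE_PROCESSING = true). On top of that, forbid fetching of
    // external DTDs and stylesheets: an empty protocol list means "none".
    public static TransformerFactory newHardenedFactory()
            throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        String[] externalAccessAttrs = {
            XMLConstants.ACCESS_EXTERNAL_DTD,
            XMLConstants.ACCESS_EXTERNAL_STYLESHEET
        };
        for (String attr : externalAccessAttrs) {
            try {
                factory.setAttribute(attr, "");
            } catch (IllegalArgumentException e) {
                // Assumption: an older JAXP implementation may not know these
                // attributes. Secure processing is already on, so only report it.
                System.err.println("JAXP attribute not supported: " + attr);
            }
        }
        return factory;
    }

    // Apply a stylesheet (possibly supplied by an untrusted party) to a
    // document, always going through the hardened factory.
    public static String transform(String xml, String xslt) throws Exception {
        Transformer t = newHardenedFactory()
                .newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign stylesheet with no extension calls.
        String xml = "<orders><order id=\"1\">widget</order></orders>";
        String xslt =
            "<xsl:stylesheet version=\"1.0\""
            + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:output method=\"text\"/>"
            + "<xsl:template match=\"/\">"
            + "<xsl:for-each select=\"orders/order\">"
            + "<xsl:value-of select=\"@id\"/>: <xsl:value-of select=\".\"/>"
            + "</xsl:for-each>"
            + "</xsl:template>"
            + "</xsl:stylesheet>";

        // Ordinary transforms are unaffected by the hardening.
        System.out.println(transform(xml, xslt));
    }
}
```

Keep the factory construction in one place (as newHardenedFactory() does here) so that every code path that accepts XSLT from outside the application inherits the same settings; a single TransformerFactory.newInstance() call elsewhere that forgets setFeature() silently reopens the issue.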
