It was discovered that the JAXP component lacked certain security restrictions. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Public now via Oracle Java SE CPU April 2014: http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html Fixed in Oracle Java SE 7u21 and 6u45.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
OpenJDK7 upstream repositories commit: http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jaxp/rev/38d4d23d167c
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2013:0758 https://rhn.redhat.com/errata/RHSA-2013-0758.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0757 https://rhn.redhat.com/errata/RHSA-2013-0757.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:0770 https://rhn.redhat.com/errata/RHSA-2013-0770.html
Fixed in IcedTea6 versions 1.11.10 and 1.12.5, and IcedTea7 version 2.3.9: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022890.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022985.html
This is also known as Issue 51 reported by Adam Gowdiak of Security Explorations. More details in his report and PoC: http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf http://www.security-explorations.com/materials/se-2012-01-50-60.zip Brief description form the above PDF: origin: com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl cause: the possibility to define user provided classes in a privileged (no package access in loadClass method) class loader (TransletClassLoader) impact: arbitrary access to restricted classes type: partial security bypass vulnerability
*** Bug 906450 has been marked as a duplicate of this bug. ***