Bug 1080248 (CVE-2014-0107, oCERT-2014-002) - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
Summary: CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0107, oCERT-2014-002
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1081304 1081305 1081306 1081307 1081308 1081309 1081310 1081311 1081312 1081313 1081314 1081315 1081316 1081317 1081318 1081319 1081320 1081321 1081322 1083425 1124701 1130978 1139883
Blocks: 1059445 1080337 1082921 1082938 1085570 1097460 1110978 1113315 1114455 1125720 1127913 1141957 1145284 1159080 1244362
 
Reported: 2014-03-25 03:12 UTC by David Jorm
Modified: 2021-02-17 06:44 UTC

Fixed In Version: xalan-j2 2.7.2
Doc Type: Bug Fix
Doc Text:
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:32:11 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0348 0 normal SHIPPED_LIVE Important: xalan-j2 security update 2014-04-01 21:49:13 UTC
Red Hat Product Errata RHSA-2014:0453 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.2.2 security update 2014-04-30 22:49:48 UTC
Red Hat Product Errata RHSA-2014:0454 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.2.2 security update 2014-04-30 22:49:31 UTC
Red Hat Product Errata RHSA-2014:0590 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-06-02 18:04:31 UTC
Red Hat Product Errata RHSA-2014:0591 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-06-02 18:04:20 UTC
Red Hat Product Errata RHSA-2014:0818 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.2 update 2014-07-01 00:51:53 UTC
Red Hat Product Errata RHSA-2014:0819 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.2 update 2014-07-01 00:51:46 UTC
Red Hat Product Errata RHSA-2014:1007 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 5.3.1 update 2014-08-05 18:10:28 UTC
Red Hat Product Errata RHSA-2014:1059 0 normal SHIPPED_LIVE Important: JBoss Enterprise Portal Platform 5.2.2 security update 2014-08-14 19:47:56 UTC
Red Hat Product Errata RHSA-2014:1290 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 update 2014-09-24 00:19:55 UTC
Red Hat Product Errata RHSA-2014:1291 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 update 2014-09-24 00:19:49 UTC
Red Hat Product Errata RHSA-2014:1351 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update 2014-10-01 22:10:39 UTC
Red Hat Product Errata RHSA-2014:1369 0 normal SHIPPED_LIVE Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update 2014-10-09 20:07:39 UTC
Red Hat Product Errata RHSA-2014:1995 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2014-12-16 01:35:32 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC
Red Hat Product Errata RHSA-2015:1888 0 normal SHIPPED_LIVE Important: Red Hat JBoss SOA Platform 5.3.1 security update 2015-10-12 19:27:33 UTC

Description David Jorm 2014-03-25 03:12:16 UTC
It was found that the Xalan-Java secure processing feature imposes insufficient constraints:

* Java properties, bound to XSLT 1.0 system-property(), are accessible.

* Output properties that allow loading arbitrary classes or resources are allowed.

* Arbitrary code can be executed if the Bean Scripting Framework (BSF) is in the classpath, as it allows spawning available JARs with secure processing disabled, effectively bypassing the intended protection.

A remote attacker who is able to provide XSL that will be processed by Xalan-Java could use this flaw to bypass the constraints of the secure processing feature. Depending on the components available on the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.

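A gateway-side pre-check for the constructs this report names, written here as an added example (it is not Red Hat's or Xalan's code): it flags Xalan extension namespace declarations, Xalan-namespaced attributes on xsl:output, and system-property() calls so stylesheets from untrusted sources can be rejected before they reach the transformer, as defence in depth alongside the upgrade to xalan-j2 2.7.2. The namespace URI list is an assumed starting set and the two sample stylesheets are constructed inputs.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Assumed (not exhaustive) set of URIs that reach Xalan extensions: the xalan:
# namespace, the older lxslt namespace (component/script), and xalan:// Java bindings.
XALAN_NS_PREFIXES = ("http://xml.apache.org/xalan", "http://xml.apache.org/xslt", "xalan://")
SYSTEM_PROPERTY_RE = re.compile(r"\bsystem-property\s*\(")

def _is_xalan_ns(uri):
    return any(uri.startswith(p) for p in XALAN_NS_PREFIXES)

def _split(name):
    """Split a Clark-notation name '{uri}local' into (uri, local)."""
    return tuple(name[1:].split("}", 1)) if name.startswith("{") else ("", name)

def audit_stylesheet(xslt_text):
    """Return a list of findings for one stylesheet; an empty list means clean."""
    findings = []
    data = xslt_text.encode("utf-8")
    # xmlns declarations are not in Element.attrib; take them from parser events, since
    # a prefix bound to a Xalan URI reaches extension functions/elements (BSF) or Java classes.
    for _ev, (prefix, uri) in ET.iterparse(io.BytesIO(data), events=("start-ns",)):
        if _is_xalan_ns(uri):
            findings.append(f"extension namespace declared: xmlns:{prefix}={uri}")
    # expat does not fetch external entities, so parsing untrusted input here is safe.
    for elem in ET.fromstring(data).iter():
        ns, local = _split(elem.tag)
        for attr, value in elem.attrib.items():
            attr_ns, attr_local = _split(attr)
            # Xalan-namespaced output properties can load classes or resources.
            if ns == XSL_NS and local == "output" and _is_xalan_ns(attr_ns):
                findings.append(f"xsl:output extension attribute {attr_local}")
            # system-property() exposed Java system properties despite secure processing.
            if SYSTEM_PROPERTY_RE.search(value):
                findings.append(f"system-property() in {local}/@{attr_local}")
    return findings

# Constructed sample stylesheets (not taken from the bug report).
BENIGN_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes"/>
  <xsl:template match="/"><out><xsl:value-of select="."/></out></xsl:template>
</xsl:stylesheet>"""
SUSPECT_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:xalan="http://xml.apache.org/xalan">
  <xsl:output method="xml" xalan:content-handler="com.example.ConstructedHandler"/>
  <xsl:template match="/"><out><xsl:value-of select="system-property('java.version')"/></out></xsl:template>
</xsl:stylesheet>"""
```
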
Comment 5 errata-xmlrpc 2014-04-01 17:51:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:0348 https://rhn.redhat.com/errata/RHSA-2014-0348.html

Comment 6 Fedora Update System 2014-04-05 04:53:34 UTC
xalan-j2-2.7.1-22.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-04-05 04:55:57 UTC
xalan-j2-2.7.1-22.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 errata-xmlrpc 2014-04-30 18:50:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.2

Via RHSA-2014:0454 https://rhn.redhat.com/errata/RHSA-2014-0454.html

Comment 9 errata-xmlrpc 2014-04-30 18:50:52 UTC
This issue has been addressed in the following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0453 https://rhn.redhat.com/errata/RHSA-2014-0453.html

Comment 10 errata-xmlrpc 2014-06-02 14:04:39 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 4

Via RHSA-2014:0591 https://rhn.redhat.com/errata/RHSA-2014-0591.html

Comment 11 errata-xmlrpc 2014-06-02 14:05:18 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:0590 https://rhn.redhat.com/errata/RHSA-2014-0590.html

Comment 12 errata-xmlrpc 2014-06-30 20:52:05 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.0.2

Via RHSA-2014:0819 https://rhn.redhat.com/errata/RHSA-2014-0819.html

Comment 13 errata-xmlrpc 2014-06-30 20:52:30 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.0.2

Via RHSA-2014:0818 https://rhn.redhat.com/errata/RHSA-2014-0818.html

Comment 15 errata-xmlrpc 2014-08-05 14:10:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html

Comment 16 Martin Prpič 2014-08-07 11:15:47 UTC
IssueDescription:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.

Comment 17 errata-xmlrpc 2014-08-14 15:51:36 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html

Comment 18 errata-xmlrpc 2014-09-23 20:20:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html

Comment 19 errata-xmlrpc 2014-09-23 20:22:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html

Comment 21 errata-xmlrpc 2014-10-01 18:10:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html

Comment 22 errata-xmlrpc 2014-10-09 16:07:59 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html

Comment 24 errata-xmlrpc 2014-12-15 20:36:39 UTC
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html

Comment 28 errata-xmlrpc 2015-05-14 15:17:02 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 29 errata-xmlrpc 2015-10-12 15:27:56 UTC
This issue has been addressed in the following products:



Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html