It was found that the Xalan-Java secure processing feature imposes insufficient constraints: * Java properties, bound to XSLT 1.0 system-property(), are accessible. * Output properties that allow to load arbitrary classes or resources are allowed. * Arbitrary code can be executed if the Bean Scripting Framework (BSF) is in the classpath, as it allows to spawn available JARs with secure processing disabled, effectively bypassing the intended protection. A remote attacker who is able to provide XSL that will be processed by Xalan-Java could use this flaw to bypass the constraints of the secure processing feature. Depending on the components available on the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Upstream bug: https://issues.apache.org/jira/browse/XALANJ-2435 Upstream patch commit: http://svn.apache.org/viewvc?view=revision&revision=1581058 External References: http://www.ocert.org/advisories/ocert-2014-002.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2014:0348 https://rhn.redhat.com/errata/RHSA-2014-0348.html
xalan-j2-2.7.1-22.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
xalan-j2-2.7.1-22.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat JBoss Enterprise Application Platform 6.2.2 Via RHSA-2014:0454 https://rhn.redhat.com/errata/RHSA-2014-0454.html
This issue has been addressed in following products: JBEAP 6.2 for RHEL 5 JBEAP 6.2 for RHEL 6 Via RHSA-2014:0453 https://rhn.redhat.com/errata/RHSA-2014-0453.html
This issue has been addressed in following products: JBEAP 5 for RHEL 5 JBEAP 5 for RHEL 6 JBEAP 5 for RHEL 4 Via RHSA-2014:0591 https://rhn.redhat.com/errata/RHSA-2014-0591.html
This issue has been addressed in following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2014:0590 https://rhn.redhat.com/errata/RHSA-2014-0590.html
This issue has been addressed in following products: JBoss BPM Suite 6.0.2 Via RHSA-2014:0819 https://rhn.redhat.com/errata/RHSA-2014-0819.html
This issue has been addressed in following products: JBoss BRMS 6.0.2 Via RHSA-2014:0818 https://rhn.redhat.com/errata/RHSA-2014-0818.html
This issue has been addressed in following products: Red Hat JBoss BRMS 5.3.1 Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html
IssueDescription: It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
This issue has been addressed in following products: JBoss Enterprise Portal Platform 5.2.2 Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html
This issue has been addressed in the following products: Red Hat JBoss Fuse/A-MQ 6.1.0 Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
This issue has been addressed in the following products: Fuse ESB Enterprise 7.1.0 Fuse MQ Enterprise 7.1.0 Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html
This issue has been addressed in the following products: JBoss Fuse Service Works 6.0.0 Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
This issue has been addressed in the following products: Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html