It was found that the JAXP implementation used in EAP 7.0 has insecure defaults for XSL processing. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT for parsing.
Name: Jason Shepherd (Red Hat)
Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability. Eg:
TransformerFactory factory = TransformerFactory.newInstance();
This issue has been addressed in the following products:
EAP-CD 14 Tech Preview
Via RHSA-2020:2563 https://access.redhat.com/errata/RHSA-2020:2563
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):