[SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags Feb 27 2015 06:16AM
Jeremy Boynes (jboynes apache org)
CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Standard Taglibs 1.2.1
The unsupported 1.0.x and 1.1.x versions may also be affected.

Description:
When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.

Mitigation:
Users should upgrade to Apache Standard Taglibs 1.2.3 or later.

This version uses JAXP's FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:
Java8: External entity access is automatically disabled if a SecurityManager is active.
Java7: JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to “all” if no SecurityManager is present and to “” (thereby disabling access) if a SecurityManager is detected.

Credit:
David Jorm of IIX
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJU8AvBAAoJEKVK0I6noCM8P0wIAMz5sZkpzoe7r7ryIdZ+XRLp
eq7gBjT6yMwbE5yQ4rGUioMPpY4deA8rK+z68ci4anVCdbEcZJFRKAEX2EQV7KUk
Y8O0TRbdCXHEVvgSQpOJyrVkAS1gxbUs/0dho9zlIM7Vyn9b712nxrmYTRt+nKeE
A/2+Xc+2Wa3SZObcaww5g4J3p6SnCACs77ZQLvq6L6FIMlg2Cry9qHofD72ouMhu
jTf40QLxe0PRYxHUZV9HSJmr56p/gTM7k/GKielgwRpp0HJnq2OyDB7CG0Xmk4kV
EFx1C6XcEnm9OFtG2A9RdFOcSSPYex/vrTWehFKtV6B4ptq1EyUlwrzA+GL2mJk=
=79ZY
-----END PGP SIGNATURE-----
