CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Standard Taglibs 1.2.1
The unsupported 1.0.x and 1.1.x versions may also be affected.
Description:
When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
Mitigation:
Users should upgrade to Apache Standard Taglibs 1.2.3 or later.
This version uses JAXP's FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:
Java8: External entity access is automatically disabled if a SecurityManager is active.
Java7: JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to "all" if no SecurityManager is present and to "" (thereby disabling access) if a SecurityManager is detected.
Credit:
David Jorm of IIX
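
The JAXP properties referred to in the Java7 note, as an added example that is not part of the advisory or of the Standard Taglibs code: it enables FEATURE_SECURE_PROCESSING and sets the JAXP 1.5 access properties to the empty string on the JDK's own parser and transformer factories, then parses a constructed document that declares an external entity. The class name, the sample document and its placeholder path are assumptions; the XMLConstants access properties require Java 7u40 or later.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class JaxpExternalAccessDemo {

    // Constructed sample input: declares and references an external entity.
    // The system identifier is a placeholder, not a real path.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\"> ]>\n"
      + "<doc>&ext;</doc>";

    static DocumentBuilderFactory hardenedParserFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5: an empty protocol list means no external access at all.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing also restricts XSLT extension functions
        // in the JDK's built-in XSLT processor.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Throws IllegalArgumentException if the XSLT implementation on the
        // classpath does not support the JAXP 1.5 properties.
        hardenedTransformerFactory();
        DocumentBuilder db = hardenedParserFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(SAMPLE)));
            System.out.println("parsed: external entity was NOT blocked");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same restrictions can be applied JVM-wide through the system properties javax.xml.accessExternalDTD, javax.xml.accessExternalSchema and javax.xml.accessExternalStylesheet, which matters when the factories are created by library code rather than by the application.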