Executive Summary

Summary

Title: Xalan-Java: Arbitrary code execution

Information
Name: GLSA-201604-02
Vendor: Gentoo
First vendor publication: 2016-04-02
Last vendor modification: 2016-04-02
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Synopsis

Insufficient constraints in Apache's Xalan-Java might allow remote attackers to execute arbitrary code and load arbitrary classes.

Background

Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types.

Description

The TransformerFactory in Apache Xalan-Java does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled.
This can also be exploited via a Java property that is bound to the XSLT 1.0 system-property function.

Impact

A remote attacker could inject specially crafted XSLT properties resulting in the execution of arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Xalan-Java users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/xalan-2.7.2"
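The following Java program is an added example; it is not part of the GLSA and not code from the Xalan-Java project. It shows the two checks a defender can derive from the Description and Resolution above: whether the Xalan release on the classpath is at or above the fixed 2.7.2, and a TransformerFactory configured with FEATURE_SECURE_PROCESSING plus the JAXP external-access attributes. The org.apache.xalan.Version class and the format of its getVersion() string are assumptions about Xalan's API. Because the advisory lists no workaround, the hardened factory is only defence in depth; the version gate is the control that matches the resolution.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

public final class XalanGuard {

    // Minimum fixed release named in the advisory's Resolution section (>=2.7.2).
    private static final int[] MIN_FIXED = {2, 7, 2};

    // Matches the first "major.minor.maintenance" run in a version string.
    private static final Pattern VERSION_RE = Pattern.compile("(\\d+)\\.(\\d+)\\.(\\d+)");

    /** True if the version text carries a release at or above MIN_FIXED. */
    public static boolean isFixedRelease(String versionText) {
        if (versionText == null) return false;
        Matcher m = VERSION_RE.matcher(versionText);
        if (!m.find()) return false;
        int[] got = {Integer.parseInt(m.group(1)),
                     Integer.parseInt(m.group(2)),
                     Integer.parseInt(m.group(3))};
        for (int i = 0; i < MIN_FIXED.length; i++) {
            if (got[i] != MIN_FIXED[i]) return got[i] > MIN_FIXED[i];
        }
        return true;
    }

    /**
     * Reports the Xalan runtime version, or null if Xalan is not on the classpath.
     * Assumption: org.apache.xalan.Version.getVersion() exists and returns a string
     * that contains the dotted release number (for example "Xalan Java 2.7.2").
     */
    public static String detectXalanVersion() {
        try {
            Class<?> v = Class.forName("org.apache.xalan.Version");
            return (String) v.getMethod("getVersion").invoke(null);
        } catch (ReflectiveOperationException | ClassCastException e) {
            return null;
        }
    }

    /**
     * Builds a TransformerFactory with secure processing enabled and external
     * DTD/stylesheet fetching disabled. On a vulnerable Xalan release secure
     * processing can be bypassed (CVE-2014-0107), so this does not replace the
     * version gate in main().
     */
    public static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        String[] externalAccess = {XMLConstants.ACCESS_EXTERNAL_DTD,
                                   XMLConstants.ACCESS_EXTERNAL_STYLESHEET};
        for (String attr : externalAccess) {
            try {
                factory.setAttribute(attr, ""); // empty string: no protocols allowed
            } catch (IllegalArgumentException e) {
                // Processors predating JAXP 1.5 do not recognise these attributes.
                System.err.println("attribute not supported by this processor: " + attr);
            }
        }
        return factory;
    }

    public static void main(String[] args) throws Exception {
        String version = detectXalanVersion();
        System.out.println("Xalan runtime: " + (version == null ? "not on classpath" : version));
        if (version != null && !isFixedRelease(version)) {
            // Refuse to start rather than process untrusted XSLT on an affected release.
            throw new IllegalStateException("Xalan older than 2.7.2 detected; upgrade before processing XSLT");
        }
        TransformerFactory factory = hardenedFactory();
        System.out.println("TransformerFactory: " + factory.getClass().getName());
    }
}
```

Run it with the application's classpath so that the same Xalan jar the application loads is the one inspected. The gate only covers the standalone Xalan package the advisory is about; if `detectXalanVersion()` returns null, the JDK's built-in transformer is being used instead and the package check does not apply.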

References

[ 1 ] CVE-2014-0107 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0107

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201604-02

Original Source

Url : http://security.gentoo.org/glsa/glsa-201604-02.xml

CWE : Common Weakness Enumeration

%      Id        Name
100    CWE-264   Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:24206
 
Oval ID: oval:org.mitre.oval:def:24206
Title: DEPRECATED: ELSA-2014:0348: xalan-j2 security update (Important)
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Family: unix Class: patch
Reference(s): ELSA-2014:0348-00
CVE-2014-0107
Version: 6
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): xalan-j2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24340
 
Oval ID: oval:org.mitre.oval:def:24340
Title: RHSA-2014:0348: xalan-j2 security update (Important)
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Family: unix Class: patch
Reference(s): RHSA-2014:0348-00
CESA-2014:0348
CVE-2014-0107
Version: 6
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
CentOS Linux 5
CentOS Linux 6
Product(s): xalan-j2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24468
 
Oval ID: oval:org.mitre.oval:def:24468
Title: DSA-2886-1 libxalan2-java - security update
Description: Nicolas Gregoire discovered several vulnerabilities in libxalan2-java, a Java library for XSLT processing. Crafted XSLT programs could access system properties or load arbitrary classes, resulting in information disclosure and, potentially, arbitrary code execution.
Family: unix Class: patch
Reference(s): DSA-2886-1
CVE-2014-0107
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): libxalan2-java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24509
 
Oval ID: oval:org.mitre.oval:def:24509
Title: ELSA-2014:0348: xalan-j2 security update (Important)
Description: Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107) All xalan-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
Family: unix Class: patch
Reference(s): ELSA-2014:0348-00
CVE-2014-0107
Version: 5
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): xalan-j2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24692
 
Oval ID: oval:org.mitre.oval:def:24692
Title: USN-2218-1 -- libxalan2-java vulnerability
Description: Xalan-Java could be made to load arbitrary classes or access external resources.
Family: unix Class: patch
Reference(s): USN-2218-1
CVE-2014-0107
Version: 3
Platform(s): Ubuntu 13.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): libxalan2-java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26203
 
Oval ID: oval:org.mitre.oval:def:26203
Title: SUSE-SU-2014:0870-1 -- Security update for xalan-j2
Description: xalan-j2 has been updated to ensure that secure processing can't be circumvented.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0870-1
CVE-2014-0107
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): xalan-j2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26786
 
Oval ID: oval:org.mitre.oval:def:26786
Title: DEPRECATED: ELSA-2014-0348 -- xalan-j2 security update (Important)
Description: Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107) All xalan-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
Family: unix Class: patch
Reference(s): ELSA-2014-0348
CVE-2014-0107
Version: 4
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): xalan-j2
Definition Synopsis:

CPE : Common Platform Enumeration

Type          Description    Count
Application                  12
Application                  2

Snort® IPS/IDS

Date Description
2019-09-24 Xalan-Java secure processing bypass attempt
RuleID : 51184 - Revision : 1 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2016-04-05 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201604-02.nasl - Type : ACT_GATHER_INFO
2016-01-21 Name : The website content management system installed on the remote host is affecte...
File : oracle_webcenter_sites_jan_2016_cpu.nasl - Type : ACT_GATHER_INFO
2014-07-05 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_xalan-j2-140623.nasl - Type : ACT_GATHER_INFO
2014-07-02 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-445.nasl - Type : ACT_GATHER_INFO
2014-06-04 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0591.nasl - Type : ACT_GATHER_INFO
2014-05-22 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2218-1.nasl - Type : ACT_GATHER_INFO
2014-05-01 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0453.nasl - Type : ACT_GATHER_INFO
2014-04-23 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-325.nasl - Type : ACT_GATHER_INFO
2014-04-07 Name : The remote Fedora host is missing a security update.
File : fedora_2014-4426.nasl - Type : ACT_GATHER_INFO
2014-04-07 Name : The remote Fedora host is missing a security update.
File : fedora_2014-4443.nasl - Type : ACT_GATHER_INFO
2014-04-03 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0348.nasl - Type : ACT_GATHER_INFO
2014-04-02 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0348.nasl - Type : ACT_GATHER_INFO
2014-04-02 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0348.nasl - Type : ACT_GATHER_INFO
2014-04-02 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140401_xalan_j2_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-03-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2886.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2016-04-06 13:26:47
  • Multiple Updates
2016-04-03 00:23:02
  • First insertion