Executive Summary
Summary | |
---|---|
Title | xalan-j2 security update |
Informations | |||
---|---|---|---|
Name | RHSA-2014:0348 | First vendor Publication | 2014-04-01 |
Vendor | RedHat | Last vendor Modification | 2014-04-01 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated xalan-j2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch Red Hat Enterprise Linux Server (v. 6) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation (v. 6) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch 3. Description: Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107) All xalan-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2014-0348.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24206 | |||
Oval ID: | oval:org.mitre.oval:def:24206 | ||
Title: | DEPRECATED: ELSA-2014:0348: xalan-j2 security update (Important) | ||
Description: | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0348-00 CVE-2014-0107 | Version: | 6 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24340 | |||
Oval ID: | oval:org.mitre.oval:def:24340 | ||
Title: | RHSA-2014:0348: xalan-j2 security update (Important) | ||
Description: | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0348-00 CESA-2014:0348 CVE-2014-0107 | Version: | 6 |
Platform(s): | Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 CentOS Linux 5 CentOS Linux 6 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24468 | |||
Oval ID: | oval:org.mitre.oval:def:24468 | ||
Title: | DSA-2886-1 libxalan2-java - security update | ||
Description: | Nicolas Gregoire discovered several vulnerabilities in libxalan2-java, a Java library for XSLT processing. Crafted XSLT programs couldaccess system properties or load arbitrary classes, resulting ininformation disclosure and, potentially, arbitrary code execution. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2886-1 CVE-2014-0107 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | libxalan2-java |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24509 | |||
Oval ID: | oval:org.mitre.oval:def:24509 | ||
Title: | ELSA-2014:0348: xalan-j2 security update (Important) | ||
Description: | Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107) All xalan-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0348-00 CVE-2014-0107 | Version: | 5 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24692 | |||
Oval ID: | oval:org.mitre.oval:def:24692 | ||
Title: | USN-2218-1 -- libxalan2-java vulnerability | ||
Description: | Xalan-Java could be made to load arbitrary classes or access external resources. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2218-1 CVE-2014-0107 | Version: | 3 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | libxalan2-java |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26203 | |||
Oval ID: | oval:org.mitre.oval:def:26203 | ||
Title: | SUSE-SU-2014:0870-1 -- Security update for xalan-j2 | ||
Description: | xalan-j2 has been updated to ensure that secure processing can't be circumvented. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0870-1 CVE-2014-0107 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26786 | |||
Oval ID: | oval:org.mitre.oval:def:26786 | ||
Title: | DEPRECATED: ELSA-2014-0348 -- xalan-j2 security update (Important) | ||
Description: | Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107) All xalan-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0348 CVE-2014-0107 | Version: | 4 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Snort® IPS/IDS
Date | Description |
---|---|
2019-09-24 | Xalan-Java secure processing bypass attempt RuleID : 51184 - Revision : 1 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-04-05 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201604-02.nasl - Type : ACT_GATHER_INFO |
2016-01-21 | Name : The website content management system installed on the remote host is affecte... File : oracle_webcenter_sites_jan_2016_cpu.nasl - Type : ACT_GATHER_INFO |
2014-07-05 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_xalan-j2-140623.nasl - Type : ACT_GATHER_INFO |
2014-07-02 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-445.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0591.nasl - Type : ACT_GATHER_INFO |
2014-05-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2218-1.nasl - Type : ACT_GATHER_INFO |
2014-05-01 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0453.nasl - Type : ACT_GATHER_INFO |
2014-04-23 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-325.nasl - Type : ACT_GATHER_INFO |
2014-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4426.nasl - Type : ACT_GATHER_INFO |
2014-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4443.nasl - Type : ACT_GATHER_INFO |
2014-04-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0348.nasl - Type : ACT_GATHER_INFO |
2014-04-02 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0348.nasl - Type : ACT_GATHER_INFO |
2014-04-02 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0348.nasl - Type : ACT_GATHER_INFO |
2014-04-02 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140401_xalan_j2_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2014-03-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2886.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-01-23 09:25:44 |
|
2014-04-24 13:21:55 |
|
2014-04-16 17:24:06 |
|
2014-04-16 13:27:41 |
|
2014-04-04 13:22:28 |
|
2014-04-03 13:22:39 |
|
2014-04-01 21:20:54 |
|