Executive Summary
Summary | |
---|---|
Title | Xalan-Java vulnerability |
Informations | |||
---|---|---|---|
Name | USN-2218-1 | First vendor Publication | 2014-05-21 |
Vendor | Ubuntu | Last vendor Modification | 2014-05-21 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Xalan-Java could be made to load arbitrary classes or access external resources. Software Description: - libxalan2-java: XSL Transformations (XSLT) processor in Java Details: Nicolas Gregoire discovered that Xalan-Java incorrectly handled certain properties when the secure processing feature was enabled. An attacker could possibly use this issue to load arbitrary classes or access external resources. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: Ubuntu 12.04 LTS: Ubuntu 10.04 LTS: After a standard system update you need to reboot your computer to make all the necessary changes. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-2218-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24206 | |||
Oval ID: | oval:org.mitre.oval:def:24206 | ||
Title: | DEPRECATED: ELSA-2014:0348: xalan-j2 security update (Important) | ||
Description: | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0348-00 CVE-2014-0107 | Version: | 6 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24340 | |||
Oval ID: | oval:org.mitre.oval:def:24340 | ||
Title: | RHSA-2014:0348: xalan-j2 security update (Important) | ||
Description: | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0348-00 CESA-2014:0348 CVE-2014-0107 | Version: | 6 |
Platform(s): | Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 CentOS Linux 5 CentOS Linux 6 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24468 | |||
Oval ID: | oval:org.mitre.oval:def:24468 | ||
Title: | DSA-2886-1 libxalan2-java - security update | ||
Description: | Nicolas Gregoire discovered several vulnerabilities in libxalan2-java, a Java library for XSLT processing. Crafted XSLT programs couldaccess system properties or load arbitrary classes, resulting ininformation disclosure and, potentially, arbitrary code execution. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2886-1 CVE-2014-0107 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | libxalan2-java |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24509 | |||
Oval ID: | oval:org.mitre.oval:def:24509 | ||
Title: | ELSA-2014:0348: xalan-j2 security update (Important) | ||
Description: | Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107) All xalan-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0348-00 CVE-2014-0107 | Version: | 5 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24692 | |||
Oval ID: | oval:org.mitre.oval:def:24692 | ||
Title: | USN-2218-1 -- libxalan2-java vulnerability | ||
Description: | Xalan-Java could be made to load arbitrary classes or access external resources. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2218-1 CVE-2014-0107 | Version: | 3 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | libxalan2-java |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26203 | |||
Oval ID: | oval:org.mitre.oval:def:26203 | ||
Title: | SUSE-SU-2014:0870-1 -- Security update for xalan-j2 | ||
Description: | xalan-j2 has been updated to ensure that secure processing can't be circumvented. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0870-1 CVE-2014-0107 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26786 | |||
Oval ID: | oval:org.mitre.oval:def:26786 | ||
Title: | DEPRECATED: ELSA-2014-0348 -- xalan-j2 security update (Important) | ||
Description: | Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107) All xalan-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0348 CVE-2014-0107 | Version: | 4 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | xalan-j2 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Snort® IPS/IDS
Date | Description |
---|---|
2019-09-24 | Xalan-Java secure processing bypass attempt RuleID : 51184 - Revision : 1 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-04-05 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201604-02.nasl - Type : ACT_GATHER_INFO |
2016-01-21 | Name : The website content management system installed on the remote host is affecte... File : oracle_webcenter_sites_jan_2016_cpu.nasl - Type : ACT_GATHER_INFO |
2014-07-05 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_xalan-j2-140623.nasl - Type : ACT_GATHER_INFO |
2014-07-02 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-445.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0591.nasl - Type : ACT_GATHER_INFO |
2014-05-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2218-1.nasl - Type : ACT_GATHER_INFO |
2014-05-01 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0453.nasl - Type : ACT_GATHER_INFO |
2014-04-23 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-325.nasl - Type : ACT_GATHER_INFO |
2014-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4426.nasl - Type : ACT_GATHER_INFO |
2014-04-07 | Name : The remote Fedora host is missing a security update. File : fedora_2014-4443.nasl - Type : ACT_GATHER_INFO |
2014-04-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0348.nasl - Type : ACT_GATHER_INFO |
2014-04-02 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0348.nasl - Type : ACT_GATHER_INFO |
2014-04-02 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0348.nasl - Type : ACT_GATHER_INFO |
2014-04-02 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140401_xalan_j2_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2014-03-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2886.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-01-23 09:25:45 |
|
2014-05-23 13:23:57 |
|
2014-05-22 00:19:59 |
|