tomcat-taglibs-user mailing list archives

From Jeremy Boynes <jboy...@apache.org>
Subject [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
Date Fri, 27 Feb 2015 06:16:33 GMT
CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Standard Taglibs 1.2.1
The unsupported 1.0.x and 1.1.x versions may also be affected.

Description:
When an application uses the <x:parse> or <x:transform> tags to process untrusted
XML documents, a request may use external entity references to access resources on the
host system, or XSLT extensions that may allow remote code execution.

Mitigation:
Users should upgrade to Apache Standard Taglibs 1.2.3 or later.

This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending
on the Java runtime version in use, additional configuration may be required:
Java8: External entity access is automatically disabled if a SecurityManager is active.
Java7: JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity
may be used to specify the protocols that can be used to access external entities. This defaults
to “all” if no SecurityManager is present and to “” (thereby disabling access) if
a SecurityManager is detected.

Credit:
David Jorm of IIX
