
Bug 505602 (CVE-2014-0107)

Summary: <dev-java/xalan-2.7.2: insufficient constraints in secure processing feature (CVE-2014-0107) (oCERT-2014-002)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1080248
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-03-25 09:28:21 UTC
From ${URL} :

It was found that the Xalan-Java secure processing feature imposes insufficient constraints:

* Java properties, bound to XSLT 1.0 system-property(), are accessible.

* Output properties that allow loading arbitrary classes or resources are allowed.

* Arbitrary code can be executed if the Bean Scripting Framework (BSF) is in the classpath, as it allows spawning available JARs with secure processing disabled, effectively bypassing the intended protection.

A remote attacker who is able to provide XSL that will be processed by Xalan-Java could use this flaw to bypass the constraints of the secure processing feature. Depending on the components available on the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-10-11 14:10:26 UTC
CVE-2014-0107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0107):
  The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly
  restrict access to certain properties when FEATURE_SECURE_PROCESSING is
  enabled, which allows remote attackers to bypass expected restrictions and
  load arbitrary classes or access external resources via a crafted (1)
  xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4)
  xslt:entities property, or a Java property that is bound to the XSLT 1.0
  system-property function.
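The description and the NVD entry above name the concrete bypass points: the `xalan:`/`xslt:` `content-header` and `entities` output properties, and Java properties reachable through XSLT 1.0 `system-property()`. The following is an added example (not Xalan project code and not from this bug) of how an application that must accept stylesheets from untrusted sources can combine a hardened `TransformerFactory` with a pre-transform check for exactly those constructs; the regex-based scan is a heuristic assumption of this example, not a substitute for upgrading to xalan-2.7.2 as the bug requires.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

/** Defensive handling of untrusted XSL around CVE-2014-0107 (added example, not Xalan's own code). */
public final class XsltHardening {

    /** Factory with secure processing on and external access off; the feature alone was insufficient before 2.7.2. */
    public static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes. An implementation that does not recognise them throws
        // IllegalArgumentException; for untrusted input that is preferable to continuing silently.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Heuristic text-level pre-check for the properties and the XPath function the advisory names.
    // A production check should resolve namespaces properly instead of trusting the prefix text.
    private static final Pattern RISKY_OUTPUT_PROPERTY =
        Pattern.compile("\\b(xalan|xslt):(content-header|entities)\\s*=");
    private static final Pattern SYSTEM_PROPERTY_CALL =
        Pattern.compile("\\bsystem-property\\s*\\(");

    /** Returns findings to log or reject on; an empty list means nothing from the advisory was seen. */
    public static List<String> scanUntrustedStylesheet(String xsl) {
        List<String> findings = new ArrayList<>();
        Matcher m = RISKY_OUTPUT_PROPERTY.matcher(xsl);
        while (m.find()) findings.add("output property " + m.group(1) + ":" + m.group(2));
        m = SYSTEM_PROPERTY_CALL.matcher(xsl);
        while (m.find()) findings.add("system-property() call at offset " + m.start());
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stylesheet that uses both constructs named in the advisory.
        String sample = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
            + " xmlns:xalan=\"http://xml.apache.org/xalan\">"
            + "<xsl:output method=\"xml\" xalan:entities=\"ent.properties\"/>"
            + "<xsl:template match=\"/\"><xsl:value-of select=\"system-property('java.version')\"/></xsl:template>"
            + "</xsl:stylesheet>";
        List<String> findings = scanUntrustedStylesheet(sample);
        System.out.println(findings.isEmpty() ? "no findings" : "reject: " + findings);
        newHardenedFactory(); // only transform with this factory when findings is empty
    }
}
```

On the constructed sample the scan reports the `xalan:entities` output property and one `system-property()` call, so the stylesheet is rejected before any transform is attempted.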
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 03:19:51 UTC
Note: as per upstream, this has been fixed in 2.7.2.

Also has been pushed to:
https://svn.apache.org/repos/asf/xalan/java/branches/xalan-j_2_7_1_maint

Maintainer(s): after the bump, please let us know when the ebuild is ready for stabilization.
Comment 4 James Le Cuirot gentoo-dev 2015-06-30 11:05:24 UTC
dev-java/xalan-serializer and dev-java/xalan now bumped. Removal may have to wait till I drop ia64. This is next on my list but I'm about to leave for a week.
Comment 5 James Le Cuirot gentoo-dev 2015-07-30 22:37:54 UTC
I have marked these stable according to ALLARCHES policy and dropped the old versions. Security team, please proceed.
Comment 6 Patrice Clement gentoo-dev 2015-08-14 18:29:11 UTC
ping @security. Please proceed and close this bug if there's no outstanding item left.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-04 12:38:58 UTC
GLSA Assigned: 322528253
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-04-02 20:33:58 UTC
This issue was resolved and addressed in
 GLSA 201604-02 at https://security.gentoo.org/glsa/201604-02
by GLSA coordinator Yury German (BlueKnight).