lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <82207A16-6348-4DEE-877E-F7B87292576A@apache.org>
Date: Thu, 26 Feb 2015 22:16:33 -0800
From: Jeremy Boynes <jboynes@...che.org>
To: Tag Libraries Users List <taglibs-user@...cat.apache.org>,
  Tomcat Developers List <dev@...cat.apache.org>,
  Tomcat Users List <users@...cat.apache.org>, announce@...cat.apache.org,
  announce@...che.org, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags

CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Standard Taglibs 1.2.1
The unsupported 1.0.x and 1.1.x versions may also be affected.

Description:
When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.

Mitigation:
Users should upgrade to Apache Standard Taglibs 1.2.3 or later.

This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:
Java8: External entity access is automatically disabled if a SecurityManager is active.
Java7: JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to “all” if no SecurityManager is present and to “” (thereby disabling access) if a SecurityManager is detected.

Credit:
David Jorm of IIX

Download attachment "signature.asc" of type "application/pgp-signature" (497 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ