Red Hat JBoss Xalan-Java Extensible Stylesheet Language Transformations Content Remote Code Execution Vulnerability

A vulnerability in Red Hat JBoss Enterprise Application Platform could allow an unauthenticated, remote attacker to execute arbitrary code.

The vulnerability is due to insufficient security restrictions imposed by the secure processing feature of Xalan-Java. An attacker could exploit the vulnerability by providing crafted Extensible Stylesheet Language Transformations (XSLT) content to an affected application that uses the affected feature. If successful, the attacker could execute arbitrary code with application-level privileges.

Red Hat has confirmed the vulnerability and released software updates.

Indicators of Compromise
  • The following Red Hat products are vulnerable:

    • JBoss Enterprise Application Platform 5.2.0
    • JBoss Enterprise Application Platform 5 EL4
    • JBoss Enterprise Application Platform 5 EL5
    • JBoss Enterprise Application Platform 5 EL6
    • Red Hat JBoss BRMS 6.0.1
    • Red Hat JBoss BPM Suite 6.0.1
    • Red Hat JBoss Enterprise Portal Platform 5.2.2
    • Red Hat JBoss BRMS 6.0.2
    • Red Hat JBoss BPM Suite 6.0.3
    • Red Hat JBoss Fuse 6.1.0
    • Red Hat JBoss A-MQ 6.1.0
    • Red Hat JBoss Fuse Service Works 6.0.0
Technical Information
  • The vulnerability exists because the secure processing feature of Xalan-Java imposes insufficient security restrictions while handling user-supplied XSL content. The feature is meant to restrict access to Java properties and output properties. Because of this flaw, the feature still allows arbitrary classes or resources to be loaded, and they remain accessible to unauthorized classes. In addition, when the Bean Scripting Framework (BSF) is present on the class path reachable through the feature, available JAR files could be launched with secure processing disabled. Together these could allow the intended class protections to be bypassed and arbitrary code to be executed within the framework.

    An attacker could exploit the vulnerability by providing malicious XSL content crafted with the xalan:content-header, xalan:entities, xslt:content-header, or xslt:entities property, or with a Java property bound to the XSLT 1.0 system-property function, to be processed by an application that uses the affected feature. If successful, the attacker could execute arbitrary code with application-level privileges.
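    The mitigation side of the flaw described above, as an added example that is not part of this advisory or of the Red Hat or Xalan-Java code bases: a wrapper that enables JAXP secure processing, blocks external fetches, and screens untrusted stylesheets for the system-property lookups named here and for the Xalan extension namespaces that expose Java classes and BSF scripting. The class and method names, the denylist regex, and the sample order document are this example's own constructions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedXslt {
    // Denylist chosen for this example: system-property() lookups of xalan:/xslt:
    // properties (the ones named in the advisory) and the Xalan extension namespaces
    // that expose Java classes and BSF scripting to a stylesheet.
    private static final Pattern DENIED = Pattern.compile(
        "system-property\\s*\\(\\s*['\"](xalan|xslt):"
        + "|http://xml\\.apache\\.org/(xalan|xslt)(/java)?['\"]");
    // Refuse every xsl:import, xsl:include and document() fetch.
    private static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("external resource refused: " + href);
    };

    public static String transformUntrusted(String xml, String xslt) throws TransformerException {
        if (DENIED.matcher(xslt).find()) {
            throw new TransformerConfigurationException(
                "stylesheet rejected: system-property lookup or Xalan extension namespace");
        }
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // JAXP 1.5 attributes; a factory that predates them throws
            // IllegalArgumentException, and DENY_ALL still covers that case.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupported) { }
        tf.setURIResolver(DENY_ALL);
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        t.setURIResolver(DENY_ALL); // also covers document() at transform time
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<order><id>42</id></order>"; // constructed sample data
        String ok = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\">id=<xsl:value-of select=\"order/id\"/></xsl:template></xsl:stylesheet>";
        System.out.println(transformUntrusted(xml, ok));
        String bad = ok.replace("xmlns:xsl=", "xmlns:java=\"http://xml.apache.org/xalan/java\" xmlns:xsl=");
        try { transformUntrusted(xml, bad); } catch (TransformerException e) { System.out.println(e.getMessage()); }
    }
}
```

    The screen is defence in depth for code that must accept stylesheets from untrusted sources; applying the vendor updates remains the fix for the flaw itself.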

Analysis
  • To exploit the vulnerability the attacker may need access to trusted or internal networks to be able to provide crafted XSL content. This access requirement could limit the likelihood of a successful exploit.

Safeguards
  • Administrators are advised to apply the appropriate updates.

    Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.

    Administrators are advised to monitor the affected systems.

Vendor Announcements
Fixed Software

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
