Red Hat JBoss Xalan-Java Extensible Stylesheet Language Transformations Content Remote Code Execution Vulnerability
A vulnerability in Red Hat JBoss Enterprise Application Platform could allow an unauthenticated, remote attacker to execute arbitrary code.
The vulnerability is due to insufficient security restrictions imposed by the secure processing feature of Xalan-Java. An attacker could exploit the vulnerability by providing crafted Extensible Stylesheet Language Transformations (XSLT) content to an affected application that uses the affected feature. If successful, the attacker could execute arbitrary code with application-level privileges.
Red Hat has confirmed the vulnerability and released software updates.
-
The following Red Hat products are vulnerable:
- JBoss Enterprise Application Platform 5.2.0
- JBoss Enterprise Application Platform 5 EL4
- JBoss Enterprise Application Platform 5 EL5
- JBoss Enterprise Application Platform 5 EL6
- Red Hat JBoss BRMS 6.0.1
- Red Hat JBoss BPM Suite 6.0.1
- Red Hat JBoss Enterprise Portal Platform 5.2.2
- Red Hat JBoss BRMS 6.0.2
- Red Hat JBoss BPM Suite 6.0.3
- Red Hat JBoss Fuse 6.1.0
- Red Hat JBoss A-MQ 6.1.0
- Red Hat JBoss Fuse Service Works 6.0.0
-
The vulnerability exists because the secure processing feature of Xalan-Java imposes insufficient security restrictions while handling user-supplied XSL content. The feature should restrict access to Java properties and output properties. Because of this flaw, the feature allows arbitrary classes or resources to be loaded, and these remain accessible to unauthorized classes. In addition, when the Bean Scripting Framework (BSF) is present on the class path, it could allow the spawning of available JAR files with secure processing disabled. Together, these issues could allow the intended class protections to be bypassed and arbitrary code to be executed in the framework.
An attacker could exploit the vulnerability by supplying malicious XSL content, crafted with the xalan:content-header, xalan:entities, xslt:content-header, or xslt:entities property, or with a Java property that is bound to the XSLT 1.0 system-property function, for processing by an application that uses the affected feature. If successful, the attacker could execute arbitrary code with application-level privileges.
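A defensive check for the properties named above, as an added example that is not part of the original advisory or any vendor's code: it scans a stylesheet for the four output properties and for system-property() calls that request anything other than the three properties XSLT 1.0 itself defines. The namespace URIs, the function name scan_stylesheet and both sample stylesheets are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: namespace URIs conventionally bound to the xalan: and xslt: prefixes.
EXT_NAMESPACES = {"http://xml.apache.org/xalan", "http://xml.apache.org/xslt"}
RISKY_LOCAL_NAMES = {"content-header", "entities"}
# Properties XSLT 1.0 defines for system-property(); any other name is flagged.
# Simplification: the xsl: prefix is taken literally, not resolved to its URI.
STANDARD_PROPS = {"xsl:version", "xsl:vendor", "xsl:vendor-url"}
SYSPROP_CALL = re.compile(r"system-property\(\s*(['\"])(.*?)\1\s*\)")


def scan_stylesheet(xsl_text):
    """Return a sorted list of findings for one stylesheet given as a string."""
    findings = set()
    # ElementTree does not fetch external entities; use a hardened parser
    # (for example defusedxml) if entity expansion in the input is a concern.
    root = ET.fromstring(xsl_text)
    for elem in root.iter():
        for name, value in elem.attrib.items():
            # ElementTree reports namespaced attributes as "{uri}local".
            if name.startswith("{"):
                uri, local = name[1:].split("}", 1)
                if uri in EXT_NAMESPACES and local in RISKY_LOCAL_NAMES:
                    findings.add(f"output-property:{local}")
            for _quote, prop in SYSPROP_CALL.findall(value):
                if prop not in STANDARD_PROPS:
                    findings.add(f"system-property:{prop}")
    return sorted(findings)


# Constructed sample input with placeholder values, not taken from a real incident.
SAMPLE_FLAGGED = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xalan="http://xml.apache.org/xalan">
  <xsl:output method="xml" xalan:entities="PLACEHOLDER"/>
  <xsl:template match="/">
    <out><xsl:value-of select="system-property('example.property')"/></out>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed sample that uses only a standard XSLT 1.0 property.
SAMPLE_CLEAN = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml"/>
  <xsl:template match="/">
    <out><xsl:value-of select="system-property('xsl:vendor')"/></out>
  </xsl:template>
</xsl:stylesheet>"""
```

A finding means the stylesheet needs review before it reaches a transformer; it does not replace applying the updates.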
-
To exploit the vulnerability, the attacker may need access to trusted or internal networks to be able to provide crafted XSL content. This access requirement could limit the likelihood of a successful exploit.
-
Administrators are advised to apply the appropriate updates.
Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
Administrators are advised to monitor the affected systems.
-
Red Hat has released an official CVE statement and security advisories for bug 1080248 at the following links: CVE-2014-0107, RHSA-2014:0590, RHSA-2014:059, RHSA-2014:0818, RHSA-2014:0819, RHSA-2014-1007, RHSA-2014:1059, RHSA-2014:1290, RHSA-2014:1291, RHSA-2014-1351, RHSA-2014-1369, RHSA-2014-1995, RHSA-2015:1888, and RHSA-2014-0348
Apache has released a security advisory at the following link: CVE-2014-0107
HPE has released a security bulletin at the following link: HPSBGN03669
IBM has released security advisories at the following links: swg21681933, swg21680703, swg21677145, swg21676093, and swg21674334
Oracle has released security advisories, which include a list of affected products and product versions, at the following links: Oracle Critical Patch Update Advisory – January 2016 and Oracle Critical Patch Update Advisory – October 2017
Juniper has released a security bulletin at the following link: JSA10643
-
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later by using the yum tool.
Apache has released software updates at the following link: Apache XalanJ2 2.7.2
HPE has released software updates as described in the “Resolution” section of the vendor’s security bulletin. Customers may contact HPE Technical Support for any assistance in obtaining the software updates.
IBM has released updated software at the following links:
- IBM Sterling Control Center 5.2.12
- IBM Sterling B2B Integrator 5.1 update
- IBM Sterling File Gateway 2.1 update
- IBM QRadar SIEM 7.1MR2 Patch7
- IBM QRadar SIEM 7.2MR2 Patch3
- IBM Cognos Incentive Compensation Management Patches
- IBM FileNet Business Process Framework Update
Oracle has released patches at the following link: Oracle Downloads
Juniper customers are advised to obtain the software upgrades mentioned in the vendor advisory.

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.