The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability bulletin CVE-2014-0107

Xalan-Java: vulnerabilities of FEATURE_SECURE_PROCESSING

Synthesis of the vulnerability

An attacker can use several vulnerabilities of the FEATURE_SECURE_PROCESSING implementation in Xalan-Java.
Vulnerable systems: Xalan-Java, Debian, Fedora, SiteScope, Mule ESB, openSUSE, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this threat: 2/4.
Consequences of an attack: user access/rights, data reading.
Attacker's origin: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 25/03/2014.
References of this weakness: c05324755, CERTFR-2014-AVI-252, CERTFR-2014-AVI-365, CVE-2014-0107, DSA-2886-1, FEDORA-2014-4426, FEDORA-2014-4443, HPSBGN03669, oCERT-2014-002, openSUSE-SU-2014:0861-1, openSUSE-SU-2014:0948-1, RHSA-2014:0348-01, RHSA-2014:0453-01, RHSA-2014:0454-01, RHSA-2014:0590-01, RHSA-2014:0591-01, RHSA-2014:0818-01, RHSA-2014:0819-01, RHSA-2014:1007-01, RHSA-2014:1059-01, RHSA-2014:1290-01, RHSA-2014:1291-01, RHSA-2014:1351-01, RHSA-2014:1369-01, RHSA-2014:1995-01, RHSA-2015:1009, SUSE-SU-2014:0870-1, USN-2218-1, VIGILANCE-VUL-14468, XALANJ-2435.

Description of the vulnerability

The FEATURE_SECURE_PROCESSING constant (whose value is the string http://javax.xml.XMLConstants/feature/secure-processing) instructs Xalan-Java to process XML documents and XSLT stylesheets in a secure way, for example in order to block denial of service attacks. However, its implementation is affected by three vulnerabilities.

An attacker can access the XSLT 1.0 system-property() function, in order to obtain sensitive information. [severity:2/4]

The xalan:content-handler and xalan:entities properties can be used to load a class or an external resource. [severity:2/4; XALANJ-2435]

If BSF (Bean Scripting Framework) is on the classpath, an attacker can open a JAR, in order to execute code. [severity:2/4]
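The following is an added example, not code from the bulletin or from the Xalan project: it shows how an application would enable FEATURE_SECURE_PROCESSING on a JAXP TransformerFactory and stack the other restrictions that exist alongside it (the JAXP 1.5 external-access attributes and a refusing URIResolver), so that the feature this bulletin describes is not the only line of defense. It assumes Java 8 or later and a JAXP 1.5 capable factory; the bypasses listed above are fixed only by applying the updates in the references, not by this configuration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public final class HardenedTransform {

    /** Factory with secure processing on, external DTD/stylesheet access off, URI resolution refused. */
    static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // The feature this bulletin describes: necessary, but on an unpatched Xalan-Java not sufficient.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 access restrictions; factories that predate them reject the attribute names,
        // which we treat as a configuration failure rather than silently running without them.
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            throw new TransformerConfigurationException("JAXP 1.5 access restrictions unsupported", e);
        }
        // Refuse every document()/xsl:import/xsl:include fetch instead of resolving it.
        tf.setURIResolver((href, base) -> {
            throw new TransformerException("external resource blocked: " + href);
        });
        return tf;
    }

    /** Applies a stylesheet the application itself ships (never one taken from the request). */
    static String transform(String stylesheet, String input) throws TransformerException {
        Transformer t = newHardenedFactory().newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(input)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample: a trusted identity stylesheet applied to a constructed input document.
        String xsl = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
                + "<xsl:output omit-xml-declaration='yes'/>"
                + "<xsl:template match='@*|node()'><xsl:copy><xsl:apply-templates select='@*|node()'/></xsl:copy></xsl:template>"
                + "</xsl:stylesheet>";
        System.out.println(transform(xsl, "<order id='42'><item>widget</item></order>"));
    }
}
```

The stylesheet source is the trust boundary here: a stylesheet supplied by a document author is exactly what the three issues above exploit, so this configuration only limits damage and the patched Xalan-Java remains the fix.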

Computer vulnerabilities tracking service

Vigil@nce provides computer vulnerability announcements. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.