Bug 870082 (CVE-2014-0107) - VUL-0: CVE-2014-0107: xalan-j2: [oCERT-2014-002] Xalan-Java insufficient secure processing
Summary: VUL-0: CVE-2014-0107: xalan-j2: [oCERT-2014-002] Xalan-Java insufficient secure processing
Status: RESOLVED FIXED
Alias: CVE-2014-0107
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Deadline: 2014-06-30
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97292/
Whiteboard: maint:released:sle11-sp3:58000 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-25 08:19 UTC by Marcus Meissner
Modified: 2014-07-30 18:46 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2014-03-25 08:19:34 UTC
via oss-sec, ocert

#2014-002 Xalan-Java insufficient secure processing

Description:

The Xalan-Java library is a popular XSLT processor from the Apache Software
Foundation.

The library implements the Java API for XML Processing (JAXP) which supports a
secure processing feature for the interpretive and XSLTC processors. The intent of
this feature is to limit XSLT/XML processing behaviours to "make the XSLT
processor behave in a secure fashion".

It has been discovered that the secure processing feature suffers from several
limitations that undermine its purpose. Enabling the secure processing
feature in fact still allows the following processing to take place:

  * Java properties, bound to XSLT 1.0 system-property(), are accessible.
  * output properties that allow loading arbitrary classes or resources
    are still allowed (XALANJ-2435).
  * arbitrary code can be executed if the Bean Scripting Framework (BSF)
    is in the classpath, as it allows spawning available JARs with secure
    processing disabled, effectively bypassing the intended protection.

Affected version:

Xalan-Java >= 2.7.0

Fixed version:

Xalan-Java >= r1581058 (see references)

Credit: vulnerability report received from Nicolas Gregoire
        <nicolas.gregoire AT agarri.fr>.

CVE: CVE-2014-0107

Timeline:
2014-02-05: vulnerability report received
2014-02-05: reporter provides disclosure date set to 2014-03-21
2014-02-06: contacted Apache Security Team
2014-03-17: maintainer provides patch for review
2014-03-17: reporter confirms patch
2014-03-21: assigned CVE
2014-03-24: maintainer commits patch
2014-03-24: advisory release

References:
http://xml.apache.org/xalan-j
https://issues.apache.org/jira/browse/XALANJ-2435
http://svn.apache.org/viewvc?view=revision&revision=1581058

Permalink:
http://www.ocert.org/advisories/ocert-2014-002.html



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1080248
http://comments.gmane.org/gmane.comp.security.oss.general/12434
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0107
http://www.ocert.org/advisories/ocert-2014-002.html
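The following probe is an added example, not part of the oCERT advisory, of the Xalan project, or of the SUSE update. It exercises the first bypass the advisory lists: it turns on JAXP FEATURE_SECURE_PROCESSING on a Xalan TransformerFactory and then runs a constructed XSLT 1.0 stylesheet that calls system-property() on a Java property. If the JVM's real value of java.home comes back, the library on the classpath still exposes Java system properties under secure processing. It assumes xalan.jar (and its serializer.jar) are on the classpath; the two factory class names are Xalan's interpretive processor and XSLTC, and the class name XalanSecureProcessingProbe is chosen here.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not from the advisory or from Xalan): enables secure
 * processing on a Xalan TransformerFactory, then asks system-property()
 * for a Java property. A build that hands back the JVM's value is still
 * subject to the first bypass listed in oCERT-2014-002.
 */
public class XalanSecureProcessingProbe {

    // Constructed stylesheet: only plain XSLT 1.0, no Xalan extensions.
    static final String PROBE_XSL =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + " <xsl:output method=\"text\"/>"
      + " <xsl:template match=\"/\">"
      + "  <xsl:value-of select=\"system-property('java.home')\"/>"
      + " </xsl:template>"
      + "</xsl:stylesheet>";

    /** Runs the probe with secure processing enabled; returns the transform output. */
    static String runProbe(TransformerFactory tf) throws TransformerException {
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(PROBE_XSL)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
        return out.toString().trim();
    }

    /** True when the stylesheet received the JVM's real java.home value. */
    static boolean leaksJavaProperty(String output) {
        String real = System.getProperty("java.home");
        return real != null && !real.isEmpty() && output.equals(real);
    }

    public static void main(String[] args) throws Exception {
        // Assumed on the classpath: xalan.jar and serializer.jar. Both Xalan
        // processors are probed because the advisory covers both of them.
        String[] impls = {
            "org.apache.xalan.processor.TransformerFactoryImpl",   // interpretive
            "org.apache.xalan.xsltc.trax.TransformerFactoryImpl",  // XSLTC
        };
        for (String impl : impls) {
            TransformerFactory tf = TransformerFactory.newInstance(impl, null);
            try {
                String out = runProbe(tf);
                if (leaksJavaProperty(out)) {
                    System.out.println(impl + ": AFFECTED, system-property() returned " + out);
                } else {
                    System.out.println(impl + ": ok, system-property() returned '" + out + "'");
                }
            } catch (TransformerException e) {
                // A processor that rejects the stylesheet or the call ends up here;
                // read the message, since this can also be an unrelated compile error.
                System.out.println(impl + ": transform refused: " + e.getMessage());
            }
        }
    }
}
```

Run it once against the xalan-j2 package before the update and once after: the pre-r1581058 builds the advisory describes return the JVM's java.home even with secure processing on, which is exactly what the advisory means by "Java properties, bound to XSLT 1.0 system-property(), are accessible". A TransformerException is not by itself a pass; check that the message is about the property call and not about a missing serializer or a stylesheet compile problem. The other two bypasses (class-loading output properties, BSF) are not probed here because exercising them requires the extra classes and is beyond what this bug documents.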
Comment 1 Swamp Workflow Management 2014-03-25 23:00:12 UTC
bugbot adjusting priority
Comment 3 Thomas Biege 2014-06-22 10:30:44 UTC
Tom, can one of your guys look at this please. Thanks.
Comment 4 Bernhard Wiedemann 2014-06-23 08:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (870082) was mentioned in
https://build.opensuse.org/request/show/238326 Factory / xalan-j2
Comment 5 Tomáš Chvátal 2014-06-23 08:30:54 UTC
Submitted to:

openSUSE: 12.3 13.1 Factory
SLE: 12 11

SLE10: not affected from what I understand, let me know if it is needed too though.
Comment 6 SMASH SMASH 2014-06-23 08:55:16 UTC
Affected packages:

SLE-11-SP3: xalan-j2
Comment 7 Swamp Workflow Management 2014-06-23 08:58:13 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-06-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57996
Comment 9 Bernhard Wiedemann 2014-06-23 09:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (870082) was mentioned in
https://build.opensuse.org/request/show/238329 13.1+12.3 / xalan-j2
Comment 10 Swamp Workflow Management 2014-07-01 10:15:30 UTC
openSUSE-SU-2014:0861-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 870082
CVE References: CVE-2014-0107
Sources used:
openSUSE 13.1 (src):    xalan-j2-2.7.0-262.4.1
openSUSE 12.3 (src):    xalan-j2-2.7.0-259.4.1
Comment 11 Swamp Workflow Management 2014-07-04 15:50:32 UTC
Update released for: xalan-j2, xalan-j2-demo, xalan-j2-javadoc, xalan-j2-manual, xalan-j2-xsltc
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 12 Swamp Workflow Management 2014-07-04 18:04:23 UTC
Update released for: xalan-j2, xalan-j2-demo, xalan-j2-javadoc, xalan-j2-manual, xalan-j2-xsltc
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 13 Swamp Workflow Management 2014-07-04 19:04:25 UTC
SUSE-SU-2014:0870-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 870082
CVE References: CVE-2014-0107
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xalan-j2-2.7.0-217.26.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    xalan-j2-2.7.0-217.26.1
SUSE Linux Enterprise Server 11 SP3 (src):    xalan-j2-2.7.0-217.26.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xalan-j2-2.7.0-217.26.1
Comment 14 Victor Pereira 2014-07-15 09:25:22 UTC
fixed
Comment 15 Swamp Workflow Management 2014-07-30 18:46:56 UTC
openSUSE-SU-2014:0948-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 870082
CVE References: CVE-2014-0107
Sources used:
openSUSE 11.4 (src):    xalan-j2-2.7.0-253.1