[SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags

[Jeremy Boynes <jboynes () apache org>]

CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Standard Taglibs 1.2.1
The unsupported 1.0.x and 1.1.x versions may also be affected.

Description:
When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize 
external entity references to access resources on the host system or utilize XSLT extensions that may allow remote 
execution.

Mitigation:
Users should upgrade to Apache Standard Taglibs 1.2.3 or later.

This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in 
use, additional configuration may be required:
Java8: External entity access is automatically disabled if a SecurityManager is active.
Java7: JAXP properties may need to be used to disable external access. See 
http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify 
the protocols that can be used to access external entities. This defaults to “all” if no SecurityManager is present and 
to “” (thereby disabling access) if a SecurityManager is detected.

Credit:
David Jorm of IIX

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail