Description
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and potentially allow arbitrary code execution.
Statement
Users of EAP 6.x and 7.0 should upgrade to at least 6.4.9 and pass the following system property on startup to prevent XXE attacks in JSTL: `org.apache.taglibs.standard.xml.accessExternalEntity=false`. For more details please refer to this KCS solution: https://access.redhat.com/solutions/1584363
Mitigation
Users should upgrade to Apache Standard Taglibs 1.2.3 or later. This version uses JAXP's FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:

- Java 8: External entity access is automatically disabled if a SecurityManager is active.
- Java 7: JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
- Java 6 and earlier: A new system property `org.apache.taglibs.standard.xml.accessExternalEntity` may be used to specify the protocols that can be used to access external entities. This defaults to "all" if no SecurityManager is present and to "" (thereby disabling access) if a SecurityManager is detected.
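The JAXP hardening the mitigation describes, as an added example that is not code from the advisory or from the Taglibs project. It assumes the JDK's built-in Xerces/Xalan (Java 7u40 or later, where the `ACCESS_EXTERNAL_*` properties exist); the sample XML document and the `file:///` path in it are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class JaxpHardening {
    // Constructed sample: an untrusted document declaring an external entity,
    // the kind of input <x:parse> would receive. The path is a placeholder.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>\n"
      + "<d>&ext;</d>";

    // Parser settings for the <x:parse> path: secure processing plus the
    // JAXP 1.5 access limits ("" denies every protocol for DTDs and schemas).
    static DocumentBuilderFactory hardenedParserFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Settings for the <x:transform> path: secure processing disables Xalan
    // extension functions, and the access limits block remote stylesheets/DTDs.
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Returns true when the hardened parser refuses to resolve the external entity.
    static boolean externalEntityBlocked(String xml) throws Exception {
        try {
            hardenedParserFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
            return false; // entity was resolved: configuration is not effective
        } catch (SAXException e) {
            return true;  // "access is not allowed due to restriction set by accessExternalDTD"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("external entity blocked: " + externalEntityBlocked(XXE_DOC));
    }
}
```

Running this against the runtime actually deployed is the check that matters: on an older parser that ignores the `ACCESS_EXTERNAL_*` attributes, `setAttribute` throws `IllegalArgumentException`, which is itself the signal that the Java 6 path (the `org.apache.taglibs.standard.xml.accessExternalEntity` property or a SecurityManager) is needed instead.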
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | jakarta-taglibs-standard | Affected | | |
Red Hat Enterprise Linux 7 | jetty | Affected | | |
Red Hat JBoss BRMS 5 | web | Will not fix | | |
Red Hat JBoss Enterprise Application Platform 5 | web | Affected | | |
Red Hat JBoss Enterprise Web Server 1 | eap7 | Affected | | |
Red Hat JBoss Enterprise Web Server 1 | tomcat6 | Not affected | | |
Red Hat JBoss Enterprise Web Server 3 | tomcat7 | Not affected | | |
Red Hat JBoss Operations Network 3 | jbossas | Will not fix | | |
Red Hat Satellite 5.4 | jakarta-taglibs-standard | Not affected | | |
Red Hat Satellite 5.5 | jakarta-taglibs-standard | Not affected | | |
Additional information
EPSS
7.6 High
CVSS3
6.8 Medium
CVSS2