CVE-2015-0254 - Java Standard Tag Library (JSTL) allows processing of untrusted XML documents

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 7.x
  • Red Hat JBoss Enterprise Application Platform (EAP) 6.x
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Java 1.5 and later
  • jakarta-taglibs-standard library being used to process XML from untrusted sources.

Issue

  • CVE-2015-0254 - Java Standard Tag Library (JSTL) allows processing of external entity references in untrusted XML documents
  • When an application uses JSTL tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
  • Is my system vulnerable to CVE-2015-0254?

Resolution

EAP 6.x and EAP 7.0

Versions prior to 6.4.6 had no way of preventing the processing of external entity references by JSTL <xml:*> tags in untrusted XML documents; this capability was added in version 6.4.6. To disable such processing, pass this Java system property to JBoss EAP 6.4.6 and later versions, including EAP 7.0:

   -Dorg.apache.taglibs.standard.xml.accessExternalEntity

RHEL

  • To address this issue an updated package must be installed, depending on RHEL version, and additional steps must be followed, depending on the Java version. Follow all the steps below for the versions pertaining to the affected systems:

RHEL 5

  • As RHEL 5 is in Maintenance Phase 3 no security fix for this issue is available.

RHEL 6

  • Upgrade to jakarta-taglibs-standard-1.1.1-11.7.el6_7.

RHEL 7

  • Upgrade to jakarta-taglibs-standard-1.1.2-14.el7_1

Java

Java 1.5

  • Once patched, add -Dorg.apache.taglibs.standard.xml.accessExternalEntity= to the JAVA_OPTS of the middleware container in use; with this flag in place external access is disabled.

GCJ Java 1.5 (java-1.5.0-gcj)

  • If java-1.5.0-gcj is used to run Java applications then, in addition to following the above step to add the Java option, the following will need to be completed.

  • Even with this configuration, applications using jakarta-taglibs-standard are still vulnerable to other kinds of attacks; to make these applications more secure, a parser which supports FEATURE_SECURE_PROCESSING must be used (e.g. xerces-j2).

    • If this parser is chosen, then the following flags should be added to the JAVA_OPTS:

      -Dorg.apache.taglibs.standard.xml.accessExternalEntity=
      -Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
      -Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl

    • Additionally, Java must be made aware of the xerces-j2 XML parser, meaning that the application should be deployed with /usr/share/java/xerces-j2.jar, included with the xerces-j2 package.

Java 1.6

  • Once patched, add -Dorg.apache.taglibs.standard.xml.accessExternalEntity= to the JAVA_OPTS of the middleware container in use; with this flag in place external access is disabled.

Java 1.7

  • Once patched, add -Djavax.xml.accessExternalDTD= to the JAVA_OPTS of the middleware container in use; with this flag in place external access is disabled.

Java 1.8

  • No further steps are necessary, as access to external entities is disabled by default when FEATURE_SECURE_PROCESSING (enabled by this patch) is active. If access to external resources is required then -Djavax.xml.accessExternalDTD=all may be used to avoid application breakage.

Note: The Java options outlined above define which external resources may be made available; with no entries following the = character, external access is disabled. In addition, not all Java applications honor JAVA_OPTS; consult the documentation of your middleware container to determine how to set additional JVM system properties.

See this Oracle article for additional information on the possible values of -Djavax.xml.accessExternalDTD: New properties tutorial
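As an added illustration (not part of the Red Hat solution), the following Java program checks whether the JVM's default JAXP parser, the one the JSTL XML tags fall back on, still expands an external entity after the properties above are set, and compares it with a factory hardened explicitly. The class and method names are hypothetical; the canary file and the XML document are constructed by the program itself.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical checker: parse a constructed document whose DTD declares an
// external entity pointing at a temp file this program creates, and report
// whether the parser expanded it (true = external access still allowed).
public class ExternalEntityCheck {

    static boolean externalEntityResolved(DocumentBuilderFactory dbf, File canary) throws Exception {
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"" + canary.toURI() + "\">]>\n"
            + "<doc>&ext;</doc>";
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document d = db.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent().contains("CANARY");
        } catch (Exception e) {
            // A restricted parser refuses the external reference with a SAXParseException.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        File canary = File.createTempFile("jstl-check", ".txt");
        canary.deleteOnExit();
        try (FileWriter w = new FileWriter(canary)) { w.write("CANARY"); }

        // 1. The JVM's default factory: on Java 7+ this honours
        //    -Djavax.xml.accessExternalDTD= passed via JAVA_OPTS.
        DocumentBuilderFactory asConfigured = DocumentBuilderFactory.newInstance();
        System.out.println("default factory expanded external entity: "
            + externalEntityResolved(asConfigured, canary));

        // 2. Explicitly hardened factory: secure processing on, no external DTD/entity access.
        DocumentBuilderFactory hardened = DocumentBuilderFactory.newInstance();
        hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        hardened.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        System.out.println("hardened factory expanded external entity: "
            + externalEntityResolved(hardened, canary));
    }
}
```

Run it with the same JAVA_OPTS as the container: the first line should print false once -Djavax.xml.accessExternalDTD= is in effect. On Java 1.5/1.6 the taglibs property is applied inside JSTL itself rather than JVM-wide, so the first check does not cover it there.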

Root Cause

  • A known security issue exists where the Java Standard Tag Library (JSTL) allowed the processing of external entity references in untrusted XML documents, which could access resources on the host system and potentially allow arbitrary code execution.
  • This issue is documented under BZ 1198606.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.