CVE Database

CVE-2014-0107

Impact: Important
Public: 2014-03-24
CWE: CWE-358
Bugzilla: 1080248: CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature

Details

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.

Find out more about CVE-2014-0107 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 6.8
Base Metrics: AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform | Errata | Release Date
Fuse ESB Enterprise 7.1.0 | RHSA-2014:1369 | October 09, 2014
Fuse MQ Enterprise 7.1.0 | RHSA-2014:1369 | October 09, 2014
Fuse Management Console 7.1.0 | RHSA-2014:1369 | October 09, 2014
JBoss Enterprise BRMS Platform 5.3 | RHSA-2014:1007 | August 05, 2014
Red Hat Enterprise Linux version 5 (xalan-j2) | RHSA-2014:0348 | April 01, 2014
Red Hat Enterprise Linux version 6 (xalan-j2) | RHSA-2014:0348 | April 01, 2014
Red Hat JBoss A-MQ 6.1 | RHSA-2014:1351 | October 01, 2014
Red Hat JBoss BPMS 6.0 | RHSA-2014:0819 | June 30, 2014
Red Hat JBoss BPMS 6.0 | RHSA-2014:1291 | September 23, 2014
Red Hat JBoss BRMS 6.0 | RHSA-2014:0818 | June 30, 2014
Red Hat JBoss BRMS 6.0 | RHSA-2014:1290 | September 23, 2014
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (xalan-j2) | RHSA-2014:0591 | June 02, 2014
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (xalan-j2) | RHSA-2014:0591 | June 02, 2014
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (xalan-j2) | RHSA-2014:0591 | June 02, 2014
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2014:0590 | June 02, 2014
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (xalan-j2-eap6) | RHSA-2014:0453 | April 30, 2014
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (xalan-j2-eap6) | RHSA-2014:0453 | April 30, 2014
Red Hat JBoss Enterprise Application Platform 6.2 | RHSA-2014:0454 | April 30, 2014
Red Hat JBoss Fuse 6.1 | RHSA-2014:1351 | October 01, 2014
Red Hat JBoss Fuse Service Works 6.0 | RHSA-2014:1995 | December 15, 2014
Red Hat JBoss Portal 5.2 | RHSA-2014:1059 | August 14, 2014
Red Hat JBoss Portal 6.2 | RHSA-2015:1009 | May 14, 2015

External References

http://www.ocert.org/advisories/ocert-2014-002.html

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.