CVE-2014-0107
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
Find out more about CVE-2014-0107 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6.2 | RHSA-2014:0454 | 2014-04-30 |
| Red Hat JBoss BRMS 6.0 | RHSA-2014:0818 | 2014-06-30 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2015:1888 | 2015-10-12 |
| Red Hat JBoss Portal 5.2 | RHSA-2014:1059 | 2014-08-14 |
| Red Hat JBoss BPMS 6.0 | RHSA-2014:0819 | 2014-06-30 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (xalan-j2-eap6) | RHSA-2014:0453 | 2014-04-30 |
| JBoss Enterprise BRMS Platform 5.3 | RHSA-2014:1007 | 2014-08-05 |
| Red Hat Enterprise Linux 6 (xalan-j2) | RHSA-2014:0348 | 2014-04-01 |
| Red Hat JBoss Fuse Service Works 6.0 | RHSA-2014:1995 | 2014-12-15 |
| Red Hat JBoss Fuse 6.1 | RHSA-2014:1351 | 2014-10-01 |
| Fuse ESB Enterprise 7.1.0 | RHSA-2014:1369 | 2014-10-09 |
| Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2014:0590 | 2014-06-02 |
| Red Hat JBoss BPMS 6.0 | RHSA-2014:1291 | 2014-09-23 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (xalan-j2-eap6) | RHSA-2014:0453 | 2014-04-30 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (xalan-j2) | RHSA-2014:0591 | 2014-06-02 |
| Fuse Management Console 7.1.0 | RHSA-2014:1369 | 2014-10-09 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (xalan-j2) | RHSA-2014:0591 | 2014-06-02 |
| Red Hat JBoss BRMS 6.0 | RHSA-2014:1290 | 2014-09-23 |
| Fuse MQ Enterprise 7.1.0 | RHSA-2014:1369 | 2014-10-09 |
| Red Hat JBoss Portal 6.2 | RHSA-2015:1009 | 2015-05-14 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (xalan-j2) | RHSA-2014:0591 | 2014-06-02 |
| Red Hat Enterprise Linux 5 (xalan-j2) | RHSA-2014:0348 | 2014-04-01 |
| Red Hat JBoss A-MQ 6.1 | RHSA-2014:1351 | 2014-10-01 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 5.5 | xalan-j2 | Will not fix |
| Red Hat Satellite 5.4 | xalan-j2 | Will not fix |
| Red Hat JBoss Operations Network 3 | xalan-j2 | Not affected |
| Red Hat JBoss Enterprise SOA Platform 4.3 | xalan-j2 | Will not fix |
| Red Hat JBoss EWS 1 | xalan-j2 | Affected |
| Red Hat JBoss EAP 4 | xalan-j2 | Will not fix |
| Red Hat JBoss Data Virtualization 6 | xalan-j2 | Not affected |
| Red Hat JBoss Data Grid 6 | xalan-j2 | Not affected |
| Red Hat Enterprise Linux 7 | xalan-j2 | Not affected |
| RHEV Manager 3 | jasperreports-server-pro | Not affected |