CVE-2015-0254
Find out more about CVE-2015-0254 from the MITRE CVE dictionary and NIST NVD.
Statement
Users of EAP 6.x and 7.0 should upgrade to at least 6.4.9 and pass the following system property on startup to prevent XXE attacks in JSTL:
org.apache.taglibs.standard.xml.accessExternalEntity=false
For more details, see this KCS solution:
https://access.redhat.com/solutions/1584363
CVSS v2 metrics
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
CVSS v3 metrics
| CVSS3 Base Score | 7.6 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | High |
| Availability Impact | Low |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2016:0122 | 2016-02-04 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2016:0121 | 2016-02-04 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2016:1376 | 2016-06-30 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2016:0123 | 2016-02-04 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2016:0124 | 2016-02-04 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:0125 | 2016-02-04 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server | RHSA-2016:1838 | 2016-09-08 |
| Red Hat JBoss EAP 7 | RHSA-2016:1841 | 2016-09-08 |
| Red Hat Enterprise Linux 7 (jakarta-taglibs-standard) | RHSA-2015:1695 | 2015-08-31 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server | RHSA-2016:1839 | 2016-09-08 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2016:1840 | 2016-09-08 |
| Red Hat Enterprise Linux 6 (jakarta-taglibs-standard) | RHSA-2015:1695 | 2015-08-31 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2016:1840 | 2016-09-08 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-jetty | Affected |
| Red Hat Satellite 5.7 | jakarta-taglibs-standard | Not affected |
| Red Hat Satellite 5.6 | jakarta-taglibs-standard | Not affected |
| Red Hat Satellite 5.5 | jakarta-taglibs-standard | Not affected |
| Red Hat Satellite 5.4 | jakarta-taglibs-standard | Not affected |
| Red Hat JBoss Web Server 3.0 | tomcat7 | Not affected |
| Red Hat JBoss Operations Network 3 | jbossas | Will not fix |
| Red Hat JBoss EWS 1 | tomcat6 | Not affected |
| Red Hat JBoss EAP 5 | web | Affected |
| Red Hat JBoss BRMS 5 | web | Will not fix |
| Red Hat Enterprise Linux 7 | jetty | Affected |
| Red Hat Enterprise Linux 5 | jakarta-taglibs-standard | Affected |
Mitigation
Users should upgrade to Apache Standard Taglibs 1.2.3 or later.
This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:
Java8:
External entity access is automatically disabled if a SecurityManager is active.
Java7:
JAXP properties may need to be used to disable external access. See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier:
A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to "all" if no SecurityManager is present and to "" (thereby disabling access) if a SecurityManager is detected.
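The JAXP settings referred to above, shown as an added example that is not the taglib's own code: it parses one constructed XXE-style document twice, once with a default DocumentBuilderFactory and once with FEATURE_SECURE_PROCESSING plus the JAXP 1.5 external-access properties (XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA, available on Java 7u40 and later and on Java 8) set to the empty string, which is the "disable access" setting the Java 7 note describes. The sample document, the class name and the file path it points at are constructed for illustration. The taglib upgrade covers `<x:parse>` and `<x:transform>`; application code that parses XML itself needs the same settings.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/**
 * Illustrative check (not Apache Standard Taglibs code): parse the same XML
 * with a default JAXP factory and with external access closed off, and show
 * which one resolves the external entity.
 */
public class JaxpExternalAccessCheck {

    // Constructed sample input: the DOCTYPE declares an external entity that
    // points at a local file, the shape of payload an attacker would feed to
    // <x:parse>. The path is arbitrary; any readable file demonstrates the leak.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<doc>&ext;</doc>";

    /** Default JAXP configuration: external DTDs and entities may be fetched. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Hardened configuration. The ACCESS_EXTERNAL_* properties are set
     * explicitly to "" (no protocol allowed) rather than relying on the
     * runtime's defaults, which differ between Java versions and depend on
     * whether a SecurityManager is active. On runtimes older than JAXP 1.5
     * (Java 6, Java 7 before u40) setAttribute throws IllegalArgumentException.
     */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses xml with the given factory and returns the root element's text. */
    static String parseRootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // On an unrestricted runtime the file's contents end up in the DOM.
            System.out.println("default factory: root text = \""
                + parseRootText(defaultFactory(), XXE_DOC).trim() + "\"");
        } catch (Exception e) {
            // Also reachable if the referenced file does not exist on this host.
            System.out.println("default factory: parse failed: " + e.getMessage());
        }
        try {
            parseRootText(hardenedFactory(), XXE_DOC);
            System.out.println("hardened factory: UNEXPECTED, external entity was resolved");
        } catch (Exception e) {
            // Expected: the parser refuses the external fetch because of the
            // accessExternalDTD restriction, so no file content is read.
            System.out.println("hardened factory: rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it on the JVM that hosts the application; the first parse succeeding and the second being rejected is the behaviour the upgraded taglib should exhibit for `<x:parse>`. The same restriction can be applied JVM-wide with the `javax.xml.accessExternalDTD` and `javax.xml.accessExternalSchema` system properties documented on the Oracle page linked above, alongside the `org.apache.taglibs.standard.xml.accessExternalEntity` property from the Statement for the taglib itself.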
