Bug 920813 (CVE-2015-0254)

Summary: VUL-0: CVE-2015-0254: jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Pedro Monreal Gonzalez <pmonrealgonzalez>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: jsegitz, krahmer, mc, moio, security-team, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/114435/
Whiteboard: CVSSv2:SUSE:CVE-2015-0254:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) maint:running:60928:important
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: CVE-2015-0254.patch

Description Marcus Meissner 2015-03-05 09:48:53 UTC
found in rh tracker:

The following flaw was found in Apache Standard Taglibs:

When an application uses <x:parse> or <x:transform> tags to process untrusted
XML documents, a request may utilize external entity references to access resources on the
host system or utilize XSLT extensions that may allow remote execution.

Upstream announcement:

https://mail-archives.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
https://bugzilla.redhat.com/show_bug.cgi?id=1198606
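The two attack paths named in the description (external entity resolution during <x:parse>, and Java extension functions reachable from an attacker-supplied stylesheet during <x:transform>) correspond to two JAXP settings an application can enforce itself when it hands untrusted XML to these tags. The following is an added example, not code from this bug, from the attached patch, or from Apache Taglibs; it assumes the JDK's built-in JAXP implementation (Xerces parser and XSLTC transformer) on Java 8 or later, where the XMLConstants.ACCESS_EXTERNAL_* attributes exist. The XXE document, the file path it references and the stylesheet are constructed inputs written for this illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XmlTagHardening {

    // Constructed XXE payload: the shape of document an attacker would feed to <x:parse>.
    // With default parser settings the entity is resolved and the file content lands in the DOM.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n" +
        "<r>&ext;</r>";

    // Constructed stylesheet calling a Java class through the Xalan/XSLTC extension
    // namespace, the mechanism behind the RCE half of this CVE. It reads a harmless
    // system property here; the same syntax reaches java.lang.Runtime.exec.
    static final String EXT_XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n" +
        "  xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">\n" +
        "  <xsl:template match=\"/\">\n" +
        "    <out><xsl:value-of select=\"sys:getProperty('java.version')\"/></out>\n" +
        "  </xsl:template>\n" +
        "</xsl:stylesheet>";

    /** DOM parser configured so a DOCTYPE (and therefore any external entity) is refused. */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing the DOCTYPE outright is the strongest setting; the entity features
        // below are belt-and-braces for implementations that ignore the first one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** TransformerFactory with secure processing: extension functions are disabled and
     *  the transformer may not fetch external DTDs or stylesheets during the transform. */
    static String transformHardened(String xml, String xsl) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // With secure processing on, compiling a stylesheet that calls an extension
        // function fails here rather than executing the call later.
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            parseHardened(XXE_DOC);
            System.out.println("UNEXPECTED: XXE document was accepted");
        } catch (Exception e) {
            System.out.println("parse rejected: " + e.getMessage());
        }
        try {
            System.out.println(transformHardened("<r/>", EXT_XSL));
            System.out.println("UNEXPECTED: extension function was executed");
        } catch (Exception e) {
            System.out.println("transform rejected: " + e.getMessage());
        }
    }
}
```

Both calls are expected to end in the catch branch: the parser throws on the DOCTYPE declaration before any entity is resolved, and the transformer factory refuses the stylesheet at compile time because extension functions are not allowed under secure processing. The setAttribute calls for ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are JDK JAXP attributes; an older standalone Xalan on the classpath may reject them with IllegalArgumentException, which is consistent with comment 12 below noting that the taglib fix itself needed a newer xalan.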
Comment 1 Swamp Workflow Management 2015-03-05 09:50:34 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60928
Comment 4 Swamp Workflow Management 2015-03-05 23:00:28 UTC
bugbot adjusting priority
Comment 9 Tomáš Chvátal 2015-10-06 09:03:35 UTC
Created attachment 650280 [details]
CVE-2015-0254.patch

From Debian. Slightly refreshed.

I sent it to Factory, 13.2 and 13.1 for now.
Comment 10 Bernhard Wiedemann 2015-10-06 10:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (920813) was mentioned in
https://build.opensuse.org/request/show/336663 Factory / jakarta-taglibs-standard
https://build.opensuse.org/request/show/336664 13.2 / jakarta-taglibs-standard
https://build.opensuse.org/request/show/336665 13.1 / jakarta-taglibs-standard
Comment 11 Johannes Segitz 2015-10-06 10:02:25 UTC
https://build.opensuse.org/request/show/336665
doesn't work for 13.1, please have a look at openSUSE:Maintenance:4073.
Comment 12 Tomáš Chvátal 2015-10-06 11:50:41 UTC
(In reply to Johannes Segitz from comment #11)
> https://build.opensuse.org/request/show/336665
> doesn't work for 13.1, please have a look at openSUSE:Maintenance:4073.

Needs newer xalan, see sr#336705.
Comment 13 Swamp Workflow Management 2015-10-15 08:10:55 UTC
openSUSE-SU-2015:1751-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
openSUSE 13.2 (src):    jakarta-taglibs-standard-1.1.1-255.3.1
openSUSE 13.1 (src):    jakarta-taglibs-standard-1.1.1-252.3.1, xalan-j2-2.7.2-262.7.1
Comment 17 Pedro Monreal Gonzalez 2017-06-02 09:28:39 UTC
Packages submitted:

Maintained in   Version Request
---------------------------------
SLE-12:Update   1.1.1   mr#133577
SLE-11:Update   1.1.1   sr#133578
Comment 19 Swamp Workflow Management 2017-06-14 22:09:11 UTC
SUSE-SU-2017:1568-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    jakarta-taglibs-standard-1.1.1-255.2
SUSE Linux Enterprise Server 12-SP2 (src):    jakarta-taglibs-standard-1.1.1-255.2
Comment 20 Silvio Moioli 2017-06-15 13:51:09 UTC
Tomas, Marcus,

this creates a regression in Manager and our spacewalk-java package does not build any more.

https://build.suse.de/package/live_build_log/Devel:Galaxy:Manager:3.1/spacewalk-java/SLE_12_SP2/x86_64

If you have any suggestion it is appreciated, as the patch is quite extensive and we are having a hard time figuring out how to fix this problem.

> might be possible in following months if Manager guys succeed with their plan to rule the world :)

Oh, we have no such plan, but we have been able to build Maven-based packages for years already ;-)
Comment 21 Silvio Moioli 2017-06-19 06:10:57 UTC
For reference, the regression in comment 20 is tracked in bug 1044804
Comment 22 Swamp Workflow Management 2017-06-26 22:11:25 UTC
SUSE-SU-2017:1701-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    jakarta-taglibs-standard-1.1.1-234.31.1
Comment 23 Marcus Meissner 2017-06-27 05:54:24 UTC
released