Bug 920813 - (CVE-2015-0254) VUL-0: CVE-2015-0254: jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
(CVE-2015-0254)
VUL-0: CVE-2015-0254: jakarta-taglibs-standard: XXE and RCE via XSL extension...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Pedro Monreal Gonzalez
Security Team bot
https://smash.suse.de/issue/114435/
CVSSv2:SUSE:CVE-2015-0254:6.8:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-03-05 09:48 UTC by Marcus Meissner
Modified: 2020-06-11 12:18 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2015-0254.patch (86.80 KB, patch)
2015-10-06 09:03 UTC, Tomáš Chvátal
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-03-05 09:48:53 UTC
found in rh tracker:

The following flaw was found in Apache Standard Taglibs:

When an application uses <x:parse> or <x:transform> tags to process untrusted
XML documents, a request may utilize external entity references to access resources on the
host system or utilize XSLT extensions that may allow remote execution.

Upstream announcement:

https://mail-archives.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
https://bugzilla.redhat.com/show_bug.cgi?id=1198606
Comment 1 Swamp Workflow Management 2015-03-05 09:50:34 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60928
Comment 4 Swamp Workflow Management 2015-03-05 23:00:28 UTC
bugbot adjusting priority
Comment 9 Tomáš Chvátal 2015-10-06 09:03:35 UTC
Created attachment 650280 [details]
CVE-2015-0254.patch

From debian. Slightly refreshed.

I sent it to Factory, 13.2 and 13.1 for now.
Comment 10 Bernhard Wiedemann 2015-10-06 10:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (920813) was mentioned in
https://build.opensuse.org/request/show/336663 Factory / jakarta-taglibs-standard
https://build.opensuse.org/request/show/336664 13.2 / jakarta-taglibs-standard
https://build.opensuse.org/request/show/336665 13.1 / jakarta-taglibs-standard
Comment 11 Johannes Segitz 2015-10-06 10:02:25 UTC
https://build.opensuse.org/request/show/336665
doesn't work for 13.1, please have a look at openSUSE:Maintenance:4073.
Comment 12 Tomáš Chvátal 2015-10-06 11:50:41 UTC
(In reply to Johannes Segitz from comment #11)
> https://build.opensuse.org/request/show/336665
> doesn't work for 13.1, please have a look at openSUSE:Maintenance:4073.

Needs newer xalan, see sr#336705.
Comment 13 Swamp Workflow Management 2015-10-15 08:10:55 UTC
openSUSE-SU-2015:1751-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
openSUSE 13.2 (src):    jakarta-taglibs-standard-1.1.1-255.3.1
openSUSE 13.1 (src):    jakarta-taglibs-standard-1.1.1-252.3.1, xalan-j2-2.7.2-262.7.1
Comment 17 Pedro Monreal Gonzalez 2017-06-02 09:28:39 UTC
Packages submitted:

Maintained in   Version Request
---------------------------------
SLE-12:Update   1.1.1   mr#133577
SLE-11:Update   1.1.1   sr#133578
Comment 19 Swamp Workflow Management 2017-06-14 22:09:11 UTC
SUSE-SU-2017:1568-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    jakarta-taglibs-standard-1.1.1-255.2
SUSE Linux Enterprise Server 12-SP2 (src):    jakarta-taglibs-standard-1.1.1-255.2
Comment 20 Silvio Moioli 2017-06-15 13:51:09 UTC
Tomas, Marcus,

this creates a regression in Manager and our spacewalk-java package does not build any more.

https://build.suse.de/package/live_build_log/Devel:Galaxy:Manager:3.1/spacewalk-java/SLE_12_SP2/x86_64

If you have any suggestion it is appreciated, as the patch is quite extensive and we are having a hard time figuring out how to fix this problem.

> might be possible in following months if Manager guys succeed with their plan to rule the world :)

Oh, we have no such plan, but we are able to build Maven-based packages since years already ;-)
Comment 21 Silvio Moioli 2017-06-19 06:10:57 UTC
For reference, the regression in comment 20 is tracked in bug 1044804
Comment 22 Swamp Workflow Management 2017-06-26 22:11:25 UTC
SUSE-SU-2017:1701-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    jakarta-taglibs-standard-1.1.1-234.31.1
Comment 23 Marcus Meissner 2017-06-27 05:54:24 UTC
released