CVE-2014-0107 — Improper Authorization in Apache Xalan-Java

Description

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

How to fix CVE-2014-0107

To remediate CVE-2014-0107, upgrade the affected package to a fixed version below.

—upgrade to 2.7.1-9 or later
—upgrade to 2.7.1-5+deb6u1 or later
—upgrade to 2.7.2 or later

Is CVE-2014-0107 being exploited?

Moderate — EPSS is 5.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 2.7.1-9
from 0, < 2.7.1-5+deb6u1
from 0, < 2.7.2

References (29)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0107
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-0107
PATCHgithub.com/apache/xalan-java
WEBrhn.redhat.com/errata/RHSA-2014-0348.html
WEB