Apache Xalan-Java Library CVE-2014-0107 Security Bypass Vulnerability
The Xalan-Java library is prone to a security-bypass vulnerability.

Attackers can leverage this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.

Xalan-Java 2.7.0 and later are vulnerable.

Information

Bugtraq ID: 66397
Class: Input Validation Error
CVE: CVE-2014-0107

Remote: Yes
Local: No
Published: Mar 24 2014 12:00AM
Updated: Oct 18 2017 05:03AM
Credit: Nicolas Gregoire
Vulnerable: Ubuntu Ubuntu Linux 13.10
Ubuntu Ubuntu Linux 12.04 LTS i386
Ubuntu Ubuntu Linux 12.04 LTS amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
SuSE SUSE Linux Enterprise Software Development Kit 11 SP3
+ Linux kernel 2.6.5
SuSE SUSE Linux Enterprise Server for VMware 11 SP3
SuSE SUSE Linux Enterprise Server 11 SP3
SuSE Suse Linux Enterprise Desktop 11 SP3
+ Linux kernel 2.6.5
Redhat JBoss Fuse Service Works 6.0.0
Redhat JBoss Enterprise Application Platform 5.2
Redhat JBoss Enterprise Application Platform 6.2 EL6
Redhat JBoss Enterprise Application Platform 6.2 EL5
Redhat JBoss Enterprise Application Platform 6 EL6
Redhat JBoss Enterprise Application Platform 6 EL5
Redhat JBoss Enterprise Application Platform 5 EL6
Redhat JBoss Enterprise Application Platform 5 EL5
Redhat JBoss Enterprise Application Platform 5 EL4
Redhat JBoss BRMS 6.0.2
Redhat JBoss BRMS 6.0.1
Redhat JBoss BRMS 5.3.1
Redhat JBoss BPMS 6.0.2
Redhat JBoss BPMS 6.0.1
Redhat Enterprise Linux Workstation Optional 6
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Server Optional 6
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux HPC Node Optional 6
Redhat Enterprise Linux Desktop Workstation 5 client
Redhat Enterprise Linux Desktop Optional 6
Redhat Enterprise Linux Desktop 5 client
Redhat Enterprise Linux 5 Server
Oracle Weblogic Server 12.1.3
Oracle Weblogic Server 12.1.2 0
Oracle Weblogic Server 10.3.6 0
Oracle WebCenter Sites 11.1.1 8.0
Oracle WebCenter Sites 7.6.2
Oracle Enterprise Linux 6.2
Oracle Enterprise Linux 6
Oracle Communications WebRTC Session Controller 7.2
Oracle Communications WebRTC Session Controller 7.1
Oracle Communications WebRTC Session Controller 7.0
Juniper Security Threat Response Manager 2013.2
Juniper Secure Analytics 2013.2
IBM Tivoli Netcool Configuration Manager 6.4.1
IBM Tivoli Netcool Configuration Manager 6.3
IBM Tivoli Netcool Configuration Manager 6.4
IBM Tivoli Netcool Configuration Manager 6.2
IBM Sterling Secure Proxy 3.4.1 .7
IBM Sterling Secure Proxy 3.3.1 Patch 23 iFix04
IBM Sterling Secure Proxy 3.4.1.8 iFix03
IBM Sterling Secure Proxy 3.4.1.8
IBM Sterling Secure Proxy 3.4.1.6
IBM Sterling Secure Proxy 3.4.1.5
IBM Sterling Secure Proxy 3.4.1.2
IBM Sterling Secure Proxy 3.4.1
IBM Sterling Secure Proxy 3.4.0.6 iFix04
IBM Sterling Secure Proxy 3.4.0.6
IBM Sterling Secure Proxy 3.3.01
IBM Sterling File Gateway 2.1
IBM Sterling External Authentication Server 2.4.1 8
IBM Sterling External Authentication Server 2.4.1 7
IBM Sterling External Authentication Server 2.4.1
IBM Sterling External Authentication Server 2.4 4
IBM Sterling External Authentication Server 2.3.1 Patch 11 iFix 03
IBM Sterling External Authentication Server 2.3.1
IBM Sterling External Authentication Server 2.4.1.8 iFix 02
IBM Sterling External Authentication Server 2.4.1.1
IBM Sterling External Authentication Server 2.4.0.4 iFix 04
IBM Sterling External Authentication Server 2.4.0
IBM Sterling Control Center 5.2.11
IBM Sterling Control Center 5.2
IBM Sterling B2B Integrator 5.1
IBM QRadar Security Information and Event Manager 7.2 MR2
IBM QRadar Security Information and Event Manager 7.1MR2
IBM Filenet P8 Application Engine 4.0.2
IBM FileNet Content Manager Workplace XT 1.1.5
IBM FileNet Content Manager Workplace XT 1.1.4
IBM FileNet Content Manager Workplace XT 1.1.3
IBM FileNet Content Manager Workplace XT 1.1.2
IBM FileNet Content Manager Workplace XT 1.1.1
IBM FileNet Content Manager Content Engine 5.2.0
IBM FileNet Business Process Manager 5.1
IBM FileNet Business Process Manager 5.0
IBM FileNet Business Process Framework 4.1
IBM Distributed Marketing 8.6
IBM Distributed Marketing 8.5
IBM Distributed Marketing 8.2
IBM Distributed Marketing 8.0
IBM Distributed Marketing 7.5
IBM Content Navigator 2.0.2
IBM Content Navigator 2.0.1
IBM Content Navigator 2.0
IBM Cognos Metrics Manager 10.2.1
IBM Cognos Metrics Manager 10.2
IBM Cognos Metrics Manager 10.1.1
IBM Cognos Metrics Manager 10.1
IBM Cognos Incentive Compensation Management 8.0.4
IBM Cognos Incentive Compensation Management 8.0.3
IBM Cognos Incentive Compensation Management 8.0.2
IBM Cognos Incentive Compensation Management 8.0.1
IBM Cognos Incentive Compensation Management 7.3
IBM Cognos Incentive Compensation Management 7.2.1
IBM Cognos Incentive Compensation Management 8.0
IBM Cognos Express 9.5
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Business Intelligence Server 10.2.1 1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1
IBM Case Foundation 5.2
IBM Business Process Manager 8.5.5.0
IBM Algo One CWM 5.0
IBM Algo One CWM 4.9
HP SiteScope Monitors 11.32IP1
HP SiteScope Monitors 11.20
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
CentOS CentOS 5
Avaya one-X Client Enablement Services 6.1 SP2
Avaya one-X Client Enablement Services 6.1
Avaya Aura System Manager 6.2.3
Avaya Aura System Manager 6.2
Avaya Aura System Manager 6.1.5
Avaya Aura System Manager 6.1.3
Avaya Aura System Manager 6.1.2
Avaya Aura System Manager 6.1.1
Avaya Aura System Manager 6.1
Apache Xalan-java 2.7.1
Apache Xalan-java 2.7
Apache Xalan-java 2.5.1
Apache Xalan-java 2.6.0
Apache Xalan-java 2.5.2
Apache Xalan-java 2.5.0
Apache Xalan-java 2.4.1
Apache Xalan-java 2.4.0
Apache Xalan-java 2.2.0
Apache Xalan-java 2.1.0
Apache Xalan-java 2.0.1
Apache Xalan-java 2.0.0
Apache Xalan-java 1.0.0
Not Vulnerable: Redhat JBoss BRMS 6.0.3
Redhat JBoss BPMS 6.0.3
Juniper Security Threat Response Manager 2013.2R8
Juniper Secure Analytics 2014.2R3
Juniper Secure Analytics 2014.2R2
Juniper Secure Analytics 2013.2R8
IBM Sterling Control Center 5.2.12
IBM Cognos Incentive Compensation Management 8.0.4 82256
IBM Cognos Incentive Compensation Management 8.0.3 82254
IBM Cognos Incentive Compensation Management 8.0.2 82251
IBM Cognos Incentive Compensation Management 8.0.1 82249
IBM Cognos Incentive Compensation Management 8.0 82227
IBM Cognos Incentive Compensation Management 7.3 82226
IBM Cognos Incentive Compensation Management 7.2.1 82225

Exploit

An attacker can exploit this issue using readily available tools.