Apache Standard Taglibs is prone to an XML External Entity injection vulnerability.
Attackers can exploit this issue to gain access to sensitive information or execute arbitrary code in the context of the affected application.
Versions prior to Apache Standard Taglibs 1.2.3 are vulnerable.
Information
Ubuntu Linux 14.04 LTS
Red Hat Enterprise Linux Workstation 7
Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux HPC Node 7
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Desktop 7
Red Hat Enterprise Linux Desktop 6
Oracle Enterprise Linux 7
openSUSE Linux Enterprise Server for Raspberry Pi 12-SP2
openSUSE Linux Enterprise Server 12-SP2
IBM WebSphere Application Server Liberty Profile 8.5.5
IBM Websphere Application Server 8.5.5
IBM Websphere Application Server 8.0 2
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 7.0 29
IBM Websphere Application Server 7.0 21
IBM Websphere Application Server 7.0 10
IBM Websphere Application Server 7.0 .9
IBM Websphere Application Server 7.0 .8
IBM Websphere Application Server 7.0 .2
IBM Websphere Application Server 7.0 .13
IBM Websphere Application Server 7.0 .12
IBM Websphere Application Server 7.0 .11
IBM Websphere Application Server 6.1 41
IBM Websphere Application Server 6.1 .9
IBM Websphere Application Server 6.1 .8
IBM Websphere Application Server 6.1 .7
IBM Websphere Application Server 6.1 .6
IBM Websphere Application Server 6.1 .5
IBM Websphere Application Server 6.1 .4
IBM Websphere Application Server 6.1 .33
IBM Websphere Application Server 6.1 .32
IBM Websphere Application Server 6.1 .3
IBM Websphere Application Server 6.1 .25
IBM Websphere Application Server 6.1 .23
IBM Websphere Application Server 6.1 .22
IBM Websphere Application Server 6.1 .21
IBM Websphere Application Server 6.1 .20
IBM Websphere Application Server 6.1 .2
IBM Websphere Application Server 6.1 .19
IBM Websphere Application Server 6.1 .18
IBM Websphere Application Server 6.1 .17
IBM Websphere Application Server 6.1 .15
IBM Websphere Application Server 6.1 .14
IBM Websphere Application Server 6.1 .13
IBM Websphere Application Server 6.1 .12
IBM Websphere Application Server 6.1 .11
IBM Websphere Application Server 6.1 .10
IBM Websphere Application Server 6.1 .1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 8.5.5.9 - Liberty Pr
IBM Websphere Application Server 8.5.5.9
IBM Websphere Application Server 8.5.5.8 - Liberty Pr
IBM Websphere Application Server 8.5.5.8
IBM Websphere Application Server 8.5.5.7 - Liberty Pr
IBM Websphere Application Server 8.5.5.7
IBM Websphere Application Server 8.5.5.6 - Liberty Pr
IBM Websphere Application Server 8.5.5.6
IBM Websphere Application Server 8.5.5.5 - Liberty Pr
IBM Websphere Application Server 8.5.5.5
IBM Websphere Application Server 8.5.5.4 - Liberty Pr
IBM Websphere Application Server 8.5.5.4
IBM Websphere Application Server 8.5.5.3 - Liberty
IBM Websphere Application Server 8.5.5.3
IBM Websphere Application Server 8.5.5.2 - Liberty Pr
IBM Websphere Application Server 8.5.5.2
IBM Websphere Application Server 8.5.5.1 - Liberty Pr
IBM Websphere Application Server 8.5.5.1
IBM Websphere Application Server 8.5.5.0 - Liberty Pr
IBM Websphere Application Server 8.5.0.2 - Liberty Pr
IBM Websphere Application Server 8.5.0.2
IBM Websphere Application Server 8.5.0.1 - Liberty Pr
IBM Websphere Application Server 8.5.0.1
IBM Websphere Application Server 8.5.0.0 - Liberty Pr
IBM Websphere Application Server 8.5.0.0
IBM Websphere Application Server 8.0.0.9
IBM Websphere Application Server 8.0.0.8
IBM Websphere Application Server 8.0.0.7
IBM Websphere Application Server 8.0.0.6
IBM Websphere Application Server 8.0.0.5
IBM Websphere Application Server 8.0.0.4
IBM Websphere Application Server 8.0.0.3
IBM Websphere Application Server 8.0.0.12
IBM Websphere Application Server 8.0.0.11
IBM Websphere Application Server 8.0.0.10
IBM Websphere Application Server 8.0.0.1
IBM Websphere Application Server 8.0.0.0
IBM Websphere Application Server 7.0.0.7
IBM Websphere Application Server 7.0.0.6
IBM Websphere Application Server 7.0.0.5
IBM Websphere Application Server 7.0.0.41
IBM Websphere Application Server 7.0.0.4
IBM Websphere Application Server 7.0.0.39
IBM Websphere Application Server 7.0.0.37
IBM Websphere Application Server 7.0.0.35
IBM Websphere Application Server 7.0.0.34
IBM Websphere Application Server 7.0.0.33
IBM Websphere Application Server 7.0.0.32
IBM Websphere Application Server 7.0.0.31
IBM Websphere Application Server 7.0.0.27
IBM Websphere Application Server 7.0.0.25
IBM Websphere Application Server 7.0.0.24
IBM Websphere Application Server 7.0.0.23
IBM Websphere Application Server 7.0.0.22
IBM Websphere Application Server 7.0.0.19
IBM Websphere Application Server 7.0.0.18
IBM Websphere Application Server 7.0.0.17
IBM Websphere Application Server 7.0.0.16
IBM Websphere Application Server 7.0.0.15
IBM Websphere Application Server 7.0.0.14
IBM Websphere Application Server 7.0.0.1
IBM Websphere Application Server 7.0.0.0
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.1.0.47
IBM Websphere Application Server 6.1.0.45
IBM Websphere Application Server 6.1.0.43
IBM Websphere Application Server 6.1.0.39
IBM Websphere Application Server 6.1.0.37
IBM Websphere Application Server 6.1.0.35
IBM Websphere Application Server 6.1.0.34
IBM Websphere Application Server 6.1.0.31
IBM Websphere Application Server 6.1.0.29
IBM Websphere Application Server 6.1.0.27
IBM Tivoli Storage Productivity Center 5.2.10
IBM Tivoli Storage Productivity Center 5.2.6
IBM Tivoli Storage Productivity Center 5.2.5
IBM Tivoli Storage Productivity Center 5.2.2
IBM Tivoli Storage Productivity Center 5.2.1 0
IBM Tivoli Storage Productivity Center 5.2
IBM Tivoli Storage Productivity Center 5.1.1 3
IBM Tivoli Storage Productivity Center 5.1.1
IBM Tivoli Storage Productivity Center 5.1
IBM Tivoli Storage Productivity Center 5.2.7.1
IBM Tivoli Storage Productivity Center 5.2.7
IBM Tivoli Storage Productivity Center 5.2.5.1
IBM Tivoli Storage Productivity Center 5.2.4.1
IBM Tivoli Storage Productivity Center 5.2.4
IBM Tivoli Storage Productivity Center 5.2.3
IBM Tivoli Storage Productivity Center 5.2.1.1
IBM Tivoli Storage Productivity Center 5.1.1.9
IBM Tivoli Storage Productivity Center 5.1.1.8
IBM Tivoli Storage Productivity Center 5.1.1.7
IBM Tivoli Storage Productivity Center 5.1.1.6
IBM Tivoli Storage Productivity Center 5.1.1.5
IBM Tivoli Storage Productivity Center 5.1.1.4
IBM Tivoli Storage Productivity Center 5.1.1.2
IBM Tivoli Storage Productivity Center 5.1.1.10
IBM Tivoli Storage Productivity Center 5.1.1.1
IBM Tivoli Storage Productivity Center 5.1.1.0
IBM Tivoli Monitoring 6.2.2
IBM Tivoli Enterprise Portal Server
IBM Spectrum Control 5.2.11
IBM Spectrum Control 5.2.10
IBM Spectrum Control 5.2.9
IBM Spectrum Control 5.2.8
IBM Spectrum Control 5.2.10.1
IBM Liberty for Java for Bluemix 2.9
IBM Liberty for Java for Bluemix 2.7
IBM Liberty for Java for Bluemix 2.6
IBM Liberty for Java for Bluemix 2.3
IBM InfoSphere Information Server 9.1
IBM InfoSphere Information Server 8.7
IBM InfoSphere Information Server 11.5
IBM InfoSphere Information Server 11.3
IBM Global Retention Policy and Schedule Management 6.0.2
IBM Global Retention Policy and Schedule Management 6.0.1 .6
IBM Global Retention Policy and Schedule Management 6.0.3.3
IBM Global Retention Policy and Schedule Management 6.0.3
IBM Global Retention Policy and Schedule Management 6.0.1.5
IBM Global Retention Policy and Schedule Management 6.0.1.4
IBM FastBack for Workstations Central Administration Console 7.1
IBM FastBack for Workstations Central Administration Console 6.3
IBM Disposal and Governance Management for IT 6.0.2
IBM Disposal and Governance Management for IT 6.0.1 .6
IBM Disposal and Governance Management for IT 6.0.3.3
IBM Disposal and Governance Management for IT 6.0.3
IBM Disposal and Governance Management for IT 6.0.1.5
IBM Disposal and Governance Management for IT 6.0.1.4
IBM Content Integrator 8.6
IBM Bluemix Liberty for Java 2.3
IBM Bluemix Liberty for Java 2.2
IBM Bluemix Liberty for Java 2.1
IBM Bluemix Liberty for Java 2.0
IBM Bluemix Liberty for Java 1.9
IBM Bluemix Liberty for Java 1.8
IBM Bluemix Liberty for Java 1.7
IBM Bluemix Liberty for Java 1.6
IBM Bluemix Liberty for Java 1.5
IBM Bluemix Liberty for Java 1.3
IBM Atlas eDiscovery Process Management 6.0.2
IBM Atlas eDiscovery Process Management 6.0.1 .6
IBM Atlas eDiscovery Process Management 6.0.3.3
IBM Atlas eDiscovery Process Management 6.0.3
IBM Atlas eDiscovery Process Management 6.0.1.5
IBM Atlas eDiscovery Process Management 6.0.1.4
CentOS 6
Apache Standard Taglibs 1.2.1
IBM Websphere Application Server 8.0.0.13
IBM Websphere Application Server 7.0.0.43
Apache Standard Taglibs 1.2.3
Exploit
An attacker can exploit this issue using a web browser.
References:
- Apache Standard Taglib Home Page (Apache)
- [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags (Seclists.org)
- Important: jakarta-taglibs-standard security update (Red Hat)
- Security Bulletin: OpenSource Apache Taglibs Vulnerability affects Atlas Policy (IBM)
- swg21978495: Vulnerability in Apache Standard Taglibs affects IBM WebSphere Appl (IBM)
- swg21984732: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-20 (IBM)
- swg21984977: Security Bulletin: Multiple security vulnerabilities affect IBM We (IBM)
- swg21985531: Vulnerability in Apache Standard Taglibs affects Liberty for Java fo (IBM)
- swg21986309: OpenSource Apache Taglibs Vulnerability in FastBack for Workstations (IBM)
- swg21986898: Vulnerability in Apache Taglibs affects IBM InfoSphere Information S (IBM)
- swg21988644: OpenSource Apache Taglibs vulnerability affect IBM Spectrum Control (IBM)
- swg21993243: A Vulnerability in OpenSource Apache Taglibs Vulnerability affect C (IBM)