Apache Xalan-Java is prone to a security-bypass vulnerability (CVE-2014-0107). When an application enables the JAXP secure-processing feature on the Xalan TransformerFactory, the library fails to disable certain Xalan-specific output properties, so a crafted stylesheet can still load classes and reach external resources that secure processing is meant to block.
Attackers can leverage this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.
Xalan-Java versions prior to 2.7.2 are vulnerable; the issue is fixed in Xalan-Java 2.7.2. Because many of the products listed below bundle their own copy of the library, they remain affected until the vendor ships the fixed version or a backported patch.
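The check a practitioner needs first is an inventory of every Xalan-Java copy actually deployed, including copies bundled inside WARs and EARs by the products below. The scanner that follows is an added example, not code from this advisory or from the Xalan project. It assumes the jar's manifest declares Implementation-Version in its org/apache/xalan/ section (the official xalan.jar does) and reports archives that carry Xalan classes but no declared version as "unknown" for manual inspection. The sample jars built by make_sample_jar() and demo() are constructed stand-ins, not real Xalan builds.

```python
# Added example, not part of the advisory: find Xalan-Java archives older than the
# fixed 2.7.2 release. Assumes Apache's jar declares Implementation-Version in the
# org/apache/xalan/ manifest section (official xalan.jar does); repackaged or shaded
# copies without one are reported as "unknown" for manual inspection.
import io, os, re, tempfile, zipfile

FIXED_VERSION = (2, 7, 2)                        # first release without the flaw
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_manifest(text):
    """Split a JAR manifest into sections (main first); ' '-prefixed lines continue the previous header."""
    sections, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw == "":                              # blank line closes a section
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
        else:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        sections.append(current)
    return sections

def parse_version(s):
    """'2.7.1' -> (2, 7, 1); '2.7' -> (2, 7, 0); anything else -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def xalan_version(zf):
    """None if no Xalan classes; (raw, tuple) otherwise, with (None, None) when no version is declared."""
    names = zf.namelist()
    if not any(n.startswith("org/apache/xalan/") for n in names):
        return None
    if "META-INF/MANIFEST.MF" not in names:
        return (None, None)
    sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    # Prefer the org/apache/xalan section; fall back to the main section for repackaged jars.
    ranked = [s for s in sections
              if "xalan" in (s.get("Name", "") + s.get("Implementation-Title", "")).lower()]
    for sec in ranked + sections[:1]:
        if "Implementation-Version" in sec:
            return (sec["Implementation-Version"], parse_version(sec["Implementation-Version"]))
    return (None, None)

def status_of(info):
    """Map xalan_version() output to not-xalan | unknown | vulnerable | fixed."""
    if info is None:
        return "not-xalan"
    if info[1] is None:
        return "unknown"
    return "vulnerable" if info[1] < FIXED_VERSION else "fixed"

def scan_archive(zf, label, results):
    """Classify one archive, then recurse into archives nested inside it (WEB-INF/lib, EAR modules)."""
    status = status_of(xalan_version(zf))
    if status != "not-xalan":
        results[label] = status
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{label}!{name}", results)
            except zipfile.BadZipFile:
                continue

def scan(root):
    """Walk root; return {label: status} for every archive that carries Xalan classes."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, results)
            except zipfile.BadZipFile:
                continue
    return results

def make_sample_jar(version):
    """Constructed stand-in for xalan.jar (manifest stub plus one class entry); not a real build."""
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: org/apache/xalan/\r\n"
                f"Implementation-Title: org.apache.xalan\r\nImplementation-Version: {version}\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("org/apache/xalan/Version.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def demo():
    """Scan a constructed tree: an old jar, a WAR bundling the fixed jar, and an unrelated jar."""
    with tempfile.TemporaryDirectory(prefix="xalan-scan-") as root:
        with open(os.path.join(root, "xalan-2.7.1.jar"), "wb") as fh:
            fh.write(make_sample_jar("2.7.1"))
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/xalan-2.7.2.jar", make_sample_jar("2.7.2"))
        with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as other:
            other.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        return {label[len(root) + 1:]: status for label, status in scan(root).items()}

if __name__ == "__main__":
    import sys
    hits = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for label, status in sorted(hits.items()):
        print(f"{status:10s} {label}")
```

Run it with an installation root as the argument to walk a real deployment; with no argument it scans the constructed sample tree. Treat the output as a candidate list, not proof of exposure: a distribution package such as the xalan-j2 update referenced below may carry a backported fix under an unchanged 2.7.x version string and will still be flagged "vulnerable", so reconcile hits against the vendor bulletins in the References section before reporting.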
Information
Ubuntu Ubuntu Linux 12.04 LTS i386
Ubuntu Ubuntu Linux 12.04 LTS amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
SuSE SUSE Linux Enterprise Software Development Kit 11 SP3
SuSE SUSE Linux Enterprise Server for VMware 11 SP3
SuSE SUSE Linux Enterprise Server 11 SP3
SuSE Suse Linux Enterprise Desktop 11 SP3
Redhat JBoss Fuse Service Works 6.0.0
Redhat JBoss Enterprise Application Platform 5.2
Redhat JBoss Enterprise Application Platform 6.2 EL6
Redhat JBoss Enterprise Application Platform 6.2 EL5
Redhat JBoss Enterprise Application Platform 6 EL6
Redhat JBoss Enterprise Application Platform 6 EL5
Redhat JBoss Enterprise Application Platform 5 EL6
Redhat JBoss Enterprise Application Platform 5 EL5
Redhat JBoss Enterprise Application Platform 5 EL4
Redhat JBoss BRMS 6.0.2
Redhat JBoss BRMS 6.0.1
Redhat JBoss BRMS 5.3.1
Redhat JBoss BPMS 6.0.2
Redhat JBoss BPMS 6.0.1
Redhat Enterprise Linux Workstation Optional 6
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Server Optional 6
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux HPC Node Optional 6
Redhat Enterprise Linux Desktop Workstation 5 client
Redhat Enterprise Linux Desktop Optional 6
Redhat Enterprise Linux Desktop 5 client
Redhat Enterprise Linux 5 Server
Oracle WebLogic Server 12.1.3
Oracle WebLogic Server 12.1.2.0
Oracle WebLogic Server 10.3.6.0
Oracle WebCenter Sites 11.1.1.8.0
Oracle WebCenter Sites 7.6.2
Oracle Enterprise Linux 6.2
Oracle Enterprise Linux 6
Oracle Communications WebRTC Session Controller 7.2
Oracle Communications WebRTC Session Controller 7.1
Oracle Communications WebRTC Session Controller 7.0
Juniper Security Threat Response Manager 2013.2
Juniper Secure Analytics 2013.2
IBM Tivoli Netcool Configuration Manager 6.4.1
IBM Tivoli Netcool Configuration Manager 6.3
IBM Tivoli Netcool Configuration Manager 6.4
IBM Tivoli Netcool Configuration Manager 6.2
IBM Sterling Secure Proxy 3.4.1.7
IBM Sterling Secure Proxy 3.3.1 Patch 23 iFix04
IBM Sterling Secure Proxy 3.4.1.8 iFix03
IBM Sterling Secure Proxy 3.4.1.8
IBM Sterling Secure Proxy 3.4.1.6
IBM Sterling Secure Proxy 3.4.1.5
IBM Sterling Secure Proxy 3.4.1.2
IBM Sterling Secure Proxy 3.4.1
IBM Sterling Secure Proxy 3.4.0.6 iFix04
IBM Sterling Secure Proxy 3.4.0.6
IBM Sterling Secure Proxy 3.3.01
IBM Sterling File Gateway 2.1
IBM Sterling External Authentication Server 2.4.1.8
IBM Sterling External Authentication Server 2.4.1.7
IBM Sterling External Authentication Server 2.4.1
IBM Sterling External Authentication Server 2.4 4
IBM Sterling External Authentication Server 2.3.1 Patch 11 iFix 03
IBM Sterling External Authentication Server 2.3.1
IBM Sterling External Authentication Server 2.4.1.8 iFix 02
IBM Sterling External Authentication Server 2.4.1.1
IBM Sterling External Authentication Server 2.4.0.4 iFix 04
IBM Sterling External Authentication Server 2.4.0
IBM Sterling Control Center 5.2.11
IBM Sterling Control Center 5.2
IBM Sterling B2B Integrator 5.1
IBM QRadar Security Information and Event Manager 7.2 MR2
IBM QRadar Security Information and Event Manager 7.1 MR2
IBM Filenet P8 Application Engine 4.0.2
IBM FileNet Content Manager Workplace XT 1.1.5
IBM FileNet Content Manager Workplace XT 1.1.4
IBM FileNet Content Manager Workplace XT 1.1.3
IBM FileNet Content Manager Workplace XT 1.1.2
IBM FileNet Content Manager Workplace XT 1.1.1
IBM FileNet Content Manager Content Engine 5.2.0
IBM FileNet Business Process Manager 5.1
IBM FileNet Business Process Manager 5.0
IBM FileNet Business Process Framework 4.1
IBM Distributed Marketing 8.6
IBM Distributed Marketing 8.5
IBM Distributed Marketing 8.2
IBM Distributed Marketing 8.0
IBM Distributed Marketing 7.5
IBM Content Navigator 2.0.2
IBM Content Navigator 2.0.1
IBM Content Navigator 2.0
IBM Cognos Metrics Manager 10.2.1
IBM Cognos Metrics Manager 10.2
IBM Cognos Metrics Manager 10.1.1
IBM Cognos Metrics Manager 10.1
IBM Cognos Incentive Compensation Management 8.0.4
IBM Cognos Incentive Compensation Management 8.0.3
IBM Cognos Incentive Compensation Management 8.0.2
IBM Cognos Incentive Compensation Management 8.0.1
IBM Cognos Incentive Compensation Management 7.3
IBM Cognos Incentive Compensation Management 7.2.1
IBM Cognos Incentive Compensation Management 8.0
IBM Cognos Express 9.5
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Business Intelligence Server 10.2.1.1
IBM Cognos Business Intelligence Server 10.2.1
IBM Cognos Business Intelligence Server 10.1.1
IBM Cognos Business Intelligence Server 10.2
IBM Cognos Business Intelligence Server 10.1
IBM Case Foundation 5.2
IBM Business Process Manager 8.5.5.0
IBM Algo One CWM 5.0
IBM Algo One CWM 4.9
HP SiteScope Monitors 11.32 IP1
HP SiteScope Monitors 11.20
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
CentOS CentOS 5
Avaya one-X Client Enablement Services 6.1 SP2
Avaya one-X Client Enablement Services 6.1
Avaya Aura System Manager 6.2.3
Avaya Aura System Manager 6.2
Avaya Aura System Manager 6.1.5
Avaya Aura System Manager 6.1.3
Avaya Aura System Manager 6.1.2
Avaya Aura System Manager 6.1.1
Avaya Aura System Manager 6.1
Apache Xalan-Java 2.7.1
Apache Xalan-Java 2.7
Apache Xalan-Java 2.6.0
Apache Xalan-Java 2.5.2
Apache Xalan-Java 2.5.1
Apache Xalan-Java 2.5.0
Apache Xalan-Java 2.4.1
Apache Xalan-Java 2.4.0
Apache Xalan-Java 2.2.0
Apache Xalan-Java 2.1.0
Apache Xalan-Java 2.0.1
Apache Xalan-Java 2.0.0
Apache Xalan-Java 1.0.0
Redhat JBoss BPMS 6.0.3
Juniper Security Threat Response Manager 2013.2R8
Juniper Secure Analytics 2014.2R3
Juniper Secure Analytics 2014.2R2
Juniper Secure Analytics 2013.2R8
IBM Sterling Control Center 5.2.12
IBM Cognos Incentive Compensation Management 8.0.4 82256
IBM Cognos Incentive Compensation Management 8.0.3 82254
IBM Cognos Incentive Compensation Management 8.0.2 82251
IBM Cognos Incentive Compensation Management 8.0.1 82249
IBM Cognos Incentive Compensation Management 8.0 82227
IBM Cognos Incentive Compensation Management 7.3 82226
IBM Cognos Incentive Compensation Management 7.2.1 82225
Exploit
An attacker can exploit this issue using readily available tools.
References:
- Cognos BI Server is affected by the following vulnerabilities (IBM)
- Juniper Secure Analytics (JSA)/Security Threat Response Manager (STRM): Multiple (Juniper)
- Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as (IBM)
- Use of secure processing feature should disable some output properties (Apache)
- Vulnerabilities in IBM Business Process Manager (BPM) DocumentStore administrati (IBM)
- xalan-j2 security update (RHSA-2014-0348) (Avaya)
- Xalan-Java Homepage (Apache Software Foundation)
- #2014-002 Xalan-Java insufficient secure processing (oCERT)
- HPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote Denial o (HPE)
- IBM FileNet Content Manager, IBM Content Foundation and FileNet Process Engine (IBM)
- Open Source Apache Xalan-Java reported in April X-Force Report in IBM Content Na (IBM)
- Oracle Critical Patch Update Advisory - January 2016 (Oracle)
- Oracle Critical Patch Update Advisory - October 2017 (Oracle)
- Red Hat JBoss BPM Suite 6.0.2 update (Red Hat)
- Red Hat JBoss BRMS 6.0.2 update (Red Hat)
- RHSA-2014:1007-1 Important: Red Hat JBoss BRMS 5.3.1 update (Red Hat)
- RHSA-2014:1290-1 Important: Red Hat JBoss BRMS 6.0.3 update (Red Hat)
- Security Advisory Important: JBoss Enterprise Portal Platform 5.2.2 security upd (Red Hat)
- Security Advisory Important: Red Hat JBoss Enterprise Application Platform 5.2.0 (Red Hat)
- Security Advisory Important: Red Hat JBoss Enterprise Application Platform 5.2.0 (Red Hat)
- Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as (IBM)
- Security Bulletin: IBM Algo One - Algo Risk Application ("ARA") is affected by a (IBM)
- Security Bulletin: IBM Case Foundation - Open Source Apache Xalan-Java reported (IBM)
- Security Bulletin: IBM Cognos Express is affected by the following vulnerability (IBM)
- Security Bulletin: IBM Cognos Metrics Manager is affected by a vulnerability in (IBM)
- Security Bulletin: IBM Distributed Marketing is affected by a vulnerability in A (IBM)
- Security Bulletin: IBM FileNet Business Process Framework is affected by a vulne (IBM)
- Security Bulletin: IBM FileNet Business Process Manager - Open Source Apache Xal (IBM)
- Security Bulletin: IBM Tivoli Netcool Configuration Manager, Open Source Apache (IBM)
- Security Bulletin: Multiple Security Vulnerabilities found in IBM Sterling Exter (IBM)
- Security Bulletin: Multiple Security Vulnerabilities found in IBM Sterling Secur (IBM)
- Security Bulletin: Open Source Apache Xalan-Java in FileNet P8 Application Engin (IBM)
- Security Bulletin: Open Source Apache Xalan-Java in Workplace XT (IBM)
- Security Bulletin: Vulnerability exists in Apache-Xalan-Java used in IBM Sterlin (IBM)
- Security exposure in IBM Cognos Incentive Compensation Management (CVE-2014-0107 (IBM)