Important CentOS xalan-j2 Update

Metadata

high
7.5
xalan-j2-2.7.0-6jpp.2.i386.rpm, xalan-j2-2.7.0-6jpp.2.src.rpm, xalan-j2-2.7.0-6jpp.2.x86_64.rpm, xalan-j2-2.7.0-9.9.el6_5.noarch.rpm, xalan-j2-2.7.0-9.9.el6_5.src.rpm, xalan-j2-demo-2.7.0-6jpp.2.i386.rpm, xalan-j2-demo-2.7.0-6jpp.2.x86_64.rpm, xalan-j2-demo-2.7.0-9.9.el6_5.noarch.rpm, xalan-j2-javadoc-2.7.0-6jpp.2.i386.rpm, xalan-j2-javadoc-2.7.0-6jpp.2.x86_64.rpm, xalan-j2-javadoc-2.7.0-9.9.el6_5.noarch.rpm, xalan-j2-manual-2.7.0-6jpp.2.i386.rpm, xalan-j2-manual-2.7.0-6jpp.2.x86_64.rpm, xalan-j2-manual-2.7.0-9.9.el6_5.noarch.rpm, xalan-j2-xsltc-2.7.0-6jpp.2.i386.rpm, xalan-j2-xsltc-2.7.0-6jpp.2.x86_64.rpm, xalan-j2-xsltc-2.7.0-9.9.el6_5.noarch.rpm
CVE-2014-0107
rhn.redhat.com, lists.centos.org, lists.centos.org
2014-04-02
2017-07-27 19:06
ALAS-2014-325
CVE-2014-0107 libxalan2-java
CVE-2014-0107
2017-04-01 19:07
2017-01-05 20:11

Description


Updated xalan-j2 packages that fix one security issue are now available for
Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Xalan-Java is an XSLT processor for transforming XML documents into HTML,
text, or other XML document types.

It was found that the secure processing feature of Xalan-Java had
insufficient restrictions defined for certain properties and features.
A remote attacker able to provide Extensible Stylesheet Language
Transformations (XSLT) content to be processed by an application using
Xalan-Java could use this flaw to bypass the intended constraints of the
secure processing feature. Depending on the components available in the
classpath, this could lead to arbitrary remote code execution in the
context of the application server running the application that uses
Xalan-Java. (CVE-2014-0107)

All xalan-j2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.
Please see https://www.redhat.com/footer/terms-of-use.html

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
6 xalan-j2 xalan-j2-2.7.0-9.9.el6_5.noarch.rpm
xalan-j2 xalan-j2-2.7.0-9.9.el6_5.src.rpm
xalan-j2-demo xalan-j2-demo-2.7.0-9.9.el6_5.noarch.rpm
xalan-j2-javadoc xalan-j2-javadoc-2.7.0-9.9.el6_5.noarch.rpm
xalan-j2-manual xalan-j2-manual-2.7.0-9.9.el6_5.noarch.rpm
xalan-j2-xsltc xalan-j2-xsltc-2.7.0-9.9.el6_5.noarch.rpm
unknown xalan-j2 xalan-j2-2.7.0-6jpp.2.i386.rpm
xalan-j2 xalan-j2-2.7.0-6jpp.2.src.rpm
xalan-j2 xalan-j2-2.7.0-6jpp.2.x86_64.rpm
xalan-j2-demo xalan-j2-demo-2.7.0-6jpp.2.i386.rpm
xalan-j2-demo xalan-j2-demo-2.7.0-6jpp.2.x86_64.rpm
xalan-j2-javadoc xalan-j2-javadoc-2.7.0-6jpp.2.x86_64.rpm
xalan-j2-javadoc xalan-j2-javadoc-2.7.0-6jpp.2.i386.rpm
xalan-j2-manual xalan-j2-manual-2.7.0-6jpp.2.i386.rpm
xalan-j2-manual xalan-j2-manual-2.7.0-6jpp.2.x86_64.rpm
xalan-j2-xsltc xalan-j2-xsltc-2.7.0-6jpp.2.i386.rpm
xalan-j2-xsltc xalan-j2-xsltc-2.7.0-6jpp.2.x86_64.rpm