CVE-2014-0107
First published: Tue Mar 25 2014(Updated: )
Apache Xalan-Java could allow a remote attacker to bypass security restrictions, caused by the improper handling of output properties. An attacker could exploit this vulnerability to bypass the secure processing feature to load arbitrary restricted classes.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xalan-j2 | <2.7.2 | 2.7.2 |
| Apache Xalan-Java | <=2.7.1 | |
| Apache Xalan-Java | =1.0.0 | |
| Apache Xalan-Java | =2.0.0 | |
| Apache Xalan-Java | =2.0.1 | |
| Apache Xalan-Java | =2.1.0 | |
| Apache Xalan-Java | =2.2.0 | |
| Apache Xalan-Java | =2.4.0 | |
| Apache Xalan-Java | =2.4.1 | |
| Apache Xalan-Java | =2.5.0 | |
| Apache Xalan-Java | =2.5.1 | |
| Apache Xalan-Java | =2.5.2 | |
| Apache Xalan-Java | =2.6.0 | |
| Apache Xalan-Java | =2.7.0 | |
| Oracle WebCenter Sites | =7.6.2 | |
| Oracle WebCenter Sites | =11.1.1.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://issues.apache.org/jira/browse/XALANJ-2435
- http://svn.apache.org/viewvc?view=revision&revision=1581058
- http://www.ocert.org/advisories/ocert-2014-002.html
- https://rhn.redhat.com/errata/RHSA-2014-0348.html
- https://rhn.redhat.com/errata/RHSA-2014-0454.html
- https://rhn.redhat.com/errata/RHSA-2014-0453.html
- https://rhn.redhat.com/errata/RHSA-2014-0591.html
- https://rhn.redhat.com/errata/RHSA-2014-0590.html
- https://rhn.redhat.com/errata/RHSA-2014-0819.html
- https://rhn.redhat.com/errata/RHSA-2014-0818.html
- https://rhn.redhat.com/errata/RHSA-2014-1007.html
- https://rhn.redhat.com/errata/RHSA-2014-1059.html
- https://rhn.redhat.com/errata/RHSA-2014-1291.html
- https://rhn.redhat.com/errata/RHSA-2014-1290.html
- https://rhn.redhat.com/errata/RHSA-2014-1351.html
- https://rhn.redhat.com/errata/RHSA-2014-1369.html
- https://rhn.redhat.com/errata/RHSA-2014-1995.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- https://rhn.redhat.com/errata/RHSA-2015-1888.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1080248
- http://rhn.redhat.com/errata/RHSA-2014-0348.html
- http://rhn.redhat.com/errata/RHSA-2014-1351.html
- http://rhn.redhat.com/errata/RHSA-2015-1888.html
- http://secunia.com/advisories/57563
- http://secunia.com/advisories/59036
- http://secunia.com/advisories/59151
- http://secunia.com/advisories/59247
- http://secunia.com/advisories/59290
- http://secunia.com/advisories/59291
- http://secunia.com/advisories/59369
- http://secunia.com/advisories/59515
- http://secunia.com/advisories/59711
- http://secunia.com/advisories/60502
- http://www-01.ibm.com/support/docview.wss?uid=swg21674334
- http://www-01.ibm.com/support/docview.wss?uid=swg21676093
- http://www-01.ibm.com/support/docview.wss?uid=swg21677145
- http://www-01.ibm.com/support/docview.wss?uid=swg21680703
- http://www-01.ibm.com/support/docview.wss?uid=swg21681933
- http://www.debian.org/security/2014/dsa-2886
- http://www.ibm.com/support/docview.wss?uid=swg21677967
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.securityfocus.com/bid/66397
- http://www.securitytracker.com/id/1034711
- http://www.securitytracker.com/id/1034716
- https://exchange.xforce.ibmcloud.com/vulnerabilities/92023
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/201604-02
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.tenable.com/security/tns-2018-15
- https://www.ibm.com/support/pages/node/7145492 (Advisory)
Frequently Asked Questions
What is the vulnerability in Apache Xalan-Java?
The vulnerability in Apache Xalan-Java is CVE-2014-0107.
How does CVE-2014-0107 impact Apache Xalan-Java?
CVE-2014-0107 can allow a remote attacker to bypass security restrictions and load arbitrary classes or access external resources.
What is the severity of CVE-2014-0107?
The severity of CVE-2014-0107 is high with a CVSS score of 7.
How can I fix the vulnerability in Apache Xalan-Java CVE-2014-0107?
To fix CVE-2014-0107, update your Apache Xalan-Java installation to version 2.7.2 or above.
Where can I find more information about CVE-2014-0107?
You can find more information about CVE-2014-0107 in the following references: [Link 1](https://issues.apache.org/jira/browse/XALANJ-2435), [Link 2](http://svn.apache.org/viewvc?view=revision&revision=1581058), [Link 3](http://www.ocert.org/advisories/ocert-2014-002.html).
- collector/redhat-bugzilla
- alias/CVE-2014-0107
- collector/nvd-index
- agent/weakness
- agent/event
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/apache
- canonical/apache xalan-java
- version/apache xalan-java/2.7.1
- version/apache xalan-java/1.0.0
- version/apache xalan-java/2.0.0
- version/apache xalan-java/2.0.1
- version/apache xalan-java/2.1.0
- version/apache xalan-java/2.2.0
- version/apache xalan-java/2.4.0
- version/apache xalan-java/2.4.1
- version/apache xalan-java/2.5.0
- version/apache xalan-java/2.5.1
- version/apache xalan-java/2.5.2
- version/apache xalan-java/2.6.0
- version/apache xalan-java/2.7.0
- vendor/oracle
- canonical/oracle webcenter sites
- version/oracle webcenter sites/7.6.2
- version/oracle webcenter sites/11.1.1.8.0