CVE-2014-0107

Publication date 15 April 2014

Last updated 24 July 2024

Ubuntu priority

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libxalan2-java	14.04 LTS trusty	Not affected
	13.10 saucy	Fixed 2.7.1-8ubuntu0.1
	12.10 quantal	Ignored end of life
	12.04 LTS precise	Fixed 2.7.1-7ubuntu0.1
	10.04 LTS lucid	Fixed 2.7.1-5ubuntu1.1

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libxalan2-java	Upstream: http://svn.apache.org/viewvc?view=revision&revision=1581058 Vendor: https://www.debian.org/security/2014/dsa-2886

CVE-2014-0107

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references