PT-2014-1795 · Apache · Apache Xalan-Java

Published: 2014-04-01 · Updated: 2024-09-04 · CVE-2014-0107

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache Xalan-Java versions prior to 2.7.2
Description: The issue allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted xalan:content-header, xalan:entities, xslt:content-header, or xslt:entities property, or via a Java property that is bound to the XSLT 1.0 system-property function. The cause is that the TransformerFactory does not properly restrict access to these properties even when FEATURE_SECURE_PROCESSING is enabled. Exploitation of this issue can lead to a violation of the confidentiality, integrity, and availability of protected information.
Recommendations: For Apache Xalan-Java versions prior to 2.7.2, update to version 2.7.2 or later to resolve the issue. As a temporary workaround, consider disabling the FEATURE_SECURE_PROCESSING feature until a patch is available. Restrict access to the TransformerFactory to minimize the risk of exploitation. Avoid using the xalan:content-header, xalan:entities, xslt:content-header, and xslt:entities properties in the affected API endpoints until the issue is resolved.
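The following Java snippet is an added example, not code from this record or from the Xalan project: it checks that the Xalan-Java on the classpath is at least the fixed 2.7.2 release and builds a TransformerFactory with FEATURE_SECURE_PROCESSING enabled and external DTD/stylesheet access denied, since the record states that secure processing alone was not honoured on unpatched versions. It assumes Xalan-Java is present (org.apache.xalan.Version is Xalan's own version class) and that the JAXP 1.5 access-restriction attributes are available; the class and method names XalanHardening, xalanIsPatched and secureFactory are hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

public final class XalanHardening {

    /** First Xalan-Java release without CVE-2014-0107, as stated in the record. */
    private static final int[] FIXED = {2, 7, 2};

    /** Returns true if the loaded Xalan-Java is version 2.7.2 or later. */
    public static boolean xalanIsPatched() {
        // org.apache.xalan.Version ships inside the Xalan jar and reports the
        // major/release/maintenance numbers of the build that was actually loaded.
        int[] v = {
            org.apache.xalan.Version.getMajorVersionNum(),
            org.apache.xalan.Version.getReleaseVersionNum(),
            org.apache.xalan.Version.getMaintenanceVersionNum()
        };
        for (int i = 0; i < FIXED.length; i++) {
            if (v[i] != FIXED[i]) return v[i] > FIXED[i];
        }
        return true;
    }

    /** Factory with secure processing on and external resource fetches off. */
    public static TransformerFactory secureFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An unpatched Xalan did not apply secure processing to the xalan:/xslt:
        // properties named in the record, so additionally deny external DTD and
        // stylesheet access (JAXP 1.5 attributes). Factories that predate JAXP 1.5
        // reject unknown attributes; that is reported rather than silently ignored.
        String[] attrs = {XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET};
        for (String attr : attrs) {
            try {
                tf.setAttribute(attr, "");
            } catch (IllegalArgumentException e) {
                System.err.println("factory does not support " + attr + ": " + e.getMessage());
            }
        }
        return tf;
    }

    public static void main(String[] args) throws Exception {
        if (!xalanIsPatched()) {
            System.err.println("Xalan " + org.apache.xalan.Version.getVersion()
                + " is older than 2.7.2 and affected by CVE-2014-0107; upgrade before use.");
        }
        TransformerFactory tf = secureFactory();
        System.out.println("Using " + tf.getClass().getName() + ", secure processing = "
            + tf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
    }
}
```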

Weakness Enumeration: Improper Authorization

Related Identifiers

ALT-PU-2024-17636
BDU:2015-04126
CESA-2014_0348
CVE-2014-0107
DSA-2886-1
GHSA-RC2W-R4JQ-7PFX
MGASA-2014-0152
OPENSUSE-SU-2024:10404-1
RHSA-2014:0348
RHSA-2014:0453
RHSA-2014:0591
RHSA-2014_0348
SUSE-SU-2014_0870-1
USN-2218-1

Affected Products

Alt Linux
Apache Xalan-Java
Centos
Oracle Weblogic Server
Red Hat
Suse