A security vulnerability known in Java Standard Tag Library (JSTL) allows processing of external entities in untrusted XML documents, in which a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
This vulnerability exposes the XSL extension for XXE(XML External Entity) and RCE(Remote Code Execution) attacks (more information about how XXE attack works can be found here and for RCE attacks you can find more information here). In this post I will show how to prevent this vulnerability in your OpenShift java applications.
NOTE: This vulnerability applies only for the Standard Taglib library until version 1.2.1.
How can I prevent this vulnerability?
You must change the Jakarta Standard taglib to 1.2.3, or use the latest version (1.2.5). If your project uses Maven, then you can add the following:
<dependency>
<groupId>org.jboss.spec</groupId>
<artifactId>jboss-javaee-6.0</artifactId>
<version>1.0.0.Final</version>
<type>pom</type>
<scope>provided</scope>
<exclusions>
<exclusion>
<artifactId>jstl</artifactId>
<groupId>javax.servlet</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-impl</artifactId>
<version>1.2.5</version>
</dependency>
In case you are doing binary downloads, make sure you have added the dependency in your war file inside WEB-INF/lib. Another way to do that is create a module.xml file inside <SRC_DIR>/.openshift/config/modules/javax/servlet/jstl/api/1.2.5 as well as the jar file. Below an example module.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="javax.servlet.jstl.api" slot="1.2.5">
<resources>
<resource-root path="taglibs-standard-impl-1.2.5.jar"/>
</resources>
</module>
And create a jboss-deployment-structure.xml with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="javax.servlet.jstl.api" slot="1.2.5" />
</dependencies>
</jboss-deployment-structure>
After that, follow the additional configuration according to the Java version you use in the next sections.
Java 6
Add -Dorg.apache.taglibs.standard.xml.accessExternalEntity= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Dorg.apache.taglibs.standard.xml.accessExternalEntity=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Dorg.apache.taglibs.standard.xml.accessExternalEntity=”
Java 7
Add -Djavax.xml.accessExternalDTD= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=”
Java 8
No further steps are necessary, as access to external entities is disabled by default when FEATURE_SECURE_PROCESSING (enabled by this patch) is active. If access to external resources is required then -Djavax.xml.accessExternalDTD=all may be used to avoid application breakage.
Note: The java options outlined above defines which external resources may be made available. With no entries following the = character this disables external access. In addition, not all Java applications honor JAVA_OPTS; consult the documentation of your middleware container to determine how to set additional JVM system properties.
See this Oracle article for an additional information on possible values of -Djavax.xml.accessExternalDTD: New properties tutorial
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=”
À propos de l'auteur
Ricardo has been a senior software engineer for Red Hat cloud products since 2015, participating in key open source projects like RADAnalytics and Open Data Hub for Red Hat, and recently joined the Kubeflow project. His main role is to work with the overall MLOps development through experimentation, automation, and governance aspects.
Plus de résultats similaires
Key considerations for 2026 planning: Insights from IDC
From maintenance to enablement: Making your platform a force-multiplier
Becoming a Coder | Command Line Heroes
Where Coders Code | Command Line Heroes
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Virtualisation
L'avenir de la virtualisation d'entreprise pour vos charges de travail sur site ou sur le cloud
