A security vulnerability known in Java Standard Tag Library (JSTL) allows processing of external entities in untrusted XML documents, in which a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
This vulnerability exposes the XSL extension for XXE(XML External Entity) and RCE(Remote Code Execution) attacks (more information about how XXE attack works can be found here and for RCE attacks you can find more information here). In this post I will show how to prevent this vulnerability in your OpenShift java applications.
NOTE: This vulnerability applies only for the Standard Taglib library until version 1.2.1.
How can I prevent this vulnerability?
You must change the Jakarta Standard taglib to 1.2.3, or use the latest version (1.2.5). If your project uses Maven, then you can add the following:
<dependency>
<groupId>org.jboss.spec</groupId>
<artifactId>jboss-javaee-6.0</artifactId>
<version>1.0.0.Final</version>
<type>pom</type>
<scope>provided</scope>
<exclusions>
<exclusion>
<artifactId>jstl</artifactId>
<groupId>javax.servlet</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-impl</artifactId>
<version>1.2.5</version>
</dependency>
In case you are doing binary downloads, make sure you have added the dependency in your war file inside WEB-INF/lib. Another way to do that is create a module.xml file inside <SRC_DIR>/.openshift/config/modules/javax/servlet/jstl/api/1.2.5 as well as the jar file. Below an example module.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="javax.servlet.jstl.api" slot="1.2.5">
<resources>
<resource-root path="taglibs-standard-impl-1.2.5.jar"/>
</resources>
</module>
And create a jboss-deployment-structure.xml with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="javax.servlet.jstl.api" slot="1.2.5" />
</dependencies>
</jboss-deployment-structure>
After that, follow the additional configuration according to the Java version you use in the next sections.
Java 6
Add -Dorg.apache.taglibs.standard.xml.accessExternalEntity= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Dorg.apache.taglibs.standard.xml.accessExternalEntity=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Dorg.apache.taglibs.standard.xml.accessExternalEntity=”
Java 7
Add -Djavax.xml.accessExternalDTD= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=”
Java 8
No further steps are necessary, as access to external entities is disabled by default when FEATURE_SECURE_PROCESSING (enabled by this patch) is active. If access to external resources is required then -Djavax.xml.accessExternalDTD=all may be used to avoid application breakage.
Note: The java options outlined above defines which external resources may be made available. With no entries following the = character this disables external access. In addition, not all Java applications honor JAVA_OPTS; consult the documentation of your middleware container to determine how to set additional JVM system properties.
See this Oracle article for an additional information on possible values of -Djavax.xml.accessExternalDTD: New properties tutorial
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=”
Sull'autore
Ricardo has been a senior software engineer for Red Hat cloud products since 2015, participating in key open source projects like RADAnalytics and Open Data Hub for Red Hat, and recently joined the Kubeflow project. His main role is to work with the overall MLOps development through experimentation, automation, and governance aspects.
Altri risultati simili a questo
Red Hat to acquire Chatterbox Labs: Frequently Asked Questions
RPM and DNF features and enhancements in Red Hat Enterprise Linux 10.1
Rolling with the Punches | Compiler: Tales From The Database
The Truth About Netcode | Compiler
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Virtualizzazione
Il futuro della virtualizzazione negli ambienti aziendali per i carichi di lavoro on premise o nel cloud
