Malicious Java Code Execution Vulnerability in Xalan Extensions

Severity: Moderate-High

Hannon Hill rates the severity of this vulnerability Moderate-High as it can be detrimental to the integrity of Cascade and to the host machine running Cascade. It is mitigated by using strict ACLs in versions of Cascade prior to 5.7.3 and via system preferences in versions 5.7.4, 6.0 and later.

Risk Assessment

A security vulnerability was identified and has been addressed that allows users with the ability to create or edit XSLT Formats to execute Java code via a Xalan extension using any of the libraries available to the Cascade application itself. Using this vulnerability, an attacker with user access to Cascade could:
* Read or write files to the host file system. * Shutdown Cascade by calling a static system shutdown method * Execute a multitude of other privileged system commands * Read the contents of the context.xml on the local file system to obtain access credentials to the database server

Risk Mitigation

If it is determined that there is high enough risk to warrant disabling Xalan Java extensions there are a few ways to go about disabling them.

Cascade 5.7.3 and Earlier

In versions prior to Cascade 5.7.4, ACLs can be used to prevent non-privileged users from accessing or editing XSLT Formats. XSLT Formats should be isolated from non-privileged users to disallow copying and subsequent editing of the copied assets. The creation of Asset Factories used to create XSLT Formats should disabled by disallowing write access to Asset Factory Containers for non-privileged users.

The Cascade process should be run as an non-privileged user on the host system to limit access to the host system. The Cascade database should be connected to with a user with limited access to the database server (e.g. not the 'root' user in MySQL or the 'sa' user in SQL Server)

Cascade 5.7.4 and 6.0

In versions 5.7.4 and 6.0, a preference was added that will disable ALL Xalan extensions including JavaScript, Java, and EXSLT libraries. This is a all-or-nothing method of disabling extensions in XSLT Formats.

Cascade 5.7.4.1 and 6.0.1

In versions 5.7.4.1 and 6.0.1, the preference introduced in 5.7.4 and 6.0 was split into two separate preferences: one that governs JavaScript extensions and one that governs Java extensions. These preferences allow Administrators to disable Java and JavaScript extensions individually. JavaScript extensions do not pose a risk to the host environment as the libraries available to the writer cannot access the host file system or execute queries against the database. EXSLT extensions are always enabled in these versions of Cascade as they too pose no threat.

Vulnerability

This vulnerability exists for all XSLT Formats in the system as any can contain and subsequently execute Xalan Java extension when applied to a page, page configuration, or template region.

Fix

There is no fix for this vulnerability; however, there are options available to Administrators that allows them to disable Xalan Java extensions and remove the risk entirely. These methods are outlined in the Risk Mitigation section.