Security Update 05-04-2009
Malicious Java Code Execution Vulnerability in Xalan Extensions
Hannon Hill rates the severity of this vulnerability
Moderate-High as it can be detrimental to the integrity of Cascade
and to the host machine running Cascade. It is mitigated by using
strict ACLs in versions of Cascade prior to 5.7.3 and via system
preferences in versions 5.7.4, 6.0 and later.
A security vulnerability was identified and has been addressed
that allows users with the ability to create or edit XSLT Formats
to execute Java code via a Xalan extension using any of the
libraries available to the Cascade application itself. Using this
vulnerability, an attacker with user access to Cascade could:
* Read or write files to the host file system. * Shutdown Cascade by calling a static system shutdown method * Execute a multitude of other privileged system commands * Read the contents of the context.xml on the local file system to obtain access credentials to the database server
If it is determined that there is high enough risk to warrant
disabling Xalan Java extensions there are a few ways to go about
Cascade 5.7.3 and Earlier
In versions prior to Cascade 5.7.4, ACLs can be used to prevent non-privileged users from accessing or editing XSLT Formats. XSLT Formats should be isolated from non-privileged users to disallow copying and subsequent editing of the copied assets. The creation of Asset Factories used to create XSLT Formats should disabled by disallowing write access to Asset Factory Containers for non-privileged users.
The Cascade process should be run as an non-privileged user on
the host system to limit access to the host system. The Cascade
database should be connected to with a user with limited access to
the database server (e.g. not the 'root' user in MySQL or the 'sa'
user in SQL Server)
Cascade 5.7.4 and 6.0
In versions 5.7.4 and 6.0, a preference was added that will
libraries. This is a all-or-nothing method of disabling extensions
in XSLT Formats.
Cascade 126.96.36.199 and 6.0.1
In versions 188.8.131.52 and 6.0.1, the preference introduced in
5.7.4 and 6.0 was split into two separate preferences: one that
These preferences allow Administrators to disable Java and
pose a risk to the host environment as the libraries available to
the writer cannot access the host file system or execute queries
against the database. EXSLT extensions are always enabled in these
versions of Cascade as they too pose no threat.
This vulnerability exists for all XSLT Formats in the system as
any can contain and subsequently execute Xalan Java extension when
applied to a page, page configuration, or template region.
There is no fix for this vulnerability; however, there are options available to Administrators that allows them to disable Xalan Java extensions and remove the risk entirely. These methods are outlined in the Risk Mitigation section.