Security Update 05-04-2009
Malicious Java Code Execution Vulnerability in Xalan Extensions
Severity: Moderate-High
Hannon Hill rates the severity of this vulnerability
Moderate-High as it can be detrimental to the integrity of Cascade
and to the host machine running Cascade. It is mitigated by using
strict ACLs in versions of Cascade prior to 5.7.3 and via system
preferences in versions 5.7.4, 6.0 and later.
Risk Assessment
A security vulnerability has been identified and addressed that
allows users with the ability to create or edit XSLT Formats to
execute Java code via a Xalan extension, using any of the libraries
available to the Cascade application itself. Using this
vulnerability, an attacker with user access to Cascade could:
* Read or write files on the host file system.
* Shut down Cascade by calling a static system shutdown method.
* Execute a multitude of other privileged system commands.
* Read the contents of context.xml on the local file system to obtain access credentials to the database server.
Risk Mitigation
If it is determined that there is high enough risk to warrant
disabling Xalan Java extensions, there are a few ways to go about
disabling them.
Cascade 5.7.3 and Earlier
In versions prior to Cascade 5.7.4, ACLs can be used to prevent non-privileged users from accessing or editing XSLT Formats. XSLT Formats should be isolated from non-privileged users to disallow copying and subsequent editing of the copied assets. The creation of Asset Factories used to create XSLT Formats should be disabled by disallowing write access to Asset Factory Containers for non-privileged users.
The Cascade process should be run as a non-privileged user on
the host system to limit access to the host system. The Cascade
database should be connected to with a user with limited access to
the database server (e.g. not the 'root' user in MySQL or the 'sa'
user in SQL Server).
Cascade 5.7.4 and 6.0
In versions 5.7.4 and 6.0, a preference was added that will
disable ALL Xalan extensions including JavaScript, Java, and EXSLT
libraries. This is an all-or-nothing method of disabling extensions
in XSLT Formats.
Cascade 5.7.4.1 and 6.0.1
In versions 5.7.4.1 and 6.0.1, the preference introduced in
5.7.4 and 6.0 was split into two separate preferences: one that
governs JavaScript extensions and one that governs Java extensions.
These preferences allow Administrators to disable Java and
JavaScript extensions individually. JavaScript extensions do not
pose a risk to the host environment as the libraries available to
the writer cannot access the host file system or execute queries
against the database. EXSLT extensions are always enabled in these
versions of Cascade as they too pose no threat.
Vulnerability
This vulnerability exists for all XSLT Formats in the system, as
any of them can contain and subsequently execute Xalan Java extensions when
applied to a page, page configuration, or template region.
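Because every XSLT Format can carry a Xalan Java extension, and because the 5.7.4.1/6.0.1 preferences let an Administrator disable Java extensions while leaving JavaScript and EXSLT extensions enabled, the first triage step is an inventory: which Formats declare Java extensions (and will stop working once those are disabled), and which only use JavaScript or EXSLT. The audit script below is an added example, not Hannon Hill's code and not part of Cascade; the Xalan-J namespace URIs it checks (the Xalan Java namespace, the xalan:// class URI form, and the lxslt/xalan component namespaces) are assumptions taken from the Xalan-J documentation, the sample Formats are constructed inline, and it does not model Cascade's own preference settings.

```python
"""Audit XSLT Format sources for Xalan extension usage.

Added example (not Cascade code): classifies each stylesheet by the
extension families it declares (Java, JavaScript, EXSLT) so an
administrator can see which Formats the "disable Java extensions"
preference would affect and which only rely on JavaScript or EXSLT.
"""
import io
import xml.etree.ElementTree as ET

# Namespace URIs by which Xalan-J exposes each extension family. These are
# this example's assumption of the relevant URIs; extend for local variants.
JAVA_NS = {"http://xml.apache.org/xalan/java", "http://xml.apache.org/xslt/java"}
COMPONENT_NS = {"http://xml.apache.org/xalan", "http://xml.apache.org/xslt"}
EXSLT_NS_PREFIX = "http://exslt.org/"


def classify_extensions(xslt_source: str) -> dict:
    """Return {'java': bool, 'javascript': bool, 'exslt': bool} for one stylesheet.

    A declared Java extension namespace (or a xalan://Class URI) counts as
    Java use even without a visible call, since declaring it has no other
    purpose. Component <script> elements are classified by their lang
    attribute; any language other than javascript is counted as Java
    (conservative: "javaclass" and other BSF languages run in the JVM).
    """
    found = {"java": False, "javascript": False, "exslt": False}
    events = ET.iterparse(io.BytesIO(xslt_source.encode("utf-8")),
                          events=("start-ns", "start"))
    for event, payload in events:
        if event == "start-ns":
            _prefix, uri = payload
            if uri in JAVA_NS or uri.startswith("xalan://"):
                found["java"] = True
            elif uri.startswith(EXSLT_NS_PREFIX):
                found["exslt"] = True
            continue
        elem = payload
        if not elem.tag.startswith("{"):
            continue  # no namespace: cannot be a Xalan component element
        ns, local = elem.tag[1:].split("}", 1)
        if ns in COMPONENT_NS and local == "script":
            if elem.get("lang", "").lower() == "javascript":
                found["javascript"] = True
            else:
                found["java"] = True
    return found


def audit(formats: dict) -> dict:
    """Map each Format name to its classification plus a triage verdict.

    Verdicts follow the advisory's options: disabling Java extensions
    neutralises Java use, while JavaScript-only and EXSLT-only Formats keep
    working when only Java extensions are disabled.
    """
    report = {}
    for name, source in formats.items():
        kinds = classify_extensions(source)
        if kinds["java"]:
            verdict = "uses Java extensions: blocked once Java extensions are disabled"
        elif kinds["javascript"]:
            verdict = "JavaScript only: unaffected by disabling Java extensions"
        elif kinds["exslt"]:
            verdict = "EXSLT only: unaffected"
        else:
            verdict = "no extensions"
        report[name] = {**kinds, "verdict": verdict}
    return report


# Constructed sample Formats (not taken from any Cascade installation).
SAMPLE_FORMATS = {
    "plain": """<xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <xsl:template match="/"><out/></xsl:template>
    </xsl:stylesheet>""",
    "exslt": """<xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:exsl="http://exslt.org/common">
      <xsl:template match="/"><xsl:copy-of select="exsl:node-set(/)"/></xsl:template>
    </xsl:stylesheet>""",
    "javascript": """<xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:lxslt="http://xml.apache.org/xslt"
        xmlns:ext="urn:example:ext" extension-element-prefixes="ext">
      <lxslt:component prefix="ext" functions="hello">
        <lxslt:script lang="javascript">function hello() { return "hi"; }</lxslt:script>
      </lxslt:component>
      <xsl:template match="/"><xsl:value-of select="ext:hello()"/></xsl:template>
    </xsl:stylesheet>""",
    "java": """<xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:java="http://xml.apache.org/xalan/java">
      <xsl:template match="/"><xsl:value-of select="java:java.lang.Math.max(1, 2)"/></xsl:template>
    </xsl:stylesheet>""",
}

if __name__ == "__main__":
    for name, entry in audit(SAMPLE_FORMATS).items():
        print(f"{name:11s} {entry['verdict']}")
```

Run it over an export of the Format sources to get the list of Formats that will break when Java extensions are disabled; anything flagged as Java-only can then be reviewed before the preference is changed, and Formats using only JavaScript or EXSLT need no change.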
Fix
There is no fix for this vulnerability; however, there are options available to Administrators that allow them to disable Xalan Java extensions and remove the risk entirely. These methods are outlined in the Risk Mitigation section.