A security vulnerability known in Java Standard Tag Library (JSTL) allows processing of external entities in untrusted XML documents, in which a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
This vulnerability exposes the XSL extension for XXE(XML External Entity) and RCE(Remote Code Execution) attacks (more information about how XXE attack works can be found here and for RCE attacks you can find more information here). In this post I will show how to prevent this vulnerability in your OpenShift java applications.
NOTE: This vulnerability applies only for the Standard Taglib library until version 1.2.1.
How can I prevent this vulnerability?
You must change the Jakarta Standard taglib to 1.2.3, or use the latest version (1.2.5). If your project uses Maven, then you can add the following:
<dependency>
<groupId>org.jboss.spec</groupId>
<artifactId>jboss-javaee-6.0</artifactId>
<version>1.0.0.Final</version>
<type>pom</type>
<scope>provided</scope>
<exclusions>
<exclusion>
<artifactId>jstl</artifactId>
<groupId>javax.servlet</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-impl</artifactId>
<version>1.2.5</version>
</dependency>
In case you are doing binary downloads, make sure you have added the dependency in your war file inside WEB-INF/lib. Another way to do that is create a module.xml file inside <SRC_DIR>/.openshift/config/modules/javax/servlet/jstl/api/1.2.5 as well as the jar file. Below an example module.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="javax.servlet.jstl.api" slot="1.2.5">
<resources>
<resource-root path="taglibs-standard-impl-1.2.5.jar"/>
</resources>
</module>
And create a jboss-deployment-structure.xml with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="javax.servlet.jstl.api" slot="1.2.5" />
</dependencies>
</jboss-deployment-structure>
After that, follow the additional configuration according to the Java version you use in the next sections.
Java 6
Add -Dorg.apache.taglibs.standard.xml.accessExternalEntity= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Dorg.apache.taglibs.standard.xml.accessExternalEntity=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Dorg.apache.taglibs.standard.xml.accessExternalEntity=”
Java 7
Add -Djavax.xml.accessExternalDTD= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=”
Java 8
No further steps are necessary, as access to external entities is disabled by default when FEATURE_SECURE_PROCESSING (enabled by this patch) is active. If access to external resources is required then -Djavax.xml.accessExternalDTD=all may be used to avoid application breakage.
Note: The java options outlined above defines which external resources may be made available. With no entries following the = character this disables external access. In addition, not all Java applications honor JAVA_OPTS; consult the documentation of your middleware container to determine how to set additional JVM system properties.
See this Oracle article for an additional information on possible values of -Djavax.xml.accessExternalDTD: New properties tutorial
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=all”
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS=”-Djavax.xml.accessExternalDTD=”
About the author
Ricardo has been a senior software engineer for Red Hat cloud products since 2015, participating in key open source projects like RADAnalytics and Open Data Hub for Red Hat, and recently joined the Kubeflow project. His main role is to work with the overall MLOps development through experimentation, automation, and governance aspects.
Browse by channel
Automation
The latest on IT automation that spans tech, teams, and environments
Artificial intelligence
Explore the platforms and partners building a faster path for AI
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
Explore how we reduce risks across environments and technologies
Edge computing
Updates on the solutions that simplify infrastructure at the edge
Infrastructure
Stay up to date on the world’s leading enterprise Linux platform
Applications
The latest on our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Developer resources
- Customer support
- Red Hat value calculator
- Red Hat Ecosystem Catalog
- Find a partner
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit