A known security vulnerability in the Java Standard Tag Library (JSTL) allows processing of external entities in untrusted XML documents: a request may use external entity references to access resources on the host system, or use XSLT extensions that may allow remote code execution.
This vulnerability exposes the XSL extension to XXE (XML External Entity) and RCE (Remote Code Execution) attacks (more information about how an XXE attack works can be found here, and more information about RCE attacks can be found here). In this post I will show how to prevent this vulnerability in your OpenShift Java applications.
NOTE: This vulnerability applies only to the Standard Taglib library up to version 1.2.1.
How can I prevent this vulnerability?
You must change the Jakarta Standard taglib to 1.2.3, or use the latest version (1.2.5). If your project uses Maven, then you can add the following:
<dependency>
    <groupId>org.jboss.spec</groupId>
    <artifactId>jboss-javaee-6.0</artifactId>
    <version>1.0.0.Final</version>
    <type>pom</type>
    <scope>provided</scope>
    <exclusions>
        <exclusion>
            <artifactId>jstl</artifactId>
            <groupId>javax.servlet</groupId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.taglibs</groupId>
    <artifactId>taglibs-standard-impl</artifactId>
    <version>1.2.5</version>
</dependency>
If you are doing binary deployments, make sure the dependency is included in your war file inside WEB-INF/lib. Another way to do that is to create a module.xml file inside <SRC_DIR>/.openshift/config/modules/javax/servlet/jstl/api/1.2.5, alongside the jar file. Below is an example module.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="javax.servlet.jstl.api" slot="1.2.5">
    <resources>
        <resource-root path="taglibs-standard-impl-1.2.5.jar"/>
    </resources>
</module>
And create a jboss-deployment-structure.xml with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="javax.servlet.jstl.api" slot="1.2.5" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
After that, follow the additional configuration according to the Java version you use in the next sections.
Java 6
Add -Dorg.apache.taglibs.standard.xml.accessExternalEntity= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS="-Dorg.apache.taglibs.standard.xml.accessExternalEntity=all"
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS="-Dorg.apache.taglibs.standard.xml.accessExternalEntity="
Java 7
Add -Djavax.xml.accessExternalDTD= to the JAVA_EXT_OPTS of the middleware container in use; with this flag in place external access is disabled.
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS="-Djavax.xml.accessExternalDTD=all"
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS="-Djavax.xml.accessExternalDTD="
Java 8
No further steps are necessary, as access to external entities is disabled by default when FEATURE_SECURE_PROCESSING (enabled by this patch) is active. If access to external resources is required then -Djavax.xml.accessExternalDTD=all may be used to avoid application breakage.
Note: The Java options outlined above define which external resources may be made available. With no entries following the = character, external access is disabled. In addition, not all Java applications honor JAVA_OPTS; consult the documentation of your middleware container to determine how to set additional JVM system properties.
See this Oracle article for additional information on possible values of -Djavax.xml.accessExternalDTD: New properties tutorial
To enable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS="-Djavax.xml.accessExternalDTD=all"
To disable all access, you can set the environment variable with the following command:
$ rhc env JAVA_EXT_OPTS="-Djavax.xml.accessExternalDTD="
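To confirm that javax.xml.accessExternalDTD behaves as the Java 7 and Java 8 sections describe, the following self-check parses a constructed document whose external entity points at a temporary file the program creates itself. It is an added example, not code from the original post or from the taglibs project; the class name ExternalEntityCheck and the marker text are assumptions, and it needs a JDK that implements the JAXP 1.5 properties (7u40 or later).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class ExternalEntityCheck {
    static final String PROP = "javax.xml.accessExternalDTD";

    // Parses a constructed document whose body is an external entity pointing at
    // `target`. Returns the expanded text, or "BLOCKED" if the parser refused it.
    // propValue == null clears the system property; "" and "all" mirror the -D flags.
    static String parse(Path target, String propValue, boolean secureProcessing) throws Exception {
        if (propValue == null) System.clearProperty(PROP);
        else System.setProperty(PROP, propValue);

        String xml = "<?xml version=\"1.0\"?>\n"
                   + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + target.toUri() + "\">]>\n"
                   + "<r>&ext;</r>";

        // The property is read when the factory and builder are created, so set it first.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (secureProcessing) dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            return dbf.newDocumentBuilder()
                      .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                      .getDocumentElement().getTextContent();
        } catch (SAXException e) {
            // The parser reports a refused external access as a fatal parse error.
            return "BLOCKED";
        }
    }

    public static void main(String[] args) throws Exception {
        Path marker = Files.createTempFile("xxe-check", ".txt");
        Files.write(marker, "constructed-marker".getBytes(StandardCharsets.UTF_8));
        try {
            System.out.println("accessExternalDTD=all    -> " + parse(marker, "all", false));
            System.out.println("accessExternalDTD=       -> " + parse(marker, "", false));
            System.out.println("unset, secure processing -> " + parse(marker, null, true));
        } finally {
            Files.delete(marker);
        }
    }
}
```

Run it with the same JDK the middleware container uses. A marker printed on the second line means the empty-value flag is not taking effect; the third line shows whether that JDK restricts external access from FEATURE_SECURE_PROCESSING alone, which is the difference between the Java 7 and Java 8 sections.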
About the author
Ricardo has been a senior software engineer for Red Hat cloud products since 2015, participating in key open source projects like RADAnalytics and Open Data Hub for Red Hat, and recently joined the Kubeflow project. His main role is to work with the overall MLOps development through experimentation, automation, and governance aspects.