JVNDB-2014-002143

JVNDB-2014-002143
Apache Xalan-Java �ｽ�ｽ TransformerFactory �ｽﾉゑｿｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽﾒゑｿｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽﾆ弱性
�ｽT�ｽv
Apache Xalan-Java �ｽ�ｽ TransformerFactory �ｽﾍ、FEATURE_SECURE_PROCESSING �ｽ�ｽ�ｽL�ｽ�ｽ�ｽﾈ場合�ｽA�ｽ�ｽ�ｽ�ｽﾌプ�ｽ�ｽ�ｽp�ｽe�ｽB�ｽ�ｽK�ｽﾘに撰ｿｽ�ｽ�ｽ�ｽ�ｽ�ｽﾈゑｿｽ�ｽ�ｽ�ｽﾟ、�ｽ�ｽ�ｽﾒゑｿｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽA�ｽC�ｽﾓのク�ｽ�ｽ�ｽX�ｽ�ｽ�ｽ�ｽ�ｽ[�ｽh�ｽ�ｽ�ｽ�ｽ�ｽA�ｽﾜゑｿｽ�ｽﾍ外�ｽ�ｽ�ｽ�ｽ�ｽ\�ｽ[�ｽX�ｽﾉア�ｽN�ｽZ�ｽX�ｽ�ｽ�ｽ�ｽ�ｽﾆ弱性�ｽ�ｽ�ｽ�ｽ�ｽﾝゑｿｽ�ｽﾜゑｿｽ�ｽB
CVSS �ｽﾉゑｿｽ�ｽ[�ｽ�ｽ�ｽx (CVSS �ｽﾆゑｿｽ?)
CVSS v2 �ｽﾉゑｿｽ�ｽ[�ｽ�ｽ�ｽx �ｽ�ｽ{�ｽl: 7.5 (�ｽ�ｯ) [NVD�ｽl] �ｽU�ｽ�ｽ�ｽ�ｽ�ｽ謨ｪ: �ｽl�ｽb�ｽg�ｽ�ｽ�ｽ[�ｽN �ｽU�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽﾌ包ｿｽ�ｽG�ｽ�ｽ: �ｽ�ｽ �ｽU�ｽ�ｽ�ｽO�ｽﾌ認�ｽﾘ要�ｽ�ｽ: �ｽs�ｽv �ｽ@�ｽ�ｽ�ｽ�ｽ�ｽﾖの影�ｽ�ｽ(C): �ｽ�ｽ�ｽ�ｽ�ｽI �ｽ�ｽ�ｽS�ｽ�ｽ�ｽﾖの影�ｽ�ｽ(I): �ｽ�ｽ�ｽ�ｽ�ｽI �ｽﾂ用�ｽ�ｽ�ｽﾖの影�ｽ�ｽ(A): �ｽ�ｽ�ｽ�ｽ�ｽI
�ｽe�ｽ�ｽ�ｽ�ｽ�ｽｯゑｿｽV�ｽX�ｽe�ｽ�ｽ

Apache Software Foundation Xalan-Java 2.7.2 �ｽ�ｽ�ｽ�ｽ IBM IBM Security QRadar SIEM 7.1 MR2 IBM Security QRadar SIEM 7.2 MR2 IBM Sterling B2B Integrator 5.1 IBM Sterling Control Center 5.2.01 �ｽ�ｽ�ｽ�ｽ 5.2.11 IBM Sterling File Gateway 2.1 �ｽI�ｽ�ｽ�ｽN�ｽ�ｽ Oracle Fusion Middleware �ｽ�ｽ Oracle WebCenter Sites 11.1.1.8.0 Oracle Fusion Middleware �ｽ�ｽ Oracle WebCenter Sites 7.6.2 Oracle Fusion Middleware �ｽ�ｽ Oracle WebLogic Server 10.3.6 Oracle Fusion Middleware �ｽ�ｽ Oracle WebLogic Server 12.1.2 Oracle Fusion Middleware �ｽ�ｽ Oracle WebLogic Server 12.1.3 �ｽ�ｽ�ｽ�ｽ Cosminexus XML Processor Hitachi Infrastructure Analytics Advisor uCosminexus Application Server -R uCosminexus Application Server Express uCosminexus Application Server Light uCosminexus Application Server Enterprise uCosminexus Application Server Smart Edition uCosminexus Application Server Standard uCosminexus Application Server Standard -R uCosminexus Client uCosminexus Client for Plug-in uCosminexus Developer 01 uCosminexus Developer Professional uCosminexus Developer Professional for Plug-in uCosminexus Developer Light uCosminexus Developer Standard uCosminexus Operator uCosminexus Primary Server Base uCosminexus Server Standard-R uCosminexus Service Architect uCosminexus Service Platform uCosminexus Service Platform - Messaging
�ｽ{�ｽﾆ弱性�ｽﾌ影�ｽ�ｽ�ｽ�ｽ�ｽｯる製�ｽi�ｽﾌ詳細につゑｿｽ�ｽﾄは、�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽm�ｽF�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽB
�ｽz�ｽ閧ｳ�ｽ�ｽ�ｽe�ｽ�ｽ
�ｽ�ｽO�ｽﾒにゑｿｽ�ｽA�ｽI�ｽ�ｽ�ｽﾉ細工�ｽ�ｽ�ｽ黷ｽ�ｽﾈ会ｿｽ�ｽﾌプ�ｽ�ｽ�ｽp�ｽe�ｽB�ｽA�ｽﾜゑｿｽ�ｽ�ｽ XSLT 1.0 �ｽ�ｽ system-property �ｽﾖ撰ｿｽ�ｽﾉバ�ｽC�ｽ�ｽ�ｽh�ｽ�ｽ�ｽ黷ｽ Java �ｽv�ｽ�ｽ�ｽp�ｽe�ｽB�ｽ�ｽ�ｽ薰ｵ�ｽﾄ、�ｽ�ｽ�ｽﾒゑｿｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽA�ｽC�ｽﾓのク�ｽ�ｽ�ｽX�ｽ�ｽ�ｽ�ｽ�ｽ[�ｽh�ｽ�ｽ�ｽ�ｽ�ｽA�ｽﾜゑｿｽ�ｽﾍ外�ｽ�ｽ�ｽ�ｽ�ｽ\�ｽ[�ｽX�ｽﾉア�ｽN�ｽZ�ｽX�ｽ�ｽ�ｽ�ｽ�ｽﾂ能�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽﾜゑｿｽ�ｽB (1) xalan:content-header �ｽv�ｽ�ｽ�ｽp�ｽe�ｽB (2) xalan:entities �ｽv�ｽ�ｽ�ｽp�ｽe�ｽB (3) xslt:content-header �ｽv�ｽ�ｽ�ｽp�ｽe�ｽB (4) xslt:entities �ｽv�ｽ�ｽ�ｽp�ｽe�ｽB
�ｽﾎ搾ｿｽ
�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ關ｳ�ｽ�ｽ�ｽﾈ対策が鯉ｿｽ�ｽJ�ｽ�ｽ�ｽ�ｽﾄゑｿｽ�ｽﾜゑｿｽ�ｽB�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽ�ｽ�ｽQ�ｽﾆゑｿｽ�ｽﾄ適�ｽﾘな対搾ｿｽ�ｽ�ｽ�ｽ�ｽ{�ｽ�ｽ�ｽﾄゑｿｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽB
�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽ
Apache Software Foundation Apache : [XALANJ-2435] Use of secure processing feature should disable some output properties Apache-SVN : Revision 1581058 IBM IBM Support Document : 1677145 IBM Support Document : 1681933 IBM Support Document : 1680703 �ｽI�ｽ�ｽ�ｽN�ｽ�ｽ Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - January 2016 Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices SECURITY BLOG : January 2016 Critical Patch Update Released �ｽ�ｽ�ｽb�ｽh�ｽn�ｽb�ｽg Red Hat Security Advisory : RHSA-2014:1351 �ｽ�ｽ�ｽ�ｽ Hitachi Software Vulnerability Information : hitachi-sec-2017-113 Hitachi Software Vulnerability Information : hitachi-sec-2019-108 �ｽ\�ｽt�ｽg�ｽE�ｽF�ｽA�ｽ�ｽ�ｽi�ｽZ�ｽL�ｽ�ｽ�ｽ�ｽ�ｽe�ｽB�ｽ�ｽ�ｽ : hitachi-sec-2017-113 �ｽ\�ｽt�ｽg�ｽE�ｽF�ｽA�ｽ�ｽ�ｽi�ｽZ�ｽL�ｽ�ｽ�ｽ�ｽ�ｽe�ｽB�ｽ�ｽ�ｽ : hitachi-sec-2019-108
CWE�ｽﾉゑｿｽ�ｽﾆ弱性�ｽ^�ｽC�ｽv�ｽ齬� CWE�ｽﾆゑｿｽ?
�ｽF�ｽﾂ・�ｽ�ｽ�ｽ�ｽ�ｽE�ｽA�ｽN�ｽZ�ｽX�ｽ�ｽ�ｽ�ｽ(CWE-264) [NVD�ｽ]�ｽ�ｽ]
�ｽ�ｽ�ｽﾊ脆弱性�ｽ�ｽ�ｽﾊ子(CVE) CVE�ｽﾆゑｿｽ?
CVE-2014-0107
�ｽQ�ｽl�ｽ�ｽ�ｽ
National Vulnerability Database (NVD) : CVE-2014-0107 �ｽﾖ連�ｽ�ｽ�ｽ�ｽ : #2014-002 Xalan-Java insufficient secure processing
�ｽX�ｽV�ｽ�ｽ�ｽ�ｽ
[2014�ｽN04�ｽ�ｽ21�ｽ�ｽ] �ｽf�ｽ�ｽ [2014�ｽN08�ｽ�ｽ06�ｽ�ｽ] �ｽe�ｽ�ｽ�ｽ�ｽ�ｽｯゑｿｽV�ｽX�ｽe�ｽ�ｽ�ｽF�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽﾌ追会ｿｽ�ｽﾉ費ｿｽ�ｽ�ｽ�ｽ�ｽ�ｽe�ｽ�ｽ�ｽX�ｽV �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽFIBM (1677145) �ｽ�ｽﾇ会ｿｽ [2014�ｽN09�ｽ�ｽ09�ｽ�ｽ] �ｽe�ｽ�ｽ�ｽ�ｽ�ｽｯゑｿｽV�ｽX�ｽe�ｽ�ｽ�ｽF�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽﾌ追会ｿｽ�ｽﾉ費ｿｽ�ｽ�ｽ�ｽ�ｽ�ｽe�ｽ�ｽ�ｽX�ｽV �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽFIBM (1681933) �ｽ�ｽﾇ会ｿｽ �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽFIBM (1680703) �ｽ�ｽﾇ会ｿｽ [2014�ｽN10�ｽ�ｽ30�ｽ�ｽ] �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽF�ｽ�ｽ�ｽb�ｽh�ｽn�ｽb�ｽg (RHSA-2014:1351) �ｽ�ｽﾇ会ｿｽ [2016�ｽN01�ｽ�ｽ28�ｽ�ｽ] �ｽe�ｽ�ｽ�ｽ�ｽ�ｽｯゑｿｽV�ｽX�ｽe�ｽ�ｽ�ｽF�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽﾌ追会ｿｽ�ｽﾉ費ｿｽ�ｽ�ｽ�ｽ�ｽ�ｽe�ｽ�ｽ�ｽX�ｽV �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽF�ｽI�ｽ�ｽ�ｽN�ｽ�ｽ (Oracle Critical Patch Update Advisory - January 2016) �ｽ�ｽﾇ会ｿｽ �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽF�ｽI�ｽ�ｽ�ｽN�ｽ�ｽ (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) �ｽ�ｽﾇ会ｿｽ �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽF�ｽI�ｽ�ｽ�ｽN�ｽ�ｽ (January 2016 Critical Patch Update Released) �ｽ�ｽﾇ会ｿｽ [2017�ｽN05�ｽ�ｽ16�ｽ�ｽ] �ｽe�ｽ�ｽ�ｽ�ｽ�ｽｯゑｿｽV�ｽX�ｽe�ｽ�ｽ�ｽF�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽﾌ追会ｿｽ�ｽﾉ費ｿｽ�ｽ�ｽ�ｽ�ｽ�ｽe�ｽ�ｽ�ｽX�ｽV �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽF�ｽ�ｽ�ｽ�ｽ (hitachi-sec-2017-113) �ｽ�ｽﾇ会ｿｽ [2019�ｽN04�ｽ�ｽ16�ｽ�ｽ] �ｽe�ｽ�ｽ�ｽ�ｽ�ｽｯゑｿｽV�ｽX�ｽe�ｽ�ｽ�ｽF�ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽﾌ追会ｿｽ�ｽﾉ費ｿｽ�ｽ�ｽ�ｽ�ｽ�ｽe�ｽ�ｽ�ｽX�ｽV �ｽx�ｽ�ｽ�ｽ_�ｽ�ｽ�ｽF�ｽ�ｽ�ｽ�ｽ (hitachi-sec-2019-108) �ｽ�ｽﾇ会ｿｽ


�ｽ�ｽ�ｽ\�ｽ�ｽ	2014/03/25
�ｽo�ｽ^�ｽ�ｽ	2014/04/21
�ｽﾅ終�ｽX�ｽV�ｽ�ｽ	2019/04/16

Apache Xalan-Java �ｽ�ｽ TransformerFactory �ｽﾉゑｿｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽﾒゑｿｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽ�ｽﾆ弱性