Bug 1069911 (CVE-2013-4590)

Summary: CVE-2013-4590 tomcat: information disclosure via XXE when running untrusted web applications
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aneelica, anil.saldhana, asantos, bdawidow, ccoleman, cdewolf, chazlett, chuffman, dknox, dmasirka, dmcphers, drieden, epp-bugs, fnasser, hfnukal, huwang, ivan.afonichev, java-sig-commits, jawilson, jcoleman, jdg-bugs, jialiu, jkurik, jpallich, jrusnack, kconner, krzysztof.daniel, lgao, lkocman, lmeyer, mjc, mmcgrath, myarboro, nobody+bgollahe, pcheung, pfrields, pgier, pslavice, rhq-maint, rsvoboda, security-response-team, soa-p-jira, spinder, theute, ttarrant, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: tomcat 7.0.50, tomcat 6.0.39, tomcat 8.0.0-rc10
Doc Type: Bug Fix
Doc Text:
It was found that several application-provided XML files, such as web.xml, context.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the Java Security Manager (JSM) and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.
Last Closed: 2015-01-17 06:04:02 UTC
Bug Depends On: 1069925, 1072511, 1072516, 1076002, 1076003, 1076004, 1076005, 1076006, 1080308, 1094668
Bug Blocks: 1064757, 1069924, 1072200, 1072796, 1079808, 1109261

Description Vincent Danen 2014-02-25 22:15:41 UTC
Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment.

This has been corrected in upstream versions 8.0.0-rc10 [1], 7.0.50 [2], and 6.0.39 [3].

[1] http://svn.apache.org/viewvc?view=revision&revision=1549528
[2] http://svn.apache.org/viewvc?view=revision&revision=1549529
[3] http://svn.apache.org/viewvc?view=revision&revision=1558828

Comment 1 Vincent Danen 2014-02-25 23:05:01 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1069925]

Comment 7 David Jorm 2014-03-11 06:06:20 UTC
Statement:

This issue did not affect JBoss Web, as shipped with various Red Hat JBoss products.

This issue does affect Tomcat 5 as shipped by Red Hat Enterprise Linux 5. The risks in breaking compatibility associated with fixing this flaw outweigh the benefits of the fix, therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 5. Additionally, note that Red Hat Enterprise Linux 5 is currently in reduced support phase, receiving only Critical security updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/site/support/policy/updates/errata#Production_3_Phase

Comment 29 Martin Prpič 2014-08-06 11:43:37 UTC
IssueDescription:

It was found that several application-provided XML files, such as web.xml, context.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.

Comment 30 errata-xmlrpc 2014-08-11 16:46:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html

Comment 31 errata-xmlrpc 2014-08-21 15:30:56 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html

Comment 32 errata-xmlrpc 2014-08-21 15:31:58 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html

Comment 33 errata-xmlrpc 2014-08-21 15:32:25 UTC
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html

Comment 34 Fedora Update System 2014-09-26 09:02:30 UTC
tomcat-7.0.52-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.