Bug 1069911 (CVE-2013-4590)
Summary: | CVE-2013-4590 tomcat: information disclosure via XXE when running untrusted web applications | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | aneelica, anil.saldhana, asantos, bdawidow, ccoleman, cdewolf, chazlett, chuffman, dknox, dmasirka, dmcphers, drieden, epp-bugs, fnasser, hfnukal, huwang, ivan.afonichev, java-sig-commits, jawilson, jcoleman, jdg-bugs, jialiu, jkurik, jpallich, jrusnack, kconner, krzysztof.daniel, lgao, lkocman, lmeyer, mjc, mmcgrath, myarboro, nobody+bgollahe, pcheung, pfrields, pgier, pslavice, rhq-maint, rsvoboda, security-response-team, soa-p-jira, spinder, theute, ttarrant, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | tomcat 7.0.50, tomcat 6.0.39, tomcat 8.0.0-rc10 | Doc Type: | Bug Fix |
Doc Text: | It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2015-01-17 06:04:02 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1069925, 1072511, 1072516, 1076002, 1076003, 1076004, 1076005, 1076006, 1080308, 1094668 | | |
Bug Blocks: | 1064757, 1069924, 1072200, 1072796, 1079808, 1109261 | | |
Description

Vincent Danen 2014-02-25 22:15:41 UTC

Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1069925]

Statement:

This issue did not affect JBoss Web, as shipped with various Red Hat JBoss products. This issue does affect Tomcat 5 as shipped by Red Hat Enterprise Linux 5. The risks in breaking compatibility associated with fixing this flaw outweigh the benefits of the fix, therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 5. Additionally, note that Red Hat Enterprise Linux 5 is currently in reduced support phase, receiving only Critical security updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/site/support/policy/updates/errata#Production_3_Phase

IssueDescription:

It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html

This issue has been addressed in the following products:

JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html

This issue has been addressed in the following products:

JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html

This issue has been addressed in the following products:

JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html

tomcat-7.0.52-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
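Added example, not code from this bug report or from Tomcat itself: the mitigation class behind the IssueDescription above is to parse application-supplied XML (web.xml, *.tld, *.tagx, *.jspx) with a parser that refuses DOCTYPE declarations and external entities, so a descriptor from an untrusted deployment cannot pull in local files or remote resources. The class name, the chosen feature set and the two constructed web.xml fragments are assumptions for illustration; this is not Tomcat's actual fix.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical helper: a hardened SAX parser for untrusted deployment descriptors.
public class HardenedDescriptorParser {

    // Build a parser that rejects DOCTYPEs outright and, as defence in depth,
    // disables general/parameter external entities and external DTD loading.
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns true if the descriptor parsed cleanly, false if the hardened
    // parser rejected it (e.g. because it carries a DOCTYPE with an entity).
    static boolean accepts(String xml) throws Exception {
        try {
            newHardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.err.println("rejected descriptor: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptors: one plain, one declaring an external entity.
        String benign = "<web-app><display-name>demo</display-name></web-app>";
        String withEntity = "<!DOCTYPE web-app [<!ENTITY ext SYSTEM \"file:///dev/null\">]>"
            + "<web-app><display-name>&ext;</display-name></web-app>";
        System.out.println("benign descriptor accepted: " + accepts(benign));
        System.out.println("entity descriptor accepted: " + accepts(withEntity));
    }
}
```

The rejection on the second input is the observable check a deployer can build into a pre-deployment scan of uploaded WAR contents, independent of any Java Security Manager policy.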