Bug 1102038 (CVE-2014-0119)

Summary: CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anil.saldhana, bdawidow, ccoleman, cdewolf, chazlett, chuffman, darran.lofthouse, dmcphers, drieden, epp-bugs, erich, fnasser, grocha, huwang, ivan.afonichev, jawilson, jclere, jcoleman, jdg-bugs, jdoyle, jialiu, jkurik, jokerman, jpallich, kconner, kejohnso, krzysztof.daniel, lgao, lmeyer, mmccomas, mmcgrath, mmiura, mweiler, myarboro, nobody+bgollahe, ohudlick, pgier, pslavice, rhq-maint, rsvoboda, soa-p-jira, spinder, theute, ttarrant, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20140527,reported=20140527,source=internet,cvss2=2.1/AV:N/AC:H/Au:S/C:P/I:N/A:N,cwe=CWE-470,fedora-all/tomcat=affected,jbews-1/tomcat5=wontfix,jbews-1/tomcat6=wontfix,jbews-2/tomcat6=affected,jbews-2/tomcat7=affected,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=affected,rhel-7/tomcat=affected,dts-2.0/devtoolset-2-tomcat=notaffected,bpms-6/jbossweb=affected,brms-6/jbossweb=affected,eap-6/jbossweb=affected,eap-5/jbossweb=wontfix,fsw-6/jbossweb=affected,jboss/others=wontfix,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected
Fixed In Version: tomcat 7.0.54, tomcat 6.0.41, jbossweb 7.4.7.Final Doc Type: Bug Fix
Doc Text:
It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:33:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1109005, 1102182, 1102184, 1102186, 1102188, 1102190, 1102192, 1108995, 1108996, 1108997, 1108998, 1108999, 1109000, 1109001, 1109002, 1109004, 1109006, 1109007, 1109008, 1109009, 1109013, 1109014, 1109474, 1109475, 1113339, 1160690    
Bug Blocks: 1064757, 1082938, 1097027, 1102039, 1103878, 1108465, 1109261, 1109262, 1181883, 1182400, 1182419, 1200191    

Description Arun Babu Neelicattu 2014-05-28 11:28:16 UTC
It was found that in limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.

Comment 6 Arun Babu Neelicattu 2014-06-13 06:03:02 UTC
JBoss Web includes fix in 7.4.7.Final. Fixed by [1, 2].

[1] https://source.jboss.org/changelog/JBossWeb?cs=2427
[2] https://source.jboss.org/changelog/JBossWeb?cs=2460

Comment 15 errata-xmlrpc 2014-07-07 14:50:21 UTC
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0843 https://rhn.redhat.com/errata/RHSA-2014-0843.html

Comment 16 errata-xmlrpc 2014-07-07 14:51:19 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0842 https://rhn.redhat.com/errata/RHSA-2014-0842.html

Comment 17 errata-xmlrpc 2014-07-16 17:13:19 UTC
This issue has been addressed in following products:

  JBoss Data Grid 6.3.0

Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html

Comment 18 Martin Prpič 2014-07-17 14:36:01 UTC
IssueDescription:

It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.

Comment 20 errata-xmlrpc 2014-08-07 18:23:50 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1034 https://rhn.redhat.com/errata/RHSA-2014-1034.html

Comment 21 errata-xmlrpc 2014-08-11 16:46:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html

Comment 22 errata-xmlrpc 2014-08-21 15:31:19 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html

Comment 23 errata-xmlrpc 2014-08-21 15:32:03 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html

Comment 24 errata-xmlrpc 2014-08-21 15:32:31 UTC
This issue has been addressed in following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html

Comment 30 errata-xmlrpc 2015-02-17 22:28:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 31 errata-xmlrpc 2015-02-17 22:32:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 33 errata-xmlrpc 2015-03-11 16:52:50 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 34 errata-xmlrpc 2015-03-24 21:06:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 35 errata-xmlrpc 2015-03-31 17:01:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 36 errata-xmlrpc 2015-05-14 15:19:13 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html