Bug 1102038 (CVE-2014-0119)
| Summary: | CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | anil.saldhana, bdawidow, ccoleman, cdewolf, chazlett, chuffman, darran.lofthouse, dmcphers, drieden, epp-bugs, erich, fnasser, grocha, huwang, ivan.afonichev, jawilson, jclere, jcoleman, jdg-bugs, jdoyle, jialiu, jkurik, jokerman, jpallich, kconner, kejohnso, krzysztof.daniel, lgao, lmeyer, mmccomas, mmcgrath, mmiura, mweiler, myarboro, nobody+bgollahe, ohudlick, pgier, pslavice, rhq-maint, rsvoboda, soa-p-jira, spinder, theute, ttarrant, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat 7.0.54, tomcat 6.0.41, jbossweb 7.4.7.Final | Doc Type: | Bug Fix |
| Doc Text: |
It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:33:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1109005, 1102182, 1102184, 1102186, 1102188, 1102190, 1102192, 1108995, 1108996, 1108997, 1108998, 1108999, 1109000, 1109001, 1109002, 1109004, 1109006, 1109007, 1109008, 1109009, 1109013, 1109014, 1109474, 1109475, 1113339, 1160690 | ||
| Bug Blocks: | 1064757, 1082938, 1097027, 1102039, 1103878, 1108465, 1109261, 1109262, 1181883, 1182400, 1182419, 1200191 | ||
|
Description
Arun Babu Neelicattu
2014-05-28 11:28:16 UTC
Tomcat 6 fix (3 patches): http://svn.apache.org/viewvc?view=revision&revision=1589640 http://svn.apache.org/viewvc?view=revision&revision=1593815 http://svn.apache.org/viewvc?view=revision&revision=1593821 Tomcat 7 fix (4 patches): http://svn.apache.org/viewvc?view=revision&revision=1588199 http://svn.apache.org/viewvc?view=revision&revision=1589997 http://svn.apache.org/viewvc?view=revision&revision=1590028 http://svn.apache.org/viewvc?view=revision&revision=1590036 JBoss Web includes fix in 7.4.7.Final. Fixed by [1, 2]. [1] https://source.jboss.org/changelog/JBossWeb?cs=2427 [2] https://source.jboss.org/changelog/JBossWeb?cs=2460 This issue has been addressed in following products: JBEAP 6.2 for RHEL 6 JBEAP 6.2 for RHEL 5 Via RHSA-2014:0843 https://rhn.redhat.com/errata/RHSA-2014-0843.html This issue has been addressed in following products: JBoss Enterprise Application Platform 6.2.4 Via RHSA-2014:0842 https://rhn.redhat.com/errata/RHSA-2014-0842.html This issue has been addressed in following products: JBoss Data Grid 6.3.0 Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html IssueDescription: It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance. This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1034 https://rhn.redhat.com/errata/RHSA-2014-1034.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html This issue has been addressed in following products: JBEWS 2 for RHEL 5 Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html This issue has been addressed in following products: JBEWS 2 for RHEL 6 Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html This issue has been addressed in following products: JBoss Web Server 2.1.0 Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html |