Bug 1069911 (CVE-2013-4590) - CVE-2013-4590 tomcat: information disclosure via XXE when running untrusted web applications
Summary: CVE-2013-4590 tomcat: information disclosure via XXE when running untrusted w...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4590
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1069925 1072511 1072516 1076002 1076003 1076004 1076005 1076006 1080308 1094668
Blocks: 1064757 1069924 1072200 1072796 1079808 1109261
TreeView+ depends on / blocked
 
Reported: 2014-02-25 22:15 UTC by Vincent Danen
Modified: 2021-02-17 06:49 UTC (History)
47 users (show)

Fixed In Version: tomcat 7.0.50, tomcat 6.0.39, tomcat 8.0.0-rc10
Doc Type: Bug Fix
Doc Text:
It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.
Clone Of:
Environment:
Last Closed: 2015-01-17 06:04:02 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1038 0 normal SHIPPED_LIVE Low: tomcat6 security update 2014-08-11 20:44:40 UTC
Red Hat Product Errata RHSA-2014:1086 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:30:27 UTC
Red Hat Product Errata RHSA-2014:1087 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:44 UTC
Red Hat Product Errata RHSA-2014:1088 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:14 UTC

Description Vincent Danen 2014-02-25 22:15:41 UTC
Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment.

This has been corrected in upstream versions 8.0.0-rc10 [1], 7.0.50 [2], and 6.0.39 [3]

[1] http://svn.apache.org/viewvc?view=revision&revision=1549528
[2] http://svn.apache.org/viewvc?view=revision&revision=1549529
[3] http://svn.apache.org/viewvc?view=revision&revision=1558828

Comment 1 Vincent Danen 2014-02-25 23:05:01 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1069925]

Comment 7 David Jorm 2014-03-11 06:06:20 UTC
Statement:

This issue did not affect JBoss Web, as shipped with various Red Hat JBoss products.

This issue does affect Tomcat 5 as shipped by Red Hat Enterprise Linux 5. The risks in breaking compatibility associated with fixing this flaw outweigh the benefits of the fix, therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 5. Additionally, note that Red Hat Enterprise Linux 5 is currently in reduced support phase, receiving only Critical security updates.  For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/site/support/policy/updates/errata#Production_3_Phase

Comment 29 Martin Prpič 2014-08-06 11:43:37 UTC
IssueDescription:

It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.

Comment 30 errata-xmlrpc 2014-08-11 16:46:21 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html

Comment 31 errata-xmlrpc 2014-08-21 15:30:56 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html

Comment 32 errata-xmlrpc 2014-08-21 15:31:58 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html

Comment 33 errata-xmlrpc 2014-08-21 15:32:25 UTC
This issue has been addressed in following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html

Comment 34 Fedora Update System 2014-09-26 09:02:30 UTC
tomcat-7.0.52-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.