Application-provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment. This has been corrected in upstream versions 8.0.0-rc10 [1], 7.0.50 [2], and 6.0.39 [3].

[1] http://svn.apache.org/viewvc?view=revision&revision=1549528
[2] http://svn.apache.org/viewvc?view=revision&revision=1549529
[3] http://svn.apache.org/viewvc?view=revision&revision=1558828
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1069925]
Statement: This issue did not affect JBoss Web, as shipped with various Red Hat JBoss products. This issue does affect Tomcat 5 as shipped by Red Hat Enterprise Linux 5. The risks in breaking compatibility associated with fixing this flaw outweigh the benefits of the fix, therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 5. Additionally, note that Red Hat Enterprise Linux 5 is currently in reduced support phase, receiving only Critical security updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/site/support/policy/updates/errata#Production_3_Phase
IssueDescription: It was found that several application-provided XML files, such as web.xml, context.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the Java Security Manager (JSM), and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.
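The following is an added example, not code from this bug report or from Tomcat itself, showing the class of problem and the class of fix described above. A constructed web.xml declares an external entity pointing at a file on the server and expands it into <display-name>; a JAXP SAX parser with default settings resolves the entity and leaks the file, while a parser with DOCTYPE declarations and external entities disabled rejects the descriptor. The file name, the "db.password" content and the WebXmlXxeDemo class are assumptions made for the example. Tomcat parses its descriptors through its own Digester and JSP parser rather than this bare SAX code, so this illustrates the hardening principle, not the upstream patch.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class WebXmlXxeDemo {

    // Constructed attacker-controlled web.xml (assumption for this example): the DOCTYPE
    // declares an external entity that points at a server-side file and expands it
    // into <display-name>, where the container would normally read harmless text.
    static String maliciousWebXml(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE web-app [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<web-app>\n"
             + "  <display-name>&xxe;</display-name>\n"
             + "</web-app>\n";
    }

    // Collects the character data of <display-name>, which is where the entity expands.
    static class DisplayNameHandler extends DefaultHandler {
        private final StringBuilder text = new StringBuilder();
        private boolean inDisplayName;

        @Override
        public void startElement(String uri, String local, String qName, Attributes atts) {
            inDisplayName = "display-name".equals(qName);
        }

        @Override
        public void endElement(String uri, String local, String qName) {
            if ("display-name".equals(qName)) {
                inDisplayName = false;
            }
        }

        @Override
        public void characters(char[] ch, int start, int len) {
            if (inDisplayName) {
                text.append(ch, start, len);
            }
        }

        String displayName() {
            return text.toString();
        }
    }

    // Parser as a default JAXP factory hands it out: the internal DTD subset is processed
    // and external general entities are fetched and inlined, so the file contents leak.
    static SAXParserFactory vulnerableFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened parser: refuse DOCTYPE declarations outright, and additionally switch off
    // external entity and external DTD resolution in case a DTD is ever allowed again.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Parses the descriptor with the given factory and returns what ended up in <display-name>.
    static String parseDisplayName(SAXParserFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = factory.newSAXParser();
        DisplayNameHandler handler = new DisplayNameHandler();
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), handler);
        return handler.displayName();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in (constructed) for a file the deployer must not be able to read,
        // such as a credentials file under the Tomcat installation.
        Path secret = Files.createTempFile("tomcat-secret", ".properties");
        Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));
        String webXml = maliciousWebXml(secret);

        // Default parser: prints "vulnerable parser: db.password=hunter2".
        System.out.println("vulnerable parser: " + parseDisplayName(vulnerableFactory(), webXml));

        // Hardened parser: the DOCTYPE is rejected before any entity can be resolved.
        try {
            parseDisplayName(hardenedFactory(), webXml);
            System.out.println("hardened parser: descriptor accepted, entity not expanded");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the descriptor: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac WebXmlXxeDemo.java && java WebXmlXxeDemo`. The point of the check is that a deployer who can write web.xml controls the DTD, so the container must parse deployment descriptors with a DOCTYPE-refusing or entity-disabling parser; turning the Java Security Manager on does not help, because the file read happens inside the container's own parser, outside the web application's protection domain.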
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
  Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html

JBEWS 2 for RHEL 5
  Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html

JBEWS 2 for RHEL 6
  Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html

JBoss Web Server 2.1.0
  Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html
tomcat-7.0.52-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.