A poison null byte flaw was found in the implementation of the DiskFileItem class (Apache Commons FileUpload, bundled in Tomcat and JBoss Web). A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server writable by the user running the application server process.
The Apache Tomcat team does not agree that this is a valid security flaw; they contend that an application performing untrusted deserialization is inherently insecure. However, the issue has been fixed as a code cleanup in this commit: http://svn.apache.org/viewvc?view=revision&revision=1470435
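The kind of check the referenced commit adds to DiskFileItem.readObject, rebuilt here as an added stand-alone Java example that is not the commons-fileupload or Tomcat source: a hypothetical UploadItem class restores its transient repository (temp-file directory) from a path string during deserialization, and refuses the path if it contains a NUL byte or is not an existing directory. The class and field names, the round-trip helper and the poisoned "/etc/\0ignored" path are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical stand-in for DiskFileItem (not the commons-fileupload class):
 * a serializable upload record whose temp-file directory is restored in readObject.
 */
public final class UploadItem implements Serializable {
    private static final long serialVersionUID = 1L;

    private final String fieldName;
    private final byte[] cachedContent;   // payload a server would spill to a temp file
    private transient File repository;    // restored from its path string in readObject

    public UploadItem(String fieldName, byte[] cachedContent, File repository) {
        this.fieldName = fieldName;
        this.cachedContent = cachedContent.clone();
        this.repository = repository;
    }

    public File getRepository() {
        return repository;
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeObject(repository == null ? null : repository.getPath());
    }

    /** Validates the attacker-controllable path before it is turned into a File. */
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        String path = (String) in.readObject();
        if (path == null) {
            return;
        }
        // Poison null byte: a NUL terminates the path in the native layer, so
        // "/etc/\0ignored" could otherwise be treated as "/etc/". Refuse it outright.
        if (path.indexOf('\0') >= 0) {
            throw new InvalidObjectException("repository path contains a null byte");
        }
        File dir = new File(path);
        // The repository must already exist as a directory; nothing is created here.
        if (!dir.isDirectory()) {
            throw new InvalidObjectException("repository is not a directory: " + path);
        }
        repository = dir;
    }

    /** Serializes and deserializes an item, as a server deserializing untrusted input would. */
    static UploadItem roundTrip(UploadItem item) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(item);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (UploadItem) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Path tmp = Files.createTempDirectory("upload-demo");   // a legitimate repository
        UploadItem clean = roundTrip(new UploadItem("file", "hello".getBytes(StandardCharsets.UTF_8), tmp.toFile()));
        System.out.println("accepted repository: " + clean.getRepository());

        // Constructed attacker-style payload (assumption for illustration): NUL after the target directory.
        File poisoned = new File("/etc/\0ignored");
        try {
            roundTrip(new UploadItem("file", "evil".getBytes(StandardCharsets.UTF_8), poisoned));
            System.out.println("poisoned repository accepted: vulnerable");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.delete(tmp);
    }
}
```

Compile and run with `javac UploadItem.java && java UploadItem`; the clean item is accepted and the poisoned one is rejected before any File is built from it. The Tomcat team's objection still applies: this check closes one write primitive but does not make deserializing an untrusted DiskFileItem safe, so the real fix is an allow-list filter on the ObjectInputStream or not deserializing untrusted data at all.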
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.1.0 Via RHSA-2013:1194 https://rhn.redhat.com/errata/RHSA-2013-1194.html
This issue has been addressed in the following products: JBEAP 6 for RHEL 5 JBEAP 6 for RHEL 6 Via RHSA-2013:1193 https://rhn.redhat.com/errata/RHSA-2013-1193.html
This issue has been addressed in the following products: Red Hat JBoss Portal 6.0.0 Via RHSA-2013:1265 https://rhn.redhat.com/errata/RHSA-2013-1265.html
Statement: This issue did not affect the versions of Tomcat as shipped with Red Hat Enterprise Linux 5, 6 and 7; and Red Hat JBoss Web Server 1 and 2. This issue did not affect the versions of JBoss Web as shipped with Red Hat JBoss BRMS 5; Red Hat JBoss Data Grid 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss Operations Network 3; Red Hat JBoss Portal Platform 5; Red Hat JBoss SOA Platform 4 and 5; and Red Hat JBoss Web Platform 5.
*** Bug 1140314 has been marked as a duplicate of this bug. ***
Upstream Fix: http://svn.apache.org/viewvc?view=revision&revision=1470435 Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2013/2185.yaml