It was found that in limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.
Tomcat 6 fix (3 patches): http://svn.apache.org/viewvc?view=revision&revision=1589640 http://svn.apache.org/viewvc?view=revision&revision=1593815 http://svn.apache.org/viewvc?view=revision&revision=1593821 Tomcat 7 fix (4 patches): http://svn.apache.org/viewvc?view=revision&revision=1588199 http://svn.apache.org/viewvc?view=revision&revision=1589997 http://svn.apache.org/viewvc?view=revision&revision=1590028 http://svn.apache.org/viewvc?view=revision&revision=1590036
JBoss Web includes fix in 7.4.7.Final. Fixed by [1, 2]. [1] https://source.jboss.org/changelog/JBossWeb?cs=2427 [2] https://source.jboss.org/changelog/JBossWeb?cs=2460
This issue has been addressed in following products: JBEAP 6.2 for RHEL 6 JBEAP 6.2 for RHEL 5 Via RHSA-2014:0843 https://rhn.redhat.com/errata/RHSA-2014-0843.html
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.2.4 Via RHSA-2014:0842 https://rhn.redhat.com/errata/RHSA-2014-0842.html
This issue has been addressed in following products: JBoss Data Grid 6.3.0 Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html
IssueDescription: It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1034 https://rhn.redhat.com/errata/RHSA-2014-1034.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html
This issue has been addressed in following products: JBEWS 2 for RHEL 5 Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html
This issue has been addressed in following products: JBEWS 2 for RHEL 6 Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html
This issue has been addressed in following products: JBoss Web Server 2.1.0 Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html