Bug 1102038 (CVE-2014-0119) - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
Summary: CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140527,reported=2...
Depends On: 1109005 1102182 1102184 1102186 1102188 1102190 1102192 1108995 1108996 1108997 1108998 1108999 1109000 1109001 1109002 1109004 1109006 1109007 1109008 1109009 1109013 1109014 1109474 1109475 1113339 1160690
Blocks: 1064757 1082938 1097027 1102039 1103878 1108465 1109261 1109262 1181883 1182400 1182419 1200191
TreeView+ depends on / blocked
 
Reported: 2014-05-28 11:28 UTC by Arun Babu Neelicattu
Modified: 2019-06-11 11:13 UTC (History)
46 users (show)

Fixed In Version: tomcat 7.0.54, tomcat 6.0.41, jbossweb 7.4.7.Final
Doc Type: Bug Fix
Doc Text:
It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:33:10 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0842 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update 2014-07-07 18:49:59 UTC
Red Hat Product Errata RHSA-2014:0843 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update 2014-07-07 18:49:49 UTC
Red Hat Product Errata RHSA-2014:0895 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Grid 6.3.0 update 2014-07-16 21:12:23 UTC
Red Hat Product Errata RHSA-2014:1034 normal SHIPPED_LIVE Low: tomcat security update 2014-08-07 22:23:30 UTC
Red Hat Product Errata RHSA-2014:1038 normal SHIPPED_LIVE Low: tomcat6 security update 2014-08-11 20:44:40 UTC
Red Hat Product Errata RHSA-2014:1086 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:30:27 UTC
Red Hat Product Errata RHSA-2014:1087 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:44 UTC
Red Hat Product Errata RHSA-2014:1088 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:14 UTC
Red Hat Product Errata RHSA-2015:0234 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-18 03:27:47 UTC
Red Hat Product Errata RHSA-2015:0235 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-18 03:27:36 UTC
Red Hat Product Errata RHSA-2015:0675 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0720 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2015-03-25 01:05:53 UTC
Red Hat Product Errata RHSA-2015:0765 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-03-31 21:00:43 UTC
Red Hat Product Errata RHSA-2015:1009 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Description Arun Babu Neelicattu 2014-05-28 11:28:16 UTC
It was found that in limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.

Comment 6 Arun Babu Neelicattu 2014-06-13 06:03:02 UTC
JBoss Web includes fix in 7.4.7.Final. Fixed by [1, 2].

[1] https://source.jboss.org/changelog/JBossWeb?cs=2427
[2] https://source.jboss.org/changelog/JBossWeb?cs=2460

Comment 15 errata-xmlrpc 2014-07-07 14:50:21 UTC
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0843 https://rhn.redhat.com/errata/RHSA-2014-0843.html

Comment 16 errata-xmlrpc 2014-07-07 14:51:19 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0842 https://rhn.redhat.com/errata/RHSA-2014-0842.html

Comment 17 errata-xmlrpc 2014-07-16 17:13:19 UTC
This issue has been addressed in following products:

  JBoss Data Grid 6.3.0

Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html

Comment 18 Martin Prpič 2014-07-17 14:36:01 UTC
IssueDescription:

It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.

Comment 20 errata-xmlrpc 2014-08-07 18:23:50 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1034 https://rhn.redhat.com/errata/RHSA-2014-1034.html

Comment 21 errata-xmlrpc 2014-08-11 16:46:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html

Comment 22 errata-xmlrpc 2014-08-21 15:31:19 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html

Comment 23 errata-xmlrpc 2014-08-21 15:32:03 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html

Comment 24 errata-xmlrpc 2014-08-21 15:32:31 UTC
This issue has been addressed in following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html

Comment 30 errata-xmlrpc 2015-02-17 22:28:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 31 errata-xmlrpc 2015-02-17 22:32:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 33 errata-xmlrpc 2015-03-11 16:52:50 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 34 errata-xmlrpc 2015-03-24 21:06:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 35 errata-xmlrpc 2015-03-31 17:01:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 36 errata-xmlrpc 2015-05-14 15:19:13 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html


Note You need to log in before you can comment on or make changes to this bug.