Bug 1102038 (CVE-2014-0119) - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
Summary: CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1102182 1102184 1102186 1102188 1102190 1102192 1108995 1108996 1108997 1108998 1108999 1109000 1109001 1109002 1109004 1109005 1109006 1109007 1109008 1109009 1109013 1109014 1109474 1109475 1113339 1160690
Blocks: 1064757 1082938 1097027 1102039 1103878 1108465 1109261 1109262 1181883 1182400 1182419 1200191
TreeView+ depends on / blocked
 
Reported: 2014-05-28 11:28 UTC by Arun Babu Neelicattu
Modified: 2021-02-17 06:32 UTC (History)
46 users (show)

Fixed In Version: tomcat 7.0.54, tomcat 6.0.41, jbossweb 7.4.7.Final
Clone Of:
Environment:
Last Closed: 2019-06-08 02:33:10 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0842 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update 2014-07-07 18:49:59 UTC
Red Hat Product Errata RHSA-2014:0843 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update 2014-07-07 18:49:49 UTC
Red Hat Product Errata RHSA-2014:0895 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Grid 6.3.0 update 2014-07-16 21:12:23 UTC
Red Hat Product Errata RHSA-2014:1034 0 normal SHIPPED_LIVE Low: tomcat security update 2014-08-07 22:23:30 UTC
Red Hat Product Errata RHSA-2014:1038 0 normal SHIPPED_LIVE Low: tomcat6 security update 2014-08-11 20:44:40 UTC
Red Hat Product Errata RHSA-2014:1086 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:30:27 UTC
Red Hat Product Errata RHSA-2014:1087 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:44 UTC
Red Hat Product Errata RHSA-2014:1088 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:14 UTC
Red Hat Product Errata RHSA-2015:0234 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-18 03:27:47 UTC
Red Hat Product Errata RHSA-2015:0235 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-18 03:27:36 UTC
Red Hat Product Errata RHSA-2015:0675 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0720 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2015-03-25 01:05:53 UTC
Red Hat Product Errata RHSA-2015:0765 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-03-31 21:00:43 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Description Arun Babu Neelicattu 2014-05-28 11:28:16 UTC 
It was found that in limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.
Comment 2 Vincent Danen 2014-05-29 03:27:23 UTC 
Tomcat 6 fix (3 patches): 

http://svn.apache.org/viewvc?view=revision&revision=1589640
http://svn.apache.org/viewvc?view=revision&revision=1593815
http://svn.apache.org/viewvc?view=revision&revision=1593821

Tomcat 7 fix (4 patches):

http://svn.apache.org/viewvc?view=revision&revision=1588199
http://svn.apache.org/viewvc?view=revision&revision=1589997
http://svn.apache.org/viewvc?view=revision&revision=1590028
http://svn.apache.org/viewvc?view=revision&revision=1590036
Comment 6 Arun Babu Neelicattu 2014-06-13 06:03:02 UTC 
JBoss Web includes fix in 7.4.7.Final. Fixed by [1, 2].

[1] https://source.jboss.org/changelog/JBossWeb?cs=2427
[2] https://source.jboss.org/changelog/JBossWeb?cs=2460
Comment 15 errata-xmlrpc 2014-07-07 14:50:21 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0843 https://rhn.redhat.com/errata/RHSA-2014-0843.html
Comment 16 errata-xmlrpc 2014-07-07 14:51:19 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0842 https://rhn.redhat.com/errata/RHSA-2014-0842.html
Comment 17 errata-xmlrpc 2014-07-16 17:13:19 UTC 
This issue has been addressed in following products:

  JBoss Data Grid 6.3.0

Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html
Comment 18 Martin Prpič 2014-07-17 14:36:01 UTC 
IssueDescription:

It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.
Comment 20 errata-xmlrpc 2014-08-07 18:23:50 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1034 https://rhn.redhat.com/errata/RHSA-2014-1034.html
Comment 21 errata-xmlrpc 2014-08-11 16:46:37 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1038 https://rhn.redhat.com/errata/RHSA-2014-1038.html
Comment 22 errata-xmlrpc 2014-08-21 15:31:19 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html
Comment 23 errata-xmlrpc 2014-08-21 15:32:03 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html
Comment 24 errata-xmlrpc 2014-08-21 15:32:31 UTC 
This issue has been addressed in following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html
Comment 30 errata-xmlrpc 2015-02-17 22:28:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
Comment 31 errata-xmlrpc 2015-02-17 22:32:19 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
Comment 33 errata-xmlrpc 2015-03-11 16:52:50 UTC 
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
Comment 34 errata-xmlrpc 2015-03-24 21:06:35 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
Comment 35 errata-xmlrpc 2015-03-31 17:01:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
Comment 36 errata-xmlrpc 2015-05-14 15:19:13 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Note You need to log in before you can comment on or make changes to this bug.