ID

VAR-201404-0585

CVE

CVE-2014-0050

TITLE

Apache Commons FileUpload CVE-2014-0050 Denial Of Service Vulnerability

DESCRIPTION

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. Apache Commons FileUpload is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the application to enter an infinite loop which may cause denial-of-service conditions. The following products are vulnerable: Apache Commons FileUpload 1.0 through versions 1.3 Apache Tomcat 8.0.0-RC1 through versions 8.0.1 Apache Tomcat 7.0.0 through versions 7.0.50. JBoss Web Server provides organizations with a single deployment platform for Java Server Pages (JSP) and Java Servlet technologies, PHP, and CGI. It uses a genuine high performance hybrid technology that incorporates the best of the most recent OS technologies for processing high volume data, while keeping all the reference Java specifications. Apache Commons FileUpload package makes it easy to add robust, high-performance, file upload capability to servlets and web applications. Apache Tomcat 7.x before 7.0.50 allows attackers to obtain Tomcat internals information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2013-4590). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227 http://advisories.mageia.org/MGASA-2014-0110.html http://advisories.mageia.org/MGASA-2014-0149.html http://advisories.mageia.org/MGASA-2014-0268.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 58f55f0050c7ac4eb3c31308cc62d244 mbs2/x86_64/tomcat-7.0.59-1.mbs2.noarch.rpm 9c28750a8ec902d5bde42748a14d99ab mbs2/x86_64/tomcat-admin-webapps-7.0.59-1.mbs2.noarch.rpm b62639d405462dc9f28fd4afe11ddd57 mbs2/x86_64/tomcat-docs-webapp-7.0.59-1.mbs2.noarch.rpm 57b85f852426d5c7e282542165d2ea6f mbs2/x86_64/tomcat-el-2.2-api-7.0.59-1.mbs2.noarch.rpm 8410dbab11abe4f307576ecd657e427c mbs2/x86_64/tomcat-javadoc-7.0.59-1.mbs2.noarch.rpm aaffb8c0cd7d82c6dcb1b0ecc00dc7c8 mbs2/x86_64/tomcat-jsp-2.2-api-7.0.59-1.mbs2.noarch.rpm 538438ca90caa2eb6f49bca3bb6e0e2e mbs2/x86_64/tomcat-jsvc-7.0.59-1.mbs2.noarch.rpm 9a2d902c3a3e24af3f2da240c42c787f mbs2/x86_64/tomcat-lib-7.0.59-1.mbs2.noarch.rpm af5562b305ae7fd1406a9c94c9316cb5 mbs2/x86_64/tomcat-log4j-7.0.59-1.mbs2.noarch.rpm 3349a91a1667f299641e16aed4c3aadc mbs2/x86_64/tomcat-servlet-3.0-api-7.0.59-1.mbs2.noarch.rpm 4777adcbc177da7e1b8b158d6186141c mbs2/x86_64/tomcat-webapps-7.0.59-1.mbs2.noarch.rpm b832a8fcd47ae9fb696ca9424bd2a934 mbs2/SRPMS/tomcat-7.0.59-1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04657823 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04657823 Version: 1 HPSBGN03329 rev.1 - HP SDN VAN Controller, Remote Denial of Service (DoS), Distributed Denial of Service (DDoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-05-11 Last Updated: 2015-05-11 Potential Security Impact: Remote Denial of Service (DoS), Distributed Denial of Service (DDoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP SDN VAN Controller. The vulnerabilities could be remotely exploited resulting in Denial of Service (DoS) or a Distributed Denial of Service (DDoS). References: CVE-2014-0050 Remote Denial of Service (DoS) CVE-2015-2122 Remote Distributed Denial of Service (DDoS) SSRT102049 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP SDN VAN Controller version 2.5 and earlier. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-0050 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2015-2122 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP recommends either of the two following workarounds for the vulnerabilities in the HP SDN VAN Controller. - The network for the server running the HP SDN VAN Controller management VLAN should be on a separate and isolated "management" VLAN. - Configure the firewall on the server running HP SDN VAN Controller so that the only network traffic allowed to the REST port is from trusted servers on the network that need to use the REST layer. For example: the Microsoft Lync Server for Optimizer. For more detailed information, please refer to the "Securing REST layer Access on HP VAN SDN Controllers" article at the following location: http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=em r_na-c04676756 HISTORY Version:1 (rev.1) - 11 May 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Tomcat 7 and 8 are therefore affected by this issue. While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators. This issue was reported responsibly to the Apache Software Foundation via JPCERT but an error in addressing an e-mail led to the unintended early disclosure of this issue[1]. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Commons FileUpload 1.3.1 or later once released - - Upgrade to Apache Tomcat 8.0.2 or later once released - - Upgrade to Apache Tomcat 7.0.51 or later once released - - Apply the appropriate patch - Commons FileUpload: http://svn.apache.org/r1565143 - Tomcat 8: http://svn.apache.org/r1565163 - Tomcat 7: http://svn.apache.org/r1565169 - - Limit the size of the Content-Type header to less than 4091 bytes Credit: This issue was reported to the Apache Software Foundation via JPCERT. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. (CVE-2013-4286) It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). Bugs fixed (https://bugzilla.redhat.com/): 1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream 1069905 - CVE-2013-4322 tomcat: incomplete fix for CVE-2012-3544 1069921 - CVE-2013-4286 tomcat: multiple content-length header poisoning flaws 5. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials. CVE-2013-2071 A runtime exception in AsyncListener.onComplete() prevents the request from being recycled. This may expose elements of a previous request to a current request. CVE-2013-4322 When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. by streaming an unlimited amount of data to the server. For the stable distribution (wheezy), these problems have been fixed in version 7.0.28-4+deb7u1. For the testing distribution (jessie), these problems have been fixed in version 7.0.52-1. For the unstable distribution (sid), these problems have been fixed in version 7.0.52-1. We recommend that you upgrade your tomcat7 packages. Description: Fuse ESB Enterprise is an integration platform based on Apache ServiceMix. This release of Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3 is an update to Fuse ESB Enterprise 7.1.0 and Fuse MQ Enterprise 7.1.0. It includes various bug fixes, which are listed in the README file included with the patch files. The following security issues are also addressed with this release: It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. (CVE-2013-7285) It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. (CVE-2014-0003) It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. (CVE-2013-6440) It was found that the Apache Camel XSLT component would resolve entities in XML messages when transforming them using an XSLT route. Details on the update and each vulnerability are in the KM articles below. **Note:** The resolution for each vulnerability listed is to upgrade to SiteScope 11.32IP2 or an even more recent version of SiteScope if available. The SiteScope update can be can found in the personal zone in "my updates" in HPE Software Support Online: <https://softwaresupport.hpe.com>. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss A-MQ 6.1.0 update Advisory ID: RHSA-2014:0401-02 Product: Red Hat JBoss A-MQ Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0401.html Issue date: 2014-04-14 CVE Names: CVE-2013-2035 CVE-2013-2192 CVE-2013-4152 CVE-2013-6429 CVE-2013-6430 CVE-2014-0050 CVE-2014-0054 CVE-2014-0085 CVE-2014-1904 ===================================================================== 1. Summary: Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the link in the References section, for a list of changes. The following security issues are resolved with this update: A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle attacker could possibly use this flaw to unilaterally disable bidirectional authentication between a client and a server, forcing a downgrade to simple (unidirectional) authentication. This flaw only affected users who have enabled Hadoop's Kerberos security features. (CVE-2013-2192) It was discovered that the Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and provides a configuration directive to re-enable it. (CVE-2013-4152) It was found that the Spring MVC SourceHttpMessageConverter enabled entity resolution by default. A remote attacker could use this flaw to conduct XXE attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and introduces a property to re-enable it. (CVE-2013-6429) The Spring JavaScript escape method insufficiently escaped some characters. Applications using this method to escape user-supplied content, which would be rendered in HTML5 documents, could be exposed to cross-site scripting (XSS) flaws. (CVE-2013-6430) A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. (CVE-2014-0050) It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues in Spring were incomplete. Spring MVC processed user-provided XML and neither disabled XML external entities nor provided an option to disable them, possibly allowing a remote attacker to conduct XXE attacks. (CVE-2014-0054) A cross-site scripting (XSS) flaw was found in the Spring Framework when using Spring MVC. When the action was not specified in a Spring form, the action field would be populated with the requested URI, allowing an attacker to inject malicious content into the form. (CVE-2014-1904) The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035) An information disclosure flaw was found in the way Apache Zookeeper stored the password of an administrative user in the log files. A local user with access to these log files could use the exposed sensitive information to gain administrative access to an application using Apache Zookeeper. (CVE-2014-0085) The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat Product Security Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of Red Hat. All users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution 1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw 1001326 - CVE-2013-2192 hadoop: man-in-the-middle vulnerability 1039783 - CVE-2013-6430 Spring Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters 1053290 - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw 1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream 1067265 - CVE-2014-0085 Apache Zookeeper: admin user cleartext password appears in logging 1075296 - CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC 1075328 - CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-4152/CVE-2013-6429 5. References: https://www.redhat.com/security/data/cve/CVE-2013-2035.html https://www.redhat.com/security/data/cve/CVE-2013-2192.html https://www.redhat.com/security/data/cve/CVE-2013-4152.html https://www.redhat.com/security/data/cve/CVE-2013-6429.html https://www.redhat.com/security/data/cve/CVE-2013-6430.html https://www.redhat.com/security/data/cve/CVE-2014-0050.html https://www.redhat.com/security/data/cve/CVE-2014-0054.html https://www.redhat.com/security/data/cve/CVE-2014-0085.html https://www.redhat.com/security/data/cve/CVE-2014-1904.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0 https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTS/SnXlSAg2UNWIIRAjfhAJ9FI0X+7Dz06mH7UxBXwT82JEYWdACgn/2k ft7Xn9xiuZb/emiN+JXVSF4= =qShr -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS