ID

VAR-201405-0541

CVE

CVE-2014-0099

TITLE

Apache Tomcat of java/org/apache/tomcat/util/buf/Ascii.java Integer overflow vulnerability

DESCRIPTION

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Data Grid 6.3.0 update Advisory ID: RHSA-2014:0895-01 Product: Red Hat JBoss Data Grid Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0895.html Issue date: 2014-07-16 CVE Names: CVE-2014-0058 CVE-2014-0059 CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 ===================================================================== 1. Summary: Red Hat JBoss Data Grid 6.3.0, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.3.0 serves as a replacement for Red Hat JBoss Data Grid 6.2.1. It includes various bug fixes and enhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0 Release Notes. The Release Notes will be available shortly from https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/ This update also fixes the following security issues: It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that JBoss Web did not check for overflowing values when parsing request content length headers. (CVE-2014-0099) It was found that the security audit functionality, provided by Red Hat JBoss Data Grid, logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. Refer to the Solution section of this advisory for additional information on the fix for this issue. (CVE-2014-0058) It was found that the security auditing functionality provided by PicketBox and JBossSX, both security frameworks for Java applications, used a world-readable audit.log file to record sensitive information. A local user could possibly use this flaw to gain access to the sensitive information in the audit.log file. (CVE-2014-0059) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web instance. (CVE-2014-0119) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All users of Red Hat JBoss Data Grid 6.2.1 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.3.0. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Data Grid installation. The provided patch to fix CVE-2014-0058 also allows greater control over which of the following components of web requests are captured in audit logs: - - parameters - - cookies - - headers - - attributes It is also possible to selectively mask some elements of headers, parameters, cookies, and attributes using masks. This capability is provided by two system properties, which are introduced by this patch: 1) org.jboss.security.web.audit Description: This property controls the granularity of the security auditing of web requests. Possible values: off = Disables auditing of web requests headers = Audits only the headers of web requests cookies = Audits only the cookies of web requests parameters = Audits only the parameters of web requests attributes = Audits only the attributes of web requests headers,cookies,parameters = Audits the headers, cookies, and parameters of web requests headers,cookies = Audits the headers and cookies of web requests Default Value: headers, parameters Examples: Setting "org.jboss.security.web.audit=off" disables security auditing of web requests entirely. Setting "org.jboss.security.web.audit=headers" enables security auditing of only headers in web requests. 2) org.jboss.security.web.audit.mask Description: This property can be used to specify a list of strings to be matched against headers, parameters, cookies, and attributes of web requests. Any element matching the specified masks will be excluded from security audit logging. Possible values: Any comma separated string indicating keys of headers, parameters, cookies, and attributes. Default Value: j_password, authorization Note that currently the matching of the masks is fuzzy rather than strict. For example, a mask of "authorization" will mask both the header called authorization and the parameter called "custom_authorization". A future release may introduce strict masks. 4. Bugs fixed (https://bugzilla.redhat.com/): 1063641 - CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit 1063642 - CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file 1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header 1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application 5. References: https://www.redhat.com/security/data/cve/CVE-2014-0058.html https://www.redhat.com/security/data/cve/CVE-2014-0059.html https://www.redhat.com/security/data/cve/CVE-2014-0075.html https://www.redhat.com/security/data/cve/CVE-2014-0096.html https://www.redhat.com/security/data/cve/CVE-2014-0099.html https://www.redhat.com/security/data/cve/CVE-2014-0119.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTxsOWXlSAg2UNWIIRAnvFAJ9oo6SpbAMA5fFfcl87bkcnKma7jQCeOY3U BKYtD4zlGceUuD+E3C1i3vE= =swqj -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:052 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : tomcat Date : March 3, 2015 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated tomcat packages fix security vulnerabilities: Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request&#039;s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a Transfer-Encoding: chunked header (CVE-2013-4286). Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data (CVE-2013-4322). java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096). In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227 http://advisories.mageia.org/MGASA-2014-0148.html http://advisories.mageia.org/MGASA-2014-0268.html http://advisories.mageia.org/MGASA-2015-0081.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: dce2bd5077a8e201da2a52717f3ef3a4 mbs1/x86_64/tomcat-7.0.59-1.mbs1.noarch.rpm 7908cc5facecb5c65c976cdff41b1d7c mbs1/x86_64/tomcat-admin-webapps-7.0.59-1.mbs1.noarch.rpm 21d8b843398fa256f05b1ad8464b6787 mbs1/x86_64/tomcat-docs-webapp-7.0.59-1.mbs1.noarch.rpm 27218eccc1ba454ef1cafea51976475a mbs1/x86_64/tomcat-el-2.2-api-7.0.59-1.mbs1.noarch.rpm cc0f94bb899c3a82ecb1daa0cccd40b9 mbs1/x86_64/tomcat-javadoc-7.0.59-1.mbs1.noarch.rpm 60c451802ce55df14445d2a560f544f8 mbs1/x86_64/tomcat-jsp-2.2-api-7.0.59-1.mbs1.noarch.rpm d7598284719161790f2617b715dbe444 mbs1/x86_64/tomcat-jsvc-7.0.59-1.mbs1.noarch.rpm 90279c92333646b38010bcf54f488e4a mbs1/x86_64/tomcat-lib-7.0.59-1.mbs1.noarch.rpm e8b29b53c91bee0b3ffdd224c6b00038 mbs1/x86_64/tomcat-log4j-7.0.59-1.mbs1.noarch.rpm a648279678ad5c804e8f7f9145ec794c mbs1/x86_64/tomcat-servlet-3.0-api-7.0.59-1.mbs1.noarch.rpm f0cb2c5e57edc0c4f7cda66d393165fb mbs1/x86_64/tomcat-webapps-7.0.59-1.mbs1.noarch.rpm cdaa6216b605cc23635cdeb4f77d32f9 mbs1/SRPMS/tomcat-7.0.59-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS NzlDtJatpPDeZdZ4nlO1fgg= =NWBY -----END PGP SIGNATURE----- . JBoss Data Virtualization makes data spread across physically distinct systems—such as multiple databases, XML files, and even Hadoop systems—appear as a set of tables in a local database. It includes various bug fixes, which are listed in the README file included with the patch files. The following security issues are also fixed with this release, descriptions of which can be found on the respective CVE pages linked in the References section. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04483248 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04483248 Version: 1 HPSBUX03150 SSRT101681 rev.1 - HP-UX Apache Server Suite running Apache Tomcat or PHP, Remote Denial of Service (DoS) and Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-10-20 Last Updated: 2014-10-20 Potential Security Impact: Remote Denial of Service (DoS), man-in-the-middle (MitM) attack, HTTP request smuggling, modification of data; local modification of data Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities. References: CVE-2013-4248 - PHP: man-in-the-middle (MitM) attack CVE-2013-4286 - Tomcat: remote HTTP request smuggling CVE-2013-6438 - Tomcat: remote Denial of Service (DoS) CVE-2014-0075 - Tomcat: remote Denial of Service (DoS) CVE-2014-0098 - Tomcat: remote Denial of Service (DoS) CVE-2014-0099 - Tomcat: remote HTTP request smuggling CVE-2014-3981 - PHP: local modification of data SSRT101681 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23 running HP-UX Apache Web Server Suite v3.29 or earlier HP-UX B.11.23 running Tomcat v5.5.36.01 or earlier HP-UX B.11.23 running PHP v5.2.17.03 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-4248 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2013-4286 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8 CVE-2013-6438 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0075 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0098 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0099 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2014-3981 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates to resolve the vulnerabilities. The updates are available for download from http://software.hp.com NOTE: HP-UX Web Server Suite v3.30 HPUXWSATW330 contains Apache v2.2.15.21, Tomcat Servlet Engine 5.5.36.02, and PHP 5.2.17.04 HP-UX 11i Release Apache Depot name B.11.23 (11i v2 32-bit) HP_UX_11.23_HPUXWS22ATW-B330-11-23-32.depot B.11.23 (11i v2 64-bit) HP_UX_11.23_HPUXWS22ATW-B330-11-23-64.depot MANUAL ACTIONS: Yes - Update Install HP-UX Web Server Suite v3.30 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.23 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 hpuxws22TOMCAT.TOMCAT action: install revision B.2.2.15.21 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 20 October 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. For the oldstable distribution (wheezy), these problems have been fixed in version 6.0.45+dfsg-1~deb7u1

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow, arbitrary

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-01-01T21:27:20.882000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE