ID

VAR-201405-0543

CVE

CVE-2014-0075

TITLE

Apache Tomcat of java/org/apache/coyote/http11/filters/ChunkedInputFilter.java Integer overflow vulnerability

DESCRIPTION

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: tomcat security update Advisory ID: RHSA-2014:0827-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0827.html Issue date: 2014-07-02 CVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 ===================================================================== 1. Summary: Updated tomcat packages that fix three security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. (CVE-2014-0075) It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Server (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0075.html https://www.redhat.com/security/data/cve/CVE-2014-0096.html https://www.redhat.com/security/data/cve/CVE-2014-0099.html https://access.redhat.com/security/updates/classification/#moderate http://tomcat.apache.org/security-7.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTs8+9XlSAg2UNWIIRAglqAJ4sw3DT+V4pFReZSRvkoW+f90gxdgCdFn5e bVOeybWcY1fm+xgpnE7T2ZM= =O2as -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . This enabled a denial of service attack. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: This issue was reported to the Tomcat security team by David Jorm of the Red Hat Security Response Team. (CVE-2014-0096) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web instance. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:052 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : tomcat Date : March 3, 2015 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated tomcat packages fix security vulnerabilities: Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request&#039;s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a Transfer-Encoding: chunked header (CVE-2013-4286). java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096). The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS NzlDtJatpPDeZdZ4nlO1fgg= =NWBY -----END PGP SIGNATURE----- . Solution: The References section of this erratum contains a download link (you must log in to download the update). It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This update also fixes the following bug: The tomcat6-lib-6.0.37-19_patch_04.ep6.el5 package, provided as a dependency of Red Hat JBoss Web Server 2.0.1, included a build of commons-dbcp.jar that used an incorrect java package name, causing applications using this dependency to not function properly. With this update, the java package name has been corrected. This update also fixes the following bugs: * The patch that resolved the CVE-2014-0050 issue contained redundant code. This update removes the redundant code. (BZ#1094528) * The patch that resolved the CVE-2013-4322 issue contained an invalid check that triggered a java.io.EOFException while reading trailer headers for chunked requests. This update fixes the check and the aforementioned exception is no longer triggered in the described scenario. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Apache Tomcat: Multiple vulnerabilities Date: December 15, 2014 Bugs: #442014, #469434, #500600, #511762, #517630, #519590 ID: 201412-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Apache Tomcat, the worst of which may result in Denial of Service. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/tomcat < 7.0.56 *>= 6.0.41 >= 7.0.56 Description =========== Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker may be able to cause a Denial of Service condition as well as obtain sensitive information, bypass protection mechanisms and authentication restrictions. Workaround ========== There is no known workaround at this time. Resolution ========== All Tomcat 6.0.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.41" All Tomcat 7.0.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.56" References ========== [ 1 ] CVE-2012-2733 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2733 [ 2 ] CVE-2012-3544 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3544 [ 3 ] CVE-2012-3546 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3546 [ 4 ] CVE-2012-4431 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4431 [ 5 ] CVE-2012-4534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4534 [ 6 ] CVE-2012-5885 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5885 [ 7 ] CVE-2012-5886 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5886 [ 8 ] CVE-2012-5887 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5887 [ 9 ] CVE-2013-2067 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2067 [ 10 ] CVE-2013-2071 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2071 [ 11 ] CVE-2013-4286 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4286 [ 12 ] CVE-2013-4322 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4322 [ 13 ] CVE-2013-4590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4590 [ 14 ] CVE-2014-0033 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0033 [ 15 ] CVE-2014-0050 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0050 [ 16 ] CVE-2014-0075 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0075 [ 17 ] CVE-2014-0096 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0096 [ 18 ] CVE-2014-0099 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0099 [ 19 ] CVE-2014-0119 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0119 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-29.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

digital error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-09-18T23:04:16.827000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE