Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2014/05/27 14:46:55 UTC

[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

CVE-2014-0119 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39

Description:
In limited circumstances it was possible for a malicious web application
to replace the XML parsers used by Tomcat to process XSLTs for the
default servlet, JSP documents, tag library descriptors (TLDs) and tag
plugin configuration files. The injected XML parser(s) could then bypass
the limits imposed on XML external entities and/or have visibility of
the XML files processed for other web applications deployed on the same
Tomcat instance.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.8 or later
  (8.0.6 and 8.0.7 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.54 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
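The hardening pattern behind the advisory, as an added example that is neither Tomcat's code nor the actual fix: a container should resolve its XML parser against its own class loader, not against whatever the current thread's context class loader happens to be, and then lock the parser down so that external entities cannot be fetched. The example assumes that JAXP's service-provider lookup through the thread context class loader is the channel by which a deployed WAR can substitute a parser (the advisory does not name the mechanism), and that the class loader of the example class stands in for the container's loader and resolves to the JDK's built-in Xerces-derived parser, which recognises the Apache feature URIs used below. All input documents are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not Tomcat code): resolve the JAXP factory with the
 * container's class loader and disable external entity handling, so a WAR
 * can neither substitute its own parser nor make the container's parser
 * fetch external resources.
 */
public class PinnedXmlParser {

    /* Assumption: the loader that loaded this class stands in for the
     * container's loader. In a servlet container that must be the loader of
     * the container classes, never a web application's loader. */
    private static final ClassLoader CONTAINER_LOADER =
            PinnedXmlParser.class.getClassLoader();

    /** The lookup a web application can influence (assumed mechanism): JAXP
     *  consults the thread context class loader, which on a request thread is
     *  the web application's loader, so a
     *  META-INF/services/javax.xml.parsers.DocumentBuilderFactory entry in the
     *  WAR can name a substitute implementation. */
    static DocumentBuilderFactory contextLoaderFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Lookup performed with the container's loader installed as the context
     *  loader for the duration of the call, then hardened. A parser that does
     *  not recognise one of the features throws ParserConfigurationException,
     *  so an unexpected implementation fails closed instead of silently
     *  ignoring the entity limits. */
    static DocumentBuilderFactory pinnedHardenedFactory()
            throws ParserConfigurationException {
        Thread t = Thread.currentThread();
        ClassLoader previous = t.getContextClassLoader();
        t.setContextClassLoader(CONTAINER_LOADER);
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Xerces feature URIs, supported by the JDK's built-in parser.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            return f;
        } finally {
            t.setContextClassLoader(previous);
        }
    }

    /** Parses the document with the given factory; true if it was accepted. */
    static boolean accepts(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(
                    xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // The hardened parser rejects any DOCTYPE, so an external entity
            // declaration is refused before anything is fetched.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document and one carrying an external entity.
        String benign = "<?xml version=\"1.0\"?><root><a>1</a></root>";
        String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
                + "<root>&ext;</root>";

        DocumentBuilderFactory f = pinnedHardenedFactory();
        System.out.println("factory class:   " + f.getClass().getName());
        System.out.println("benign accepted: " + accepts(f, benign));
        System.out.println("xxe accepted:    " + accepts(f, xxe));
    }
}
```

Two caveats a practitioner should keep in mind. Swapping the context class loader is only effective if the container controls the other two JAXP lookup inputs as well, the javax.xml.parsers.DocumentBuilderFactory system property and jaxp.properties, since a web application that may call System.setProperty can still redirect the lookup; and the printed factory class name is the check worth keeping in a startup log, because a parser that is not the one the container was built against is exactly the condition this advisory describes.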

Re: [SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-05-27 16:46 GMT+04:00 Mark Thomas <ma...@apache.org>:
> CVE-2014-0119 Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.5
> - Apache Tomcat 7.0.0 to 7.0.53
> - Apache Tomcat 6.0.0 to 6.0.39
>
> Description:
> In limited circumstances it was possible for a malicious web application
> to replace the XML parsers used by Tomcat to process XSLTs for the
> default servlet, JSP documents, tag library descriptors (TLDs) and tag
> plugin configuration files. The injected XML parser(s) could then bypass
> the limits imposed on XML external entities and/or have visibility of
> the XML files processed for other web applications deployed on the same
> Tomcat instance.
>

The "default servlet" part of this issue was fixed by the following commits:

http://svn.apache.org/r1588193
http://svn.apache.org/r1588199
http://svn.apache.org/r1589640

Best regards,
Konstantin Kolinko
