ID

VAR-201405-0541

CVE

CVE-2014-0099

TITLE

Apache Tomcat of java/org/apache/tomcat/util/buf/Ascii.java Integer overflow vulnerability

DESCRIPTION

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Data Grid 6.3.0 update Advisory ID: RHSA-2014:0895-01 Product: Red Hat JBoss Data Grid Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0895.html Issue date: 2014-07-16 CVE Names: CVE-2014-0058 CVE-2014-0059 CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 ===================================================================== 1. Summary: Red Hat JBoss Data Grid 6.3.0, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.3.0 serves as a replacement for Red Hat JBoss Data Grid 6.2.1. It includes various bug fixes and enhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0 Release Notes. The Release Notes will be available shortly from https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/ This update also fixes the following security issues: It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that JBoss Web did not check for overflowing values when parsing request content length headers. (CVE-2014-0099) It was found that the security audit functionality, provided by Red Hat JBoss Data Grid, logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. Refer to the Solution section of this advisory for additional information on the fix for this issue. (CVE-2014-0058) It was found that the security auditing functionality provided by PicketBox and JBossSX, both security frameworks for Java applications, used a world-readable audit.log file to record sensitive information. A local user could possibly use this flaw to gain access to the sensitive information in the audit.log file. (CVE-2014-0059) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web instance. (CVE-2014-0119) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All users of Red Hat JBoss Data Grid 6.2.1 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.3.0. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Data Grid installation. The provided patch to fix CVE-2014-0058 also allows greater control over which of the following components of web requests are captured in audit logs: - - parameters - - cookies - - headers - - attributes It is also possible to selectively mask some elements of headers, parameters, cookies, and attributes using masks. This capability is provided by two system properties, which are introduced by this patch: 1) org.jboss.security.web.audit Description: This property controls the granularity of the security auditing of web requests. Possible values: off = Disables auditing of web requests headers = Audits only the headers of web requests cookies = Audits only the cookies of web requests parameters = Audits only the parameters of web requests attributes = Audits only the attributes of web requests headers,cookies,parameters = Audits the headers, cookies, and parameters of web requests headers,cookies = Audits the headers and cookies of web requests Default Value: headers, parameters Examples: Setting "org.jboss.security.web.audit=off" disables security auditing of web requests entirely. Setting "org.jboss.security.web.audit=headers" enables security auditing of only headers in web requests. 2) org.jboss.security.web.audit.mask Description: This property can be used to specify a list of strings to be matched against headers, parameters, cookies, and attributes of web requests. Any element matching the specified masks will be excluded from security audit logging. Possible values: Any comma separated string indicating keys of headers, parameters, cookies, and attributes. Default Value: j_password, authorization Note that currently the matching of the masks is fuzzy rather than strict. For example, a mask of "authorization" will mask both the header called authorization and the parameter called "custom_authorization". A future release may introduce strict masks. 4. Bugs fixed (https://bugzilla.redhat.com/): 1063641 - CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit 1063642 - CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file 1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header 1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application 5. References: https://www.redhat.com/security/data/cve/CVE-2014-0058.html https://www.redhat.com/security/data/cve/CVE-2014-0059.html https://www.redhat.com/security/data/cve/CVE-2014-0075.html https://www.redhat.com/security/data/cve/CVE-2014-0096.html https://www.redhat.com/security/data/cve/CVE-2014-0099.html https://www.redhat.com/security/data/cve/CVE-2014-0119.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTxsOWXlSAg2UNWIIRAnvFAJ9oo6SpbAMA5fFfcl87bkcnKma7jQCeOY3U BKYtD4zlGceUuD+E3C1i3vE= =swqj -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. Refer to the JBoss Operations Network 3.2.3 Release Notes for installation information. Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data (CVE-2013-4322). java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096). In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227 http://advisories.mageia.org/MGASA-2014-0110.html http://advisories.mageia.org/MGASA-2014-0149.html http://advisories.mageia.org/MGASA-2014-0268.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 58f55f0050c7ac4eb3c31308cc62d244 mbs2/x86_64/tomcat-7.0.59-1.mbs2.noarch.rpm 9c28750a8ec902d5bde42748a14d99ab mbs2/x86_64/tomcat-admin-webapps-7.0.59-1.mbs2.noarch.rpm b62639d405462dc9f28fd4afe11ddd57 mbs2/x86_64/tomcat-docs-webapp-7.0.59-1.mbs2.noarch.rpm 57b85f852426d5c7e282542165d2ea6f mbs2/x86_64/tomcat-el-2.2-api-7.0.59-1.mbs2.noarch.rpm 8410dbab11abe4f307576ecd657e427c mbs2/x86_64/tomcat-javadoc-7.0.59-1.mbs2.noarch.rpm aaffb8c0cd7d82c6dcb1b0ecc00dc7c8 mbs2/x86_64/tomcat-jsp-2.2-api-7.0.59-1.mbs2.noarch.rpm 538438ca90caa2eb6f49bca3bb6e0e2e mbs2/x86_64/tomcat-jsvc-7.0.59-1.mbs2.noarch.rpm 9a2d902c3a3e24af3f2da240c42c787f mbs2/x86_64/tomcat-lib-7.0.59-1.mbs2.noarch.rpm af5562b305ae7fd1406a9c94c9316cb5 mbs2/x86_64/tomcat-log4j-7.0.59-1.mbs2.noarch.rpm 3349a91a1667f299641e16aed4c3aadc mbs2/x86_64/tomcat-servlet-3.0-api-7.0.59-1.mbs2.noarch.rpm 4777adcbc177da7e1b8b158d6186141c mbs2/x86_64/tomcat-webapps-7.0.59-1.mbs2.noarch.rpm b832a8fcd47ae9fb696ca9424bd2a934 mbs2/SRPMS/tomcat-7.0.59-1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVFl05mqjQ0CJFipgRAniKAKC/MpUAj48M/7CzWXB4hv87uo99lwCg4Em4 9yRzhuJFw0DWd+dOc4antEU= =SHMh -----END PGP SIGNATURE----- . Description: Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure. It includes various bug fixes, which are listed in the README file included with the patch files. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. ============================================================================ Ubuntu Security Notice USN-2302-1 July 30, 2014 tomcat6, tomcat7 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Several security issues were fixed in Tomcat. Software Description: - tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine Details: David Jorm discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. (CVE-2014-0075) It was discovered that Tomcat did not properly restrict XSLT stylesheets. (CVE-2014-0096) It was discovered that Tomcat incorrectly handled certain Content-Length headers. (CVE-2014-0099) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: libtomcat7-java 7.0.52-1ubuntu0.1 Ubuntu 12.04 LTS: libtomcat6-java 6.0.35-1ubuntu3.5 Ubuntu 10.04 LTS: libtomcat6-java 6.0.24-2ubuntu1.16 In general, a standard system update will make all the necessary changes. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: A test case that demonstrated the parsing bug was sent to the Tomcat security team but no context was provided. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04483248 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04483248 Version: 1 HPSBUX03150 SSRT101681 rev.1 - HP-UX Apache Server Suite running Apache Tomcat or PHP, Remote Denial of Service (DoS) and Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-10-20 Last Updated: 2014-10-20 Potential Security Impact: Remote Denial of Service (DoS), man-in-the-middle (MitM) attack, HTTP request smuggling, modification of data; local modification of data Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities. References: CVE-2013-4248 - PHP: man-in-the-middle (MitM) attack CVE-2013-4286 - Tomcat: remote HTTP request smuggling CVE-2013-6438 - Tomcat: remote Denial of Service (DoS) CVE-2014-0075 - Tomcat: remote Denial of Service (DoS) CVE-2014-0098 - Tomcat: remote Denial of Service (DoS) CVE-2014-0099 - Tomcat: remote HTTP request smuggling CVE-2014-3981 - PHP: local modification of data SSRT101681 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23 running HP-UX Apache Web Server Suite v3.29 or earlier HP-UX B.11.23 running Tomcat v5.5.36.01 or earlier HP-UX B.11.23 running PHP v5.2.17.03 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-4248 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2013-4286 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8 CVE-2013-6438 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0075 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0098 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0099 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2014-3981 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates to resolve the vulnerabilities. The updates are available for download from http://software.hp.com NOTE: HP-UX Web Server Suite v3.30 HPUXWSATW330 contains Apache v2.2.15.21, Tomcat Servlet Engine 5.5.36.02, and PHP 5.2.17.04 HP-UX 11i Release Apache Depot name B.11.23 (11i v2 32-bit) HP_UX_11.23_HPUXWS22ATW-B330-11-23-32.depot B.11.23 (11i v2 64-bit) HP_UX_11.23_HPUXWS22ATW-B330-11-23-64.depot MANUAL ACTIONS: Yes - Update Install HP-UX Web Server Suite v3.30 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.23 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 hpuxws22TOMCAT.TOMCAT action: install revision B.2.2.15.21 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 20 October 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. For the oldstable distribution (wheezy), these problems have been fixed in version 6.0.45+dfsg-1~deb7u1

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

digital error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-06-27T21:02:35.322000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE