VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201406-0153 CVE-2014-4159 SAP Supplier Relationship Management Open redirect vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. Supplementary information : CWE Vulnerability type by CWE-601: URL Redirection to Untrusted Site ( Open redirect ) Has been identified. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. Other attacks are possible
VAR-201405-0543 CVE-2014-0075 Apache Tomcat CVE-2014-0075 Chunk Request Remote Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. Apache Tomcat is prone to a remote denial-of-service vulnerability because it fails to properly bounds check user-supplied input. An attacker can exploit this issue to cause denial-of-service conditions; denying service to legitimate users. The following versions are vulnerable: Apache Tomcat 8.0.0-RC1 to 8.0.3 Apache Tomcat 7.0.0 to 7.0.52 Apache Tomcat 6.0.0 to 6.0.39. Description: Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. It includes various bug fixes and enhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0 Release Notes. (CVE-2014-0099) It was found that the security audit functionality, provided by Red Hat JBoss Data Grid, logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. Refer to the Solution section of this advisory for additional information on the fix for this issue. (CVE-2014-0096) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web instance. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Data Grid installation. The provided patch to fix CVE-2014-0058 also allows greater control over which of the following components of web requests are captured in audit logs: - - parameters - - cookies - - headers - - attributes It is also possible to selectively mask some elements of headers, parameters, cookies, and attributes using masks. This capability is provided by two system properties, which are introduced by this patch: 1) org.jboss.security.web.audit Description: This property controls the granularity of the security auditing of web requests. Possible values: off = Disables auditing of web requests headers = Audits only the headers of web requests cookies = Audits only the cookies of web requests parameters = Audits only the parameters of web requests attributes = Audits only the attributes of web requests headers,cookies,parameters = Audits the headers, cookies, and parameters of web requests headers,cookies = Audits the headers and cookies of web requests Default Value: headers, parameters Examples: Setting "org.jboss.security.web.audit=off" disables security auditing of web requests entirely. Setting "org.jboss.security.web.audit=headers" enables security auditing of only headers in web requests. 2) org.jboss.security.web.audit.mask Description: This property can be used to specify a list of strings to be matched against headers, parameters, cookies, and attributes of web requests. Any element matching the specified masks will be excluded from security audit logging. Possible values: Any comma separated string indicating keys of headers, parameters, cookies, and attributes. Default Value: j_password, authorization Note that currently the matching of the masks is fuzzy rather than strict. For example, a mask of "authorization" will mask both the header called authorization and the parameter called "custom_authorization". A future release may introduce strict masks. Description: Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure. It includes various bug fixes, which are listed in the README file included with the patch files. The following security issues are also fixed with this release, descriptions of which can be found on the respective CVE pages linked in the References section. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: tomcat security update Advisory ID: RHSA-2014:0827-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0827.html Issue date: 2014-07-02 CVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 ===================================================================== 1. Summary: Updated tomcat packages that fix three security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. (CVE-2014-0075) It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Server (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: tomcat-7.0.42-6.el7_0.src.rpm noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0075.html https://www.redhat.com/security/data/cve/CVE-2014-0096.html https://www.redhat.com/security/data/cve/CVE-2014-0099.html https://access.redhat.com/security/updates/classification/#moderate http://tomcat.apache.org/security-7.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTs8+9XlSAg2UNWIIRAglqAJ4sw3DT+V4pFReZSRvkoW+f90gxdgCdFn5e bVOeybWcY1fm+xgpnE7T2ZM= =O2as -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . This enabled a denial of service attack. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: This issue was reported to the Tomcat security team by David Jorm of the Red Hat Security Response Team. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:052 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : tomcat Date : March 3, 2015 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated tomcat packages fix security vulnerabilities: Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request&#039;s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a Transfer-Encoding: chunked header (CVE-2013-4286). java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096). The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS NzlDtJatpPDeZdZ4nlO1fgg= =NWBY -----END PGP SIGNATURE----- . Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. For the oldstable distribution (wheezy), these problems have been fixed in version 6.0.45+dfsg-1~deb7u1. This update also fixes the following bugs: * The patch that resolved the CVE-2014-0050 issue contained redundant code. This update removes the redundant code. (BZ#1094528) * The patch that resolved the CVE-2013-4322 issue contained an invalid check that triggered a java.io.EOFException while reading trailer headers for chunked requests. This update fixes the check and the aforementioned exception is no longer triggered in the described scenario
VAR-201406-0302 CVE-2014-3280 Cisco Unified Communications Domain Manager of VOSS of Web Vulnerability in obtaining important user information in the framework CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain potentially sensitive user information by visiting an unspecified Administration GUI web page, aka Bug IDs CSCun46045 and CSCun46116. Attackers can exploit this issue to retrieve sensitive information. Information harvested may aid in launching further attacks. This issue is tracked by Cisco Bug IDs CSCun46045 and CSCun46116. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
VAR-201405-0350 CVE-2014-3277 Cisco Unified Communications Domain Manager of VOSS Vulnerable to obtaining important user and group information CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain sensitive user and group information by leveraging Location Administrator privileges and entering a crafted URL, aka Bug ID CSCum77005. Cisco Unified Communications Domain Manager is prone to an information-disclosure vulnerability. Attackers can exploit this issue to retrieve sensitive information. Information harvested may aid in launching further attacks. This issue is tracked by Cisco Bug ID CSCum77005. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
VAR-201405-0352 CVE-2014-3282 Cisco Unified Communications Domain Manager of VOSS of Web Vulnerability in obtaining important number conversion information in the framework CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain sensitive number-translation information by leveraging Location Administrator privileges and entering a crafted URL, aka Bug ID CSCum76930. Vendors have confirmed this vulnerability Bug ID CSCum76930 It is released as.By a remotely authenticated user Location Administrator Authorized and crafted URL , You may get important number translation information. Cisco Unified Communications Domain Manager is prone to an information-disclosure vulnerability. Attackers can exploit this issue to retrieve sensitive information like Admin number translation. Information harvested may aid in launching further attacks. This issue is tracked by Cisco Bug ID CSCum76930. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
VAR-201405-0353 CVE-2014-3283 Cisco Unified Communications Domain Manager of VOSS of Web Open redirect vulnerability in the framework CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Open redirect vulnerability in Self-Care Client Portal applications in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL, aka Bug ID CSCun79731. Vendors have confirmed this vulnerability Bug ID CSCun79731 It is released as. Supplementary information : CWE Vulnerability type by CWE-601: URL Redirection to Untrusted Site ( Open redirect ) Has been identified. http://cwe.mitre.org/data/definitions/601.htmlSkillfully crafted by a third party URL Any user through Web You may be redirected to a site and run a phishing attack. An attacker can leverage this issue to conduct phishing attacks; other attacks are possible. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
VAR-201405-0351 CVE-2014-3279 Cisco Unified Communications Domain Manager of VOSS of Web Vulnerability in enumerating account names in the framework CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote attackers to enumerate account names via a crafted URL, aka Bug IDs CSCun39631 and CSCun39643. Vendors have confirmed this vulnerability Bug ID CSCun39631 and CSCun39643 It is released as.Skillfully crafted by a third party URL Account names may be enumerated via. Cisco Unified Communications Domain Manager is prone to a user-enumeration vulnerability. An attacker may leverage this issue to harvest valid user accounts, which may aid in brute-force attacks. This issue being tracked by Cisco Bug IDs CSCun39631 and CSCun39643. This component features scalable, distributed, and highly available enterprise Voice over IP call processing. A remote attacker could use a specially crafted URL to exploit this vulnerability to enumerate user accounts
VAR-201405-0541 CVE-2014-0099 Apache Tomcat Digital error vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. Apache Tomcat is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. The following versions are vulnerable: Apache Tomcat 8.0.0-RC1 to 8.0.3 Apache Tomcat 7.0.0 to 7.0.52 Apache Tomcat 6.0.0 to 6.0.39. Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data (CVE-2013-4322). java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096). In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227). The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVFl05mqjQ0CJFipgRAniKAKC/MpUAj48M/7CzWXB4hv87uo99lwCg4Em4 9yRzhuJFw0DWd+dOc4antEU= =SHMh -----END PGP SIGNATURE----- . Description: Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems-such as multiple databases, XML files, and even Hadoop systems-appear as a set of tables in a local database. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files. The following security issues are also fixed with this release, descriptions of which can be found on the respective CVE pages linked in the References section. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update Advisory ID: RHSA-2014:0843-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0843.html Issue date: 2014-07-07 CVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 ===================================================================== 1. Summary: Updated Red Hat JBoss Enterprise Application Platform 6.2.4 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server - noarch Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that JBoss Web did not check for overflowing values when parsing request content length headers. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web instance. (CVE-2014-0119) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All users of Red Hat JBoss Enterprise Application Platform 6.2.4 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header 1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application 6. Package List: Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server: Source: jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.src.rpm noarch: jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.noarch.rpm Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server: Source: jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.src.rpm noarch: jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0075.html https://www.redhat.com/security/data/cve/CVE-2014-0096.html https://www.redhat.com/security/data/cve/CVE-2014-0099.html https://www.redhat.com/security/data/cve/CVE-2014-0119.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTurZGXlSAg2UNWIIRAjQuAJ9G3FrmmxQq8xNK5ngLTL/E35dXQgCdFTvu rNpjwHEU4w/Fa4I/WyPuVh0= =tXq5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Solution: The References section of this erratum contains a download link (you must log in to download the update). This update also fixes the following bug: The tomcat6-lib-6.0.37-19_patch_04.ep6.el5 package, provided as a dependency of Red Hat JBoss Web Server 2.0.1, included a build of commons-dbcp.jar that used an incorrect java package name, causing applications using this dependency to not function properly. With this update, the java package name has been corrected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04223376 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04223376 Version: 1 HPSBUX03102 SSRT101681 rev.1 - HP-UX Apache Server Suite running Apache Tomcat or PHP, Remote Execution of Arbitrary Code and Denial of Service (DoS) and Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-09-04 Last Updated: 2014-09-04 Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS), and other vulnerabilities. These vulnerabilities could be exploited remotely to execute arbitrary code, create a Denial of Service (DoS), or other vulnerabilities. References: CVE-2013-6438 - Tomcat: remote Denial of Service (DoS) CVE-2014-0075 - Tomcat: remote Denial of Service (DoS) CVE-2014-0096 - Tomcat: remote bypass of access restrictions CVE-2014-0098 - Tomcat: remote Denial of Service (DoS) CVE-2014-0099 - Tomcat: remote HTTP request smuggling CVE-2014-0119 - Tomcat: remote file access CVE-2014-0207 - PHP: remote Denial of Service (DoS) CVE-2014-3478 - PHP: remote Denial of Service (DoS) CVE-2014-3479 - PHP: remote Denial of Service (DoS) CVE-2014-3480 - PHP: remote Denial of Service (DoS) CVE-2014-3487 - PHP: remote Denial of Service (DoS) CVE-2014-3515 - PHP: remote execution of arbitrary code CVE-2014-3981 - PHP: local file access CVE-2014-4049 - PHP: remote Denial of Service (DoS) SSRT101681 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.31 running HP-UX Apache Web Server Suite v4.01 or earlier HP-UX B.11.31 running Tomcat v6.0.39.01 or earlier HP-UX B.11.31 running PHP v5.4.11.03 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-6438 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0075 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0096 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-0098 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0099 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2014-0119 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-0207 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2014-3478 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-3479 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2014-3480 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2014-3487 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2014-3515 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-3981 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3 CVE-2014-4049 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates to resolve the vulnerabilities. The updates are available for download from http://software.hp.com NOTE: HP-UX Web Server Suite v4.02 HPUXWSATW402 contains Apache v2.2.15.20, Tomcat Servlet Engine 6.0.39.02, and PHP 5.4.11.04 HP-UX 11i Release Apache Depot name B.11.31 (32-bit) HP_UX_11.31_HPUXWS22ATW-B402-11-31-32-bit.depot B.11.31 (64-bit) HP_UX_11.31_HPUXWS22ATW-B402-11-31-64-bit.depot MANUAL ACTIONS: Yes - Update Install HP-UX Web Server Suite v4.02 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.31 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 hpuxws22TOMCAT.TOMCAT action: install revision B.2.2.15.20 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 4 September 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners
VAR-201405-0503 CVE-2014-0119 Apache Tomcat Vulnerable to reading arbitrary files CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. Apache Tomcat is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. The following versions are vulnerable: Apache Tomcat 8.0.0-RC1 to 8.0.3 Apache Tomcat 7.0.0 to 7.0.53 Apache Tomcat 6.0.0 to 6.0.39. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:052 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : tomcat Date : March 3, 2015 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated tomcat packages fix security vulnerabilities: Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request&#039;s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a Transfer-Encoding: chunked header (CVE-2013-4286). Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data (CVE-2013-4322). Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data (CVE-2014-0075). Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header (CVE-2014-0099). In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227). The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS NzlDtJatpPDeZdZ4nlO1fgg= =NWBY -----END PGP SIGNATURE----- . Release Date: 2015-10-15 Last Updated: 2015-10-15 Potential Security Impact: Remote multiple vulnerabilities Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified in HP OpenVMS CSWS_JAVA running Tomcat. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts. References: CVE-2013-4286 CVE-2013-4322 CVE-2013-4444 CVE-2013-4590 CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0230 CVE-2014-0277 SSRT101975 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP OpenVMS CSWS_JAVA v7.0.29 Tomcat BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-4286 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8 CVE-2013-4322 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2013-4444 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2013-4590 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-0075 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-0096 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-0099 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2014-0119 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-0230 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2014-0277 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software update to resolve the vulnerabilities in HP OpenVMS CSWS_Java. "Cumulative security patch for vulnerabilities addressed on CSWS_JAVA v7.0.29" http://auth-h71000-pro-sitebuilder.houston.hp.com/openvms/products/ips/apac he/csws_java.html HISTORY Version:1 (rev.1) - 15 October 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Description: Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems—such as multiple databases, XML files, and even Hadoop systems—appear as a set of tables in a local database. CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE) CVE-2014-3490 RESTEasy: XXE via parameter entities CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread state Red Hat would like to thank James Roper of Typesafe for reporting CVE-2014-0193, Alexander Papadakis for reporting CVE-2014-3530, and Rune Steinseth of JProfessionals for reporting CVE-2014-8122. Bugs fixed (https://bugzilla.redhat.com/): 1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) 1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack 1063642 - CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file 1065139 - CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions 1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs 1092783 - CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header 1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application 1105242 - CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE) 1107901 - CVE-2014-3490 RESTEasy: XXE via parameter entities 1109196 - CVE-2014-0227 Tomcat/JBossWeb: request smuggling andl imited DoS in ChunkedInputFilter 1112987 - CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 1157304 - CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods 1165328 - CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider 1169237 - CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread state 5. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.0 Release Notes, linked to in the References section, for information on the most significant of these changes. The following security issues are also fixed with this release: A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2014-0226) A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. (CVE-2014-0118) A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. (CVE-2014-0221) Note: This update provides a fix for the CVE-2014-0221 issue in openssl packages for Solaris and Microsoft Windows. A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment. (CVE-2014-0119) Red Hat would like to thank the OpenSSL project for reporting CVE-2014-0221. Upstream acknowledges Imre Rad of Search-Lab as the original reporter of this issue. Solution: The References section of this erratum contains a download link (you must log in to download the update). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: tomcat security update Advisory ID: RHSA-2014:1034-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1034.html Issue date: 2014-08-07 CVE Names: CVE-2014-0119 ===================================================================== 1. Summary: Updated tomcat packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. (CVE-2014-0119) All Tomcat users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Tomcat must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: tomcat-7.0.42-8.el7_0.src.rpm noarch: tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm tomcat-lib-7.0.42-8.el7_0.noarch.rpm tomcat-webapps-7.0.42-8.el7_0.noarch.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: tomcat-7.0.42-8.el7_0.src.rpm noarch: tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm tomcat-lib-7.0.42-8.el7_0.noarch.rpm tomcat-webapps-7.0.42-8.el7_0.noarch.rpm Red Hat Enterprise Linux Server (v. 7): Source: tomcat-7.0.42-8.el7_0.src.rpm noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-lib-7.0.42-8.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm tomcat-webapps-7.0.42-8.el7_0.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm tomcat-lib-7.0.42-8.el7_0.noarch.rpm tomcat-webapps-7.0.42-8.el7_0.noarch.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: tomcat-7.0.42-8.el7_0.src.rpm noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-lib-7.0.42-8.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm tomcat-webapps-7.0.42-8.el7_0.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0119.html https://access.redhat.com/security/updates/classification/#low https://tomcat.apache.org/security-6.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFT48kzXlSAg2UNWIIRAn20AJ45q0idrnczXGHkJjgcnQXoIPYEzACeIU3N 3PDa2mjEuz2Ww24Y4dDqTO0= =SQSl -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201405-0648 CVE-2014-1191 Cisco NX-OS Virtual Device Context SSH Key Remote Privilege Escalation Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. After a Cisco NX-OS device has multiple VDCs on the system and is configured with local authentication, there is a remote privilege elevation vulnerability in the implementation that allows an authenticated remote attacker to exploit the vulnerability through the SSH access management interface of the affected device. Tampering with the login information of the SSH key file to obtain administrative rights on another VDC.
VAR-201405-0354 CVE-2014-3284 Cisco IOS XE Software PPPoE Packet Handling Denial of Service Vulnerability CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
Cisco IOS XE on ASR1000 devices, when PPPoE termination is enabled, allows remote attackers to cause a denial of service (device reload) via a malformed PPPoE packet, aka Bug ID CSCuo55180. Vendors have confirmed this vulnerability Bug ID CSCuo55180 It is released as.Malformed by a third party PPPoE Service disruption via packets ( Device reload ) There is a possibility of being put into a state. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Attackers can exploit this issue to cause the affected device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuo55180
VAR-201406-0156 CVE-2014-4162 Zyxel P-660HW-T1 Cross-site request forgery vulnerability in wireless router CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1. The Zyxel P-660HW-T1 is a wireless router device. Zyxel P-660HW-T1 is prone to multiple cross-site request-forgery vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. Zyxel P-660HW-T1 v3 is vulnerable; other versions may also be vulnerable
VAR-201405-0280 CVE-2014-2349 Emerson DeltaV '\DeltaV' Directory Authorization Security Bypass Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program. Emerson DeltaV Contains vulnerabilities that modify or read configuration files.Engineering level authorization by local user (engineering-level privilege) May be used to modify or read the configuration file. Emerson DeltaV is a digital automation system from Emerson, USA. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. Emerson DeltaV has a security bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Emerson DeltaV versions 10.3.1, 11.3, 11.3.1, and 12.3 are vulnerable. DeltaV Versions 10.3.1, 11.3, 11.3.1, and 12.3 Can be related to Emerson AMS Device Management version, Emerson AMS Wireless SNAP-ON also. CVE-2014-2349 - World writable system folder CVE-2014-2350 - Hardcoded credentials Please find fixes in KBA NK-1400-0031. Kudos: Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov and Timur Yunusov http://www.scadastrangelove.blogspot.com/2014/05/emerson-deltav-vulnerabilitiesfixes.html
VAR-201405-0585 No CVE D-Link DSP-W215 Wi-Fi Smart Plugin 'my_cgi.cgi' Remote Buffer Overflow Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The D-LinkDSP-W215 Wi-Fi smart plugin 'my_cgi.cgi' has a remote buffer overflow vulnerability that fails to properly validate user input when the POST request processes values. D-Link DSP-W215 is a Wi-Fi smart socket product from D-Link. A stack-based buffer overflow vulnerability exists in D-Link DSP-W215. An attacker could use this vulnerability to execute arbitrary code in the context of an affected device. It may also cause a denial of service. Failed exploit attempts will likely result in denial-of-service conditions
VAR-201405-0361 CVE-2014-3266 Cisco Security Manager of Web Cross-site scripting vulnerability in the framework CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web framework in Cisco Security Manager 4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun65189. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCun65189
VAR-201405-0281 CVE-2014-2350 Emerson DeltaV Vulnerable to access restrictions CVSS V2: 7.5
CVSS V3: -
Severity: LOW
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program. Emerson DeltaV is a digital automation system from Emerson, USA. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. Emerson DeltaV has a security bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable application. Emerson DeltaV versions 10.3.1, 11.3, 11.3.1, and 12.3 are vulnerable. DeltaV Versions 10.3.1, 11.3, 11.3.1, and 12.3 Can be related to Emerson AMS Device Management version, Emerson AMS Wireless SNAP-ON also. CVE-2014-2349 - World writable system folder CVE-2014-2350 - Hardcoded credentials Please find fixes in KBA NK-1400-0031. Kudos: Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov and Timur Yunusov http://www.scadastrangelove.blogspot.com/2014/05/emerson-deltav-vulnerabilitiesfixes.html
VAR-201405-0589 No CVE Multiple Cross-Site Request Forgery Vulnerabilities in Binatone DT 850W Wireless Router CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Binatone DT 850W Wireless Router has multiple cross-site request forgery vulnerabilities that allow remote attackers to build malicious URIs, entice users to resolve, and perform malicious operations in the target user context. Such as changing the WIFI password, managing passwords, etc. Binatone DT 850W wireless router is a wireless router product from India's Binatone. A cross-site request forgery vulnerability exists in the Binatone DT 850W wireless router running T6W-A1.005 and earlier firmware. A remote attacker could use this vulnerability to perform administrator actions to control the affected device. Binatone DT 850W running firmware versions T6W-A1.005 and prior are vulnerable; other versions may also be affected
VAR-201405-0055 CVE-2013-1191 Nexus 7000 Runs on the device Cisco NX-OS Vulnerability gained in CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco NX-OS 6.1 before 6.1(5) on Nexus 7000 devices, when local authentication and multiple VDCs are enabled, allows remote authenticated users to gain privileges within an unintended VDC via crafted SSH key data in an SSH session to a management interface, aka Bug ID CSCud88400. Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. Tampering with the login information of the SSH key file to obtain administrative rights on another VDC. Cisco NX-OS is prone to a remote privilege-escalation vulnerability. This issue is being tracked by Cisco Bug ID CSCud88400. Cisco NX-OS on Nexus 7000 devices is a set of operating systems run by Cisco on Nexus 7000 series devices. An elevation of privilege vulnerability exists in Cisco NX-OS versions 6.1 prior to 6.1(5) on Nexus 7000 devices
VAR-201405-0475 CVE-2014-2200 Cisco NX-OS Virtual Device Context SSH Remote Privilege Escalation Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco NX-OS 5.0 before 5.0(5) on Nexus 7000 devices, when local authentication and multiple VDCs are enabled, allows remote authenticated users to gain privileges within an unintended VDC via an SSH session to a management interface, aka Bug ID CSCti11629. Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. Cisco NX-OS is prone to a remote privilege-escalation vulnerability. This issue is being tracked by Cisco Bug ID CSCti11629. Cisco NX-OS on Nexus 7000 devices is a set of operating systems run by Cisco on Nexus 7000 series devices. An elevation of privilege vulnerability exists in Cisco NX-OS 5.0 prior to 5.0(5) on Nexus 7000 devices
VAR-201405-0476 CVE-2014-2201 Cisco MDS 9000 Device and Nexus 7000 Runs on the device Cisco NX-OS of MTS Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Message Transfer Service (MTS) in Cisco NX-OS before 6.2(7) on MDS 9000 devices and 6.0 before 6.0(2) on Nexus 7000 devices allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a large volume of crafted traffic, aka Bug ID CSCtw98915. Vendors have confirmed this vulnerability Bug ID CSCtw98915 It is released as.By a third party Through heavy traffic, (NULL Pointer dereference and kernel panic ) There is a possibility of being put into a state. Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. This vulnerability is caused by a null pointer indirect reference that occurs when the affected device is under heavy load. The kernel crashes. Cisco NX-OS is prone to a remote denial-of-service vulnerability. Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCtw98915. Both Cisco NX-OS on MDS 9000 devices and on Nexus 7000 devices are operating systems of Cisco. The former runs on MDS 9000 series devices; the latter runs on Nexus 7000 series devices