VARIoT IoT vulnerabilities database
| VAR-201406-0153 | CVE-2014-4159 | SAP Supplier Relationship Management Open redirect vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. Supplementary information : CWE Vulnerability type by CWE-601: URL Redirection to Untrusted Site ( Open redirect ) Has been identified.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. Other attacks are possible
| VAR-201405-0543 | CVE-2014-0075 | Apache Tomcat CVE-2014-0075 Chunk Request Remote Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. Apache Tomcat is prone to a remote denial-of-service vulnerability because it fails to properly bounds check user-supplied input.
An attacker can exploit this issue to cause denial-of-service conditions; denying service to legitimate users.
The following versions are vulnerable:
Apache Tomcat 8.0.0-RC1 to 8.0.3
Apache Tomcat 7.0.0 to 7.0.52
Apache Tomcat 6.0.0 to 6.0.39. Description:
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan. It includes various bug fixes and
enhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0
Release Notes. (CVE-2014-0099)
It was found that the security audit functionality, provided by Red Hat
JBoss Data Grid, logged request parameters in plain text. This may have
caused passwords to be included in the audit log files when using BASIC or
FORM-based authentication. A local attacker with access to audit log files
could possibly use this flaw to obtain application or server authentication
credentials. Refer to the Solution section of this advisory for additional
information on the fix for this issue. (CVE-2014-0096)
It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. Solution:
The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Data Grid installation.
The provided patch to fix CVE-2014-0058 also allows greater control over
which of the following components of web requests are captured in audit
logs:
- - parameters
- - cookies
- - headers
- - attributes
It is also possible to selectively mask some elements of headers,
parameters, cookies, and attributes using masks. This capability is
provided by two system properties, which are introduced by this patch:
1) org.jboss.security.web.audit
Description:
This property controls the granularity of the security auditing of web
requests.
Possible values:
off = Disables auditing of web requests
headers = Audits only the headers of web requests
cookies = Audits only the cookies of web requests
parameters = Audits only the parameters of web requests
attributes = Audits only the attributes of web requests
headers,cookies,parameters = Audits the headers, cookies, and parameters of
web requests
headers,cookies = Audits the headers and cookies of web requests
Default Value:
headers, parameters
Examples:
Setting "org.jboss.security.web.audit=off" disables security auditing of
web requests entirely.
Setting "org.jboss.security.web.audit=headers" enables security auditing of
only headers in web requests.
2) org.jboss.security.web.audit.mask
Description:
This property can be used to specify a list of strings to be matched
against headers, parameters, cookies, and attributes of web requests.
Any element matching the specified masks will be excluded from security
audit logging.
Possible values:
Any comma separated string indicating keys of headers, parameters, cookies,
and attributes.
Default Value:
j_password, authorization
Note that currently the matching of the masks is fuzzy rather than strict.
For example, a mask of "authorization" will mask both the header called
authorization and the parameter called "custom_authorization". A future
release may introduce strict masks. Description:
Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure. It includes various bug fixes, which are listed in the
README file included with the patch files.
The following security issues are also fixed with this release,
descriptions of which can be found on the respective CVE pages linked in
the References section. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: tomcat security update
Advisory ID: RHSA-2014:0827-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0827.html
Issue date: 2014-07-02
CVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099
=====================================================================
1. Summary:
Updated tomcat packages that fix three security issues are now available
for Red Hat Enterprise Linux 7.
The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
3. Description:
Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
It was discovered that Apache Tomcat did not limit the length of chunk
sizes when using chunked transfer encoding. (CVE-2014-0075)
It was found that Apache Tomcat did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a Tomcat server located
behind a reverse proxy that processed the content length header correctly.
(CVE-2014-0099)
It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in Apache Tomcat allowed the definition of XML External
Entities (XXEs) in provided XSLTs. A malicious application could use this
to circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)
The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.
All Tomcat 7 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. Tomcat must be
restarted for this update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
tomcat-7.0.42-6.el7_0.src.rpm
noarch:
tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
tomcat-7.0.42-6.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm
tomcat-lib-7.0.42-6.el7_0.noarch.rpm
tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
tomcat-7.0.42-6.el7_0.src.rpm
noarch:
tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
tomcat-7.0.42-6.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm
tomcat-lib-7.0.42-6.el7_0.noarch.rpm
tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
tomcat-7.0.42-6.el7_0.src.rpm
noarch:
tomcat-7.0.42-6.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-lib-7.0.42-6.el7_0.noarch.rpm
tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm
tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
tomcat-7.0.42-6.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm
tomcat-lib-7.0.42-6.el7_0.noarch.rpm
tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
tomcat-7.0.42-6.el7_0.src.rpm
noarch:
tomcat-7.0.42-6.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm
tomcat-lib-7.0.42-6.el7_0.noarch.rpm
tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm
tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0096.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://access.redhat.com/security/updates/classification/#moderate
http://tomcat.apache.org/security-7.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTs8+9XlSAg2UNWIIRAglqAJ4sw3DT+V4pFReZSRvkoW+f90gxdgCdFn5e
bVOeybWcY1fm+xgpnE7T2ZM=
=O2as
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. This
enabled a denial of service attack.
Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
(8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
(6.0.40 contains the fix but was not released)
Credit:
This issue was reported to the Tomcat security team by David Jorm of the
Red Hat Security Response Team. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:052
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : tomcat
Date : March 3, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated tomcat packages fix security vulnerabilities:
Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP
connector is used, does not properly handle certain inconsistent HTTP
request headers, which allows remote attackers to trigger incorrect
identification of a request's length and conduct request-smuggling
attacks via (1) multiple Content-Length headers or (2) a Content-Length
header and a Transfer-Encoding: chunked header (CVE-2013-4286).
java/org/apache/catalina/servlets/DefaultServlet.java in the default
servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not
properly restrict XSLT stylesheets, which allows remote attackers
to bypass security-manager restrictions and read arbitrary files
via a crafted web application that provides an XML external entity
declaration in conjunction with an entity reference, related to an
XML External Entity (XXE) issue (CVE-2014-0096). The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS
NzlDtJatpPDeZdZ4nlO1fgg=
=NWBY
-----END PGP SIGNATURE-----
. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications.
For the oldstable distribution (wheezy), these problems have been fixed
in version 6.0.45+dfsg-1~deb7u1.
This update also fixes the following bugs:
* The patch that resolved the CVE-2014-0050 issue contained redundant code.
This update removes the redundant code. (BZ#1094528)
* The patch that resolved the CVE-2013-4322 issue contained an invalid
check that triggered a java.io.EOFException while reading trailer headers
for chunked requests. This update fixes the check and the aforementioned
exception is no longer triggered in the described scenario
| VAR-201406-0302 | CVE-2014-3280 | Cisco Unified Communications Domain Manager of VOSS of Web Vulnerability in obtaining important user information in the framework |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain potentially sensitive user information by visiting an unspecified Administration GUI web page, aka Bug IDs CSCun46045 and CSCun46116.
Attackers can exploit this issue to retrieve sensitive information. Information harvested may aid in launching further attacks.
This issue is tracked by Cisco Bug IDs CSCun46045 and CSCun46116. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201405-0350 | CVE-2014-3277 | Cisco Unified Communications Domain Manager of VOSS Vulnerable to obtaining important user and group information |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain sensitive user and group information by leveraging Location Administrator privileges and entering a crafted URL, aka Bug ID CSCum77005. Cisco Unified Communications Domain Manager is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to retrieve sensitive information. Information harvested may aid in launching further attacks.
This issue is tracked by Cisco Bug ID CSCum77005. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201405-0352 | CVE-2014-3282 | Cisco Unified Communications Domain Manager of VOSS of Web Vulnerability in obtaining important number conversion information in the framework |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain sensitive number-translation information by leveraging Location Administrator privileges and entering a crafted URL, aka Bug ID CSCum76930. Vendors have confirmed this vulnerability Bug ID CSCum76930 It is released as.By a remotely authenticated user Location Administrator Authorized and crafted URL , You may get important number translation information. Cisco Unified Communications Domain Manager is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to retrieve sensitive information like Admin number translation. Information harvested may aid in launching further attacks.
This issue is tracked by Cisco Bug ID CSCum76930. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201405-0353 | CVE-2014-3283 | Cisco Unified Communications Domain Manager of VOSS of Web Open redirect vulnerability in the framework |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in Self-Care Client Portal applications in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL, aka Bug ID CSCun79731. Vendors have confirmed this vulnerability Bug ID CSCun79731 It is released as. Supplementary information : CWE Vulnerability type by CWE-601: URL Redirection to Untrusted Site ( Open redirect ) Has been identified. http://cwe.mitre.org/data/definitions/601.htmlSkillfully crafted by a third party URL Any user through Web You may be redirected to a site and run a phishing attack.
An attacker can leverage this issue to conduct phishing attacks; other attacks are possible. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201405-0351 | CVE-2014-3279 | Cisco Unified Communications Domain Manager of VOSS of Web Vulnerability in enumerating account names in the framework |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote attackers to enumerate account names via a crafted URL, aka Bug IDs CSCun39631 and CSCun39643. Vendors have confirmed this vulnerability Bug ID CSCun39631 and CSCun39643 It is released as.Skillfully crafted by a third party URL Account names may be enumerated via. Cisco Unified Communications Domain Manager is prone to a user-enumeration vulnerability.
An attacker may leverage this issue to harvest valid user accounts, which may aid in brute-force attacks.
This issue being tracked by Cisco Bug IDs CSCun39631 and CSCun39643. This component features scalable, distributed, and highly available enterprise Voice over IP call processing. A remote attacker could use a specially crafted URL to exploit this vulnerability to enumerate user accounts
| VAR-201405-0541 | CVE-2014-0099 | Apache Tomcat Digital error vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. Apache Tomcat is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
The following versions are vulnerable:
Apache Tomcat 8.0.0-RC1 to 8.0.3
Apache Tomcat 7.0.0 to 7.0.52
Apache Tomcat 6.0.0 to 6.0.39.
Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding
without properly handling (1) a large total amount of chunked data or
(2) whitespace characters in an HTTP header value within a trailer
field, which allows remote attackers to cause a denial of service by
streaming data (CVE-2013-4322).
java/org/apache/catalina/servlets/DefaultServlet.java in the default
servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not
properly restrict XSLT stylesheets, which allows remote attackers
to bypass security-manager restrictions and read arbitrary files
via a crafted web application that provides an XML external entity
declaration in conjunction with an entity reference, related to an
XML External Entity (XXE) issue (CVE-2014-0096).
In Apache Tomcat 7.x before 7.0.55, it was possible to craft a
malformed chunk as part of a chunked request that caused Tomcat to
read part of the request body as a new request (CVE-2014-0227). The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVFl05mqjQ0CJFipgRAniKAKC/MpUAj48M/7CzWXB4hv87uo99lwCg4Em4
9yRzhuJFw0DWd+dOc4antEU=
=SHMh
-----END PGP SIGNATURE-----
. Description:
Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems-such as multiple databases, XML
files, and even Hadoop systems-appear as a set of tables in a local
database.
This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data
Virtualization 6.0.0. It includes various bug fixes, which are listed in
the README file included with the patch files.
The following security issues are also fixed with this release,
descriptions of which can be found on the respective CVE pages linked in
the References section. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update
Advisory ID: RHSA-2014:0843-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0843.html
Issue date: 2014-07-07
CVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099
CVE-2014-0119
=====================================================================
1. Summary:
Updated Red Hat JBoss Enterprise Application Platform 6.2.4 packages that
fix multiple security issues are now available for Red Hat Enterprise Linux
5 and 6.
The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server - noarch
3. Description:
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
It was discovered that JBoss Web did not limit the length of chunk sizes
when using chunked transfer encoding. A remote attacker could use this flaw
to perform a denial of service attack against JBoss Web by streaming an
unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)
It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. (CVE-2014-0099)
It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External Entities
(XXEs) in provided XSLTs. A malicious application could use this to
circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)
It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. (CVE-2014-0119)
The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.
All users of Red Hat JBoss Enterprise Application Platform 6.2.4 on Red Hat
Enterprise Linux 5 and 6 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized Red
Hat JBoss Enterprise Application Platform 6 configuration files. On update,
the configuration files that have been locally modified will not be
updated. The updated version of such files will be stored as the rpmnew
files. Make sure to locate any such files after the update and merge any
changes manually.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
6. Package List:
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server:
Source:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.src.rpm
noarch:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.noarch.rpm
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server:
Source:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.src.rpm
noarch:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0096.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://www.redhat.com/security/data/cve/CVE-2014-0119.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTurZGXlSAg2UNWIIRAjQuAJ9G3FrmmxQq8xNK5ngLTL/E35dXQgCdFTvu
rNpjwHEU4w/Fa4I/WyPuVh0=
=tXq5
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. Solution:
The References section of this erratum contains a download link (you must
log in to download the update).
This update also fixes the following bug:
The tomcat6-lib-6.0.37-19_patch_04.ep6.el5 package, provided as a
dependency of Red Hat JBoss Web Server 2.0.1, included a build of
commons-dbcp.jar that used an incorrect java package name, causing
applications using this dependency to not function properly. With this
update, the java package name has been corrected. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04223376
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04223376
Version: 1
HPSBUX03102 SSRT101681 rev.1 - HP-UX Apache Server Suite running Apache
Tomcat or PHP, Remote Execution of Arbitrary Code and Denial of Service (DoS)
and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-09-04
Last Updated: 2014-09-04
Potential Security Impact: Remote execution of arbitrary code, Denial of
Service (DoS), and other vulnerabilities. These vulnerabilities could
be exploited remotely to execute arbitrary code, create a Denial of Service
(DoS), or other vulnerabilities.
References:
CVE-2013-6438 - Tomcat: remote Denial of Service (DoS)
CVE-2014-0075 - Tomcat: remote Denial of Service (DoS)
CVE-2014-0096 - Tomcat: remote bypass of access restrictions
CVE-2014-0098 - Tomcat: remote Denial of Service (DoS)
CVE-2014-0099 - Tomcat: remote HTTP request smuggling
CVE-2014-0119 - Tomcat: remote file access
CVE-2014-0207 - PHP: remote Denial of Service (DoS)
CVE-2014-3478 - PHP: remote Denial of Service (DoS)
CVE-2014-3479 - PHP: remote Denial of Service (DoS)
CVE-2014-3480 - PHP: remote Denial of Service (DoS)
CVE-2014-3487 - PHP: remote Denial of Service (DoS)
CVE-2014-3515 - PHP: remote execution of arbitrary code
CVE-2014-3981 - PHP: local file access
CVE-2014-4049 - PHP: remote Denial of Service (DoS)
SSRT101681
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running HP-UX Apache Web Server Suite v4.01 or earlier
HP-UX B.11.31 running Tomcat v6.0.39.01 or earlier
HP-UX B.11.31 running PHP v5.4.11.03 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-6438 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-0075 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-0096 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2014-0098 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-0099 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2014-0119 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2014-0207 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-3478 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3479 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-3480 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-3487 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-3515 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-3981 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3
CVE-2014-4049 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve the
vulnerabilities.
The updates are available for download from http://software.hp.com
NOTE: HP-UX Web Server Suite v4.02 HPUXWSATW402 contains Apache v2.2.15.20,
Tomcat Servlet Engine 6.0.39.02, and PHP 5.4.11.04
HP-UX 11i Release
Apache Depot name
B.11.31 (32-bit)
HP_UX_11.31_HPUXWS22ATW-B402-11-31-32-bit.depot
B.11.31 (64-bit)
HP_UX_11.31_HPUXWS22ATW-B402-11-31-64-bit.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v4.02 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
action: install revision B.2.2.15.20 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 4 September 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners
| VAR-201405-0503 | CVE-2014-0119 | Apache Tomcat Vulnerable to reading arbitrary files |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. Apache Tomcat is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
The following versions are vulnerable:
Apache Tomcat 8.0.0-RC1 to 8.0.3
Apache Tomcat 7.0.0 to 7.0.53
Apache Tomcat 6.0.0 to 6.0.39. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:052
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : tomcat
Date : March 3, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated tomcat packages fix security vulnerabilities:
Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP
connector is used, does not properly handle certain inconsistent HTTP
request headers, which allows remote attackers to trigger incorrect
identification of a request's length and conduct request-smuggling
attacks via (1) multiple Content-Length headers or (2) a Content-Length
header and a Transfer-Encoding: chunked header (CVE-2013-4286).
Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding
without properly handling (1) a large total amount of chunked data or
(2) whitespace characters in an HTTP header value within a trailer
field, which allows remote attackers to cause a denial of service by
streaming data (CVE-2013-4322).
Integer overflow in the parseChunkHeader function in
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in
Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote
attackers to cause a denial of service (resource consumption) via a
malformed chunk size in chunked transfer coding of a request during
the streaming of data (CVE-2014-0075).
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in
Apache Tomcat before 6.0.40 and 7.x before 7.0.53, when operated
behind a reverse proxy, allows remote attackers to conduct HTTP
request smuggling attacks via a crafted Content-Length HTTP header
(CVE-2014-0099).
In Apache Tomcat 7.x before 7.0.55, it was possible to craft a
malformed chunk as part of a chunked request that caused Tomcat to
read part of the request body as a new request (CVE-2014-0227). The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS
NzlDtJatpPDeZdZ4nlO1fgg=
=NWBY
-----END PGP SIGNATURE-----
.
Release Date: 2015-10-15
Last Updated: 2015-10-15
Potential Security Impact: Remote multiple vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP OpenVMS
CSWS_JAVA running Tomcat. These vulnerabilities could be exploited remotely
to create a Denial of Service (DoS) and other impacts.
References:
CVE-2013-4286
CVE-2013-4322
CVE-2013-4444
CVE-2013-4590
CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119
CVE-2014-0230
CVE-2014-0277
SSRT101975
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenVMS CSWS_JAVA v7.0.29 Tomcat
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-4286 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8
CVE-2013-4322 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2013-4444 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2013-4590 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2014-0075 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-0096 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2014-0099 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2014-0119 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2014-0230 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
CVE-2014-0277 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software update to resolve the vulnerabilities
in HP OpenVMS CSWS_Java.
"Cumulative security patch for vulnerabilities addressed on CSWS_JAVA
v7.0.29"
http://auth-h71000-pro-sitebuilder.houston.hp.com/openvms/products/ips/apac
he/csws_java.html
HISTORY
Version:1 (rev.1) - 15 October 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. Description:
Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems—such as multiple databases, XML
files, and even Hadoop systems—appear as a set of tables in a local
database.
CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname
verification bypass, incomplete CVE-2012-5783 fix
CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname
verification bypass, incomplete CVE-2012-6153 fix
CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP,
8017298)
CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature
DoS Attack
CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of
user-supplied content in outputText tags and EL expressions
CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file
CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding
input filter
CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content
length header
CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web
application
CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
CVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding
input filter
CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal
Entity (XXE)
CVE-2014-3490 RESTEasy: XXE via parameter entities
CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics
enforcement of SAML SubjectConfirmation methods
CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider
CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread
state
Red Hat would like to thank James Roper of Typesafe for reporting
CVE-2014-0193, Alexander Papadakis for reporting CVE-2014-3530, and Rune
Steinseth of JProfessionals for reporting CVE-2014-8122. Bugs fixed (https://bugzilla.redhat.com/):
1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
1063642 - CVE-2014-0059 JBossSX/PicketBox: World readable audit.log file
1065139 - CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of user-supplied content in outputText tags and EL expressions
1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
1092783 - CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
1105242 - CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
1107901 - CVE-2014-3490 RESTEasy: XXE via parameter entities
1109196 - CVE-2014-0227 Tomcat/JBossWeb: request smuggling andl imited DoS in ChunkedInputFilter
1112987 - CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
1157304 - CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods
1165328 - CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider
1169237 - CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread state
5. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications.
This release serves as a replacement for Red Hat JBoss Web Server 2.0.1,
and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.0
Release Notes, linked to in the References section, for information on the
most significant of these changes.
The following security issues are also fixed with this release:
A race condition flaw, leading to heap-based buffer overflows, was found in
the mod_status httpd module. A remote attacker able to access a status page
served by mod_status on a server using a threaded Multi-Processing Module
(MPM) could send a specially crafted request that would cause the httpd
child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the "apache" user. (CVE-2014-0226)
A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the "DEFLATE" input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system. (CVE-2014-0118)
A denial of service flaw was found in the way OpenSSL handled certain DTLS
ServerHello requests. A specially crafted DTLS handshake packet could cause
a DTLS client using OpenSSL to crash. (CVE-2014-0221)
Note: This update provides a fix for the CVE-2014-0221 issue in openssl
packages for Solaris and Microsoft Windows.
A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input.
A remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely. Note that this flaw only affected deployments in which Tomcat
is running applications from untrusted sources, such as in a shared hosting
environment. (CVE-2014-0119)
Red Hat would like to thank the OpenSSL project for reporting
CVE-2014-0221. Upstream acknowledges Imre Rad of Search-Lab as the original
reporter of this issue. Solution:
The References section of this erratum contains a download link (you must
log in to download the update). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Low: tomcat security update
Advisory ID: RHSA-2014:1034-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1034.html
Issue date: 2014-08-07
CVE Names: CVE-2014-0119
=====================================================================
1. Summary:
Updated tomcat packages that fix one security issue are now available for
Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
3. Description:
Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by Apache Tomcat
to process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. (CVE-2014-0119)
All Tomcat users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. Tomcat must be restarted
for this update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
tomcat-7.0.42-8.el7_0.src.rpm
noarch:
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
tomcat-7.0.42-8.el7_0.src.rpm
noarch:
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
tomcat-7.0.42-8.el7_0.src.rpm
noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
tomcat-7.0.42-8.el7_0.src.rpm
noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-0119.html
https://access.redhat.com/security/updates/classification/#low
https://tomcat.apache.org/security-6.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFT48kzXlSAg2UNWIIRAn20AJ45q0idrnczXGHkJjgcnQXoIPYEzACeIU3N
3PDa2mjEuz2Ww24Y4dDqTO0=
=SQSl
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201405-0648 | CVE-2014-1191 | Cisco NX-OS Virtual Device Context SSH Key Remote Privilege Escalation Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. After a Cisco NX-OS device has multiple VDCs on the system and is configured with local authentication, there is a remote privilege elevation vulnerability in the implementation that allows an authenticated remote attacker to exploit the vulnerability through the SSH access management interface of the affected device. Tampering with the login information of the SSH key file to obtain administrative rights on another VDC.
| VAR-201405-0354 | CVE-2014-3284 | Cisco IOS XE Software PPPoE Packet Handling Denial of Service Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS XE on ASR1000 devices, when PPPoE termination is enabled, allows remote attackers to cause a denial of service (device reload) via a malformed PPPoE packet, aka Bug ID CSCuo55180. Vendors have confirmed this vulnerability Bug ID CSCuo55180 It is released as.Malformed by a third party PPPoE Service disruption via packets ( Device reload ) There is a possibility of being put into a state. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
Attackers can exploit this issue to cause the affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuo55180
| VAR-201406-0156 | CVE-2014-4162 | Zyxel P-660HW-T1 Cross-site request forgery vulnerability in wireless router |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1. The Zyxel P-660HW-T1 is a wireless router device. Zyxel P-660HW-T1 is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
Zyxel P-660HW-T1 v3 is vulnerable; other versions may also be vulnerable
| VAR-201405-0280 | CVE-2014-2349 | Emerson DeltaV '\DeltaV' Directory Authorization Security Bypass Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program. Emerson DeltaV Contains vulnerabilities that modify or read configuration files.Engineering level authorization by local user (engineering-level privilege) May be used to modify or read the configuration file. Emerson DeltaV is a digital automation system from Emerson, USA. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. Emerson DeltaV has a security bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
Emerson DeltaV versions 10.3.1, 11.3, 11.3.1, and 12.3 are vulnerable. DeltaV Versions 10.3.1, 11.3, 11.3.1, and 12.3
Can be related to Emerson AMS Device Management version, Emerson AMS
Wireless SNAP-ON also.
CVE-2014-2349 - World writable system folder
CVE-2014-2350 - Hardcoded credentials
Please find fixes in KBA NK-1400-0031.
Kudos: Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov
and Timur Yunusov
http://www.scadastrangelove.blogspot.com/2014/05/emerson-deltav-vulnerabilitiesfixes.html
| VAR-201405-0585 | No CVE | D-Link DSP-W215 Wi-Fi Smart Plugin 'my_cgi.cgi' Remote Buffer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The D-LinkDSP-W215 Wi-Fi smart plugin 'my_cgi.cgi' has a remote buffer overflow vulnerability that fails to properly validate user input when the POST request processes values. D-Link DSP-W215 is a Wi-Fi smart socket product from D-Link.
A stack-based buffer overflow vulnerability exists in D-Link DSP-W215. An attacker could use this vulnerability to execute arbitrary code in the context of an affected device. It may also cause a denial of service. Failed exploit attempts will likely result in denial-of-service conditions
| VAR-201405-0361 | CVE-2014-3266 | Cisco Security Manager of Web Cross-site scripting vulnerability in the framework |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web framework in Cisco Security Manager 4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun65189.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCun65189
| VAR-201405-0281 | CVE-2014-2350 | Emerson DeltaV Vulnerable to access restrictions |
CVSS V2: 7.5 CVSS V3: - Severity: LOW |
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program. Emerson DeltaV is a digital automation system from Emerson, USA. The system provides I/O on-demand configuration, embedded intelligent control and alarm panel functions. Emerson DeltaV has a security bypass vulnerability.
Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable application.
Emerson DeltaV versions 10.3.1, 11.3, 11.3.1, and 12.3 are vulnerable. DeltaV Versions 10.3.1, 11.3, 11.3.1, and 12.3
Can be related to Emerson AMS Device Management version, Emerson AMS
Wireless SNAP-ON also.
CVE-2014-2349 - World writable system folder
CVE-2014-2350 - Hardcoded credentials
Please find fixes in KBA NK-1400-0031.
Kudos: Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov
and Timur Yunusov
http://www.scadastrangelove.blogspot.com/2014/05/emerson-deltav-vulnerabilitiesfixes.html
| VAR-201405-0589 | No CVE | Multiple Cross-Site Request Forgery Vulnerabilities in Binatone DT 850W Wireless Router |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Binatone DT 850W Wireless Router has multiple cross-site request forgery vulnerabilities that allow remote attackers to build malicious URIs, entice users to resolve, and perform malicious operations in the target user context. Such as changing the WIFI password, managing passwords, etc. Binatone DT 850W wireless router is a wireless router product from India's Binatone.
A cross-site request forgery vulnerability exists in the Binatone DT 850W wireless router running T6W-A1.005 and earlier firmware. A remote attacker could use this vulnerability to perform administrator actions to control the affected device.
Binatone DT 850W running firmware versions T6W-A1.005 and prior are vulnerable; other versions may also be affected
| VAR-201405-0055 | CVE-2013-1191 | Nexus 7000 Runs on the device Cisco NX-OS Vulnerability gained in |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco NX-OS 6.1 before 6.1(5) on Nexus 7000 devices, when local authentication and multiple VDCs are enabled, allows remote authenticated users to gain privileges within an unintended VDC via crafted SSH key data in an SSH session to a management interface, aka Bug ID CSCud88400. Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. Tampering with the login information of the SSH key file to obtain administrative rights on another VDC. Cisco NX-OS is prone to a remote privilege-escalation vulnerability.
This issue is being tracked by Cisco Bug ID CSCud88400. Cisco NX-OS on Nexus 7000 devices is a set of operating systems run by Cisco on Nexus 7000 series devices. An elevation of privilege vulnerability exists in Cisco NX-OS versions 6.1 prior to 6.1(5) on Nexus 7000 devices
| VAR-201405-0475 | CVE-2014-2200 | Cisco NX-OS Virtual Device Context SSH Remote Privilege Escalation Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco NX-OS 5.0 before 5.0(5) on Nexus 7000 devices, when local authentication and multiple VDCs are enabled, allows remote authenticated users to gain privileges within an unintended VDC via an SSH session to a management interface, aka Bug ID CSCti11629. Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. Cisco NX-OS is prone to a remote privilege-escalation vulnerability.
This issue is being tracked by Cisco Bug ID CSCti11629. Cisco NX-OS on Nexus 7000 devices is a set of operating systems run by Cisco on Nexus 7000 series devices. An elevation of privilege vulnerability exists in Cisco NX-OS 5.0 prior to 5.0(5) on Nexus 7000 devices
| VAR-201405-0476 | CVE-2014-2201 | Cisco MDS 9000 Device and Nexus 7000 Runs on the device Cisco NX-OS of MTS Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Message Transfer Service (MTS) in Cisco NX-OS before 6.2(7) on MDS 9000 devices and 6.0 before 6.0(2) on Nexus 7000 devices allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a large volume of crafted traffic, aka Bug ID CSCtw98915. Vendors have confirmed this vulnerability Bug ID CSCtw98915 It is released as.By a third party Through heavy traffic, (NULL Pointer dereference and kernel panic ) There is a possibility of being put into a state. Cisco NX-OS is a data center-class operating system that embodies modular design, resiliency, and maintainability. This vulnerability is caused by a null pointer indirect reference that occurs when the affected device is under heavy load. The kernel crashes. Cisco NX-OS is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCtw98915. Both Cisco NX-OS on MDS 9000 devices and on Nexus 7000 devices are operating systems of Cisco. The former runs on MDS 9000 series devices; the latter runs on Nexus 7000 series devices