Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 511762 (CVE-2014-0075)

Summary: <www-servers/tomcat-{6.0.41,7.0.56}: Multiple Vulnerabilities (CVE-2014-{0075,0096,0099,0119})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://tomcat.apache.org/security-7.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 519590    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2014-05-29 07:54:55 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=1102038:

It was found that in limited circumstances it was possible for a malicious web application to replace the 
XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library 
descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the 
limits imposed on XML external entities and/or have visibility of the XML files processed for other web 
applications deployed on the same Tomcat instance.

Tomcat 6 fix (3 patches): 

http://svn.apache.org/viewvc?view=revision&revision=1589640
http://svn.apache.org/viewvc?view=revision&revision=1593815
http://svn.apache.org/viewvc?view=revision&revision=1593821

Tomcat 7 fix (4 patches):

http://svn.apache.org/viewvc?view=revision&revision=1588199
http://svn.apache.org/viewvc?view=revision&revision=1589997
http://svn.apache.org/viewvc?view=revision&revision=1590028
http://svn.apache.org/viewvc?view=revision&revision=1590036




From https://bugzilla.redhat.com/show_bug.cgi?id=1102030:

It was found that the code used to parse the request content length header did not check for overflow in 
the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy 
that correctly processed the content length header.

Tomcat 6 fix: http://svn.apache.org/viewvc?view=revision&revision=1580473

Tomcat 7 fix: http://svn.apache.org/viewvc?view=revision&revision=1578814


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-07-17 03:32:50 UTC 
Adding some more vulnerabilities and CVE's. 

Fixed in following versions as per URL upstream:
http://tomcat.apache.org/security-7.html

Fixed in Apache Tomcat 7.0.53
CVE-2014-0075, CVE-2014-0096, CVE-2014-0099


Fixed in Apache Tomcat 7.0.54
CVE-2014-0119

Maintainer(s): after the bump please let us know when the ebuild is ready for  stabilization.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-07-22 12:30:40 UTC 
CVE-2014-0119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0119):
  Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does
  not properly constrain the class loader that accesses the XML parser used
  with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary
  files via a crafted web application that provides an XML external entity
  declaration in conjunction with an entity reference, related to an XML
  External Entity (XXE) issue, or (2) read files associated with different web
  applications on a single Tomcat instance via a crafted web application.

CVE-2014-0099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0099):
  Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache
  Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated
  behind a reverse proxy, allows remote attackers to conduct HTTP request
  smuggling attacks via a crafted Content-Length HTTP header.

CVE-2014-0096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0096):
  java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet
  in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does
  not properly restrict XSLT stylesheets, which allows remote attackers to
  bypass security-manager restrictions and read arbitrary files via a crafted
  web application that provides an XML external entity declaration in
  conjunction with an entity reference, related to an XML External Entity
  (XXE) issue.

CVE-2014-0075 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0075):
  Integer overflow in the parseChunkHeader function in
  java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache
  Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote
  attackers to cause a denial of service (resource consumption) via a
  malformed chunk size in chunked transfer coding of a request during the
  streaming of data.
Comment 3 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-11-02 10:23:15 UTC 
Just committed tomcat-6.0.41 and tomcat-7.0.56.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 00:45:24 UTC 
This issue was resolved and addressed in
 GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml
by GLSA coordinator Sean Amoss (ackle).