Rapid7 Vulnerability & Exploit Database

RHSA-2014:1034: tomcat security update

Severity: 4
CVSS (v2 vector): (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published: 05/31/2014
Created: 07/25/2018
Added: 09/24/2014
Modified: 07/04/2017

Description

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits Tomcat imposes on XML external entities (re-enabling XXE processing that the container otherwise restricts) and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119)

All Tomcat users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Tomcat must be restarted for this update to take effect; an updated package with the old process still running leaves the vulnerability in place.

Solution(s)

  • redhat-upgrade-tomcat
  • redhat-upgrade-tomcat-admin-webapps
  • redhat-upgrade-tomcat-docs-webapp
  • redhat-upgrade-tomcat-el-2-2-api
  • redhat-upgrade-tomcat-javadoc
  • redhat-upgrade-tomcat-jsp-2-2-api
  • redhat-upgrade-tomcat-jsvc
  • redhat-upgrade-tomcat-lib
  • redhat-upgrade-tomcat-servlet-3-0-api
  • redhat-upgrade-tomcat-webapps
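The advisory sets two conditions: the patched package must be installed, and Tomcat must be restarted so the running process actually picks it up. The script below is an added example, not code from the Rapid7 entry or from Red Hat, that checks both on a RHEL 7 host. It assumes RHEL 7 tooling (rpm, yum with advisory support, systemd, procps-ng) and a systemd unit named "tomcat", which is the stock unit name but is an assumption here. Because Red Hat lists the CVEs an update closes in the RPM %changelog, the changelog rather than the upstream version string is what the script greps to confirm the backported fix is present.

```shell
#!/bin/sh
# Added example, not part of the Rapid7 entry or the Red Hat advisory.
# Checks the two conditions RHSA-2014:1034 sets:
#   1. the tomcat package carries the backported fix for CVE-2014-0119, and
#   2. the running Tomcat was started after that package was installed
#      (the advisory notes the fix only takes effect after a restart).
# Assumes RHEL 7 with rpm, yum, systemd and procps-ng. The unit name
# "tomcat" is an assumption for the stock RHEL 7 package.

ADVISORY="RHSA-2014:1034"
CVE="CVE-2014-0119"
UNIT="tomcat"

# Red Hat records the CVEs closed by an update in the RPM %changelog, so the
# changelog (not the version string) is what confirms a backported fix.
# Reads changelog text on stdin; returns 0 when the CVE id appears.
changelog_mentions_cve() {
    grep -q -F -- "$1"
}

# Arguments: package install time, process start time (both epoch seconds).
# Returns 0 when the process started before the package was installed,
# i.e. it is still running the pre-update code.
needs_restart() {
    [ "$2" -lt "$1" ]
}

# Start time of a PID in epoch seconds, derived from its elapsed time
# (ps -o etimes is provided by procps-ng on RHEL 7).
process_start_epoch() {
    elapsed=$(ps -o etimes= -p "$1" | tr -d ' ')
    echo $(( $(date +%s) - elapsed ))
}

main() {
    if rpm -q --changelog tomcat | changelog_mentions_cve "$CVE"; then
        echo "tomcat: changelog references $CVE, fix is installed"
    else
        echo "tomcat: no $CVE in changelog, applying $ADVISORY"
        yum -y update --advisory "$ADVISORY" || exit 1
    fi

    pid=$(systemctl show -p MainPID "$UNIT" | cut -d= -f2)
    if [ -z "$pid" ] || [ "$pid" -eq 0 ]; then
        echo "$UNIT: not running, nothing to restart"
        return 0
    fi

    installed=$(rpm -q --qf '%{INSTALLTIME}\n' tomcat | tail -n1)
    started=$(process_start_epoch "$pid")
    if needs_restart "$installed" "$started"; then
        echo "$UNIT: PID $pid predates the installed package, restarting"
        systemctl restart "$UNIT"
    else
        echo "$UNIT: PID $pid started after the package install, fix is active"
    fi
}

# Only touch the system when invoked as: sh check_rhsa_2014_1034.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it as `sh check_rhsa_2014_1034.sh run` on the host; without the `run` argument it only defines its functions. The install-time versus process-start comparison is the part most often skipped in practice: a scanner that keys on the package version will report the host fixed as soon as yum finishes, while the old Tomcat process keeps serving requests until it is restarted.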
