Rapid7 Vulnerability & Exploit Database

RHSA-2014:1038: tomcat6 security update

Back to Search

RHSA-2014:1038: tomcat6 security update



Apache Tomcat is a servlet container for the Java Servlet and JavaServerPages (JSP) technologies.It was found that several application-provided XML files, such as web.xml,content.xml, *.tld, *.tagx, and *.jspx, resolved external entities,permitting XML External Entity (XXE) attacks. An attacker able to deploymalicious applications to Tomcat could use this flaw to circumvent securityrestrictions set by the JSM, and gain access to sensitive information onthe system. Note that this flaw only affected deployments in which Tomcatis running applications from untrusted sources, such as in a shared hostingenvironment. (CVE-2013-4590)It was found that, in certain circumstances, it was possible for amalicious web application to replace the XML parsers used by Apache Tomcatto process XSLTs for the default servlet, JSP documents, tag librarydescriptors (TLDs), and tag plug-in configuration files. The injected XMLparser(s) could then bypass the limits imposed on XML external entitiesand/or gain access to the XML files processed for other web applicationsdeployed on the same Apache Tomcat instance. (CVE-2014-0119)All Tomcat users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. Tomcat must berestarted for this update to take effect.


  • redhat-upgrade-tomcat6
  • redhat-upgrade-tomcat6-admin-webapps
  • redhat-upgrade-tomcat6-docs-webapp
  • redhat-upgrade-tomcat6-el-2-1-api
  • redhat-upgrade-tomcat6-javadoc
  • redhat-upgrade-tomcat6-jsp-2-1-api
  • redhat-upgrade-tomcat6-lib
  • redhat-upgrade-tomcat6-servlet-2-5-api
  • redhat-upgrade-tomcat6-webapps

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center