Red Hat 7: RHSA-2014:1034-01 Low: Tomcat XML Parsing Issue

Updated tomcat packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security [More...]

====================================================================                   Red Hat Security Advisory

Synopsis:          Low: tomcat security update
Advisory ID:       RHSA-2014:1034-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:1034.html
Issue date:        2014-08-07
CVE Names:         CVE-2014-0119 
====================================================================
1. Summary:

Updated tomcat packages that fix one security issue are now available for
Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by Apache Tomcat
to process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same Apache Tomcat instance. (CVE-2014-0119)

All Tomcat users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. Tomcat must be restarted
for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
tomcat-7.0.42-8.el7_0.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
tomcat-7.0.42-8.el7_0.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
tomcat-7.0.42-8.el7_0.src.rpm

noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
tomcat-7.0.42-8.el7_0.src.rpm

noarch:
tomcat-7.0.42-8.el7_0.noarch.rpm
tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm
tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm
tomcat-lib-7.0.42-8.el7_0.noarch.rpm
tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
tomcat-webapps-7.0.42-8.el7_0.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm
tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm
tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/cve/CVE-2014-0119
https://access.redhat.com/security/updates/classification/#low
https://tomcat.apache.org/security-6.html

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

Red Hat 7: RHSA-2014:1034-01 Low: Tomcat XML Parsing Issue

red hat

August 7, 2014

Updated tomcat packages that fix one security issue are now available for Red Hat Enterprise Linux 7

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Summary

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119)
All Tomcat users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Tomcat must be restarted for this update to take effect.

Topics Covered

security advisory security update web application low severity red hat enterprise apache tomcat xml parsing

References

https://access.redhat.com/security/cve/CVE-2014-0119 https://access.redhat.com/security/updates/classification/#low https://tomcat.apache.org/security-6.html

Package List

Red Hat Enterprise Linux Client (v. 7):
Source: tomcat-7.0.42-8.el7_0.src.rpm
noarch: tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm tomcat-lib-7.0.42-8.el7_0.noarch.rpm tomcat-webapps-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: tomcat-7.0.42-8.el7_0.src.rpm
noarch: tomcat-servlet-3.0-api-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-8.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-javadoc-7.0.42-8.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-8.el7_0.noarch.rpm tomcat-jsvc-7.0.42-8.el7_0.noarch.rpm tomcat-lib-7.0.42-8.el7_0.noarch.rpm tomcat-webapps-7.0.42-8.el7_0.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: tomcat-7.0.42-8.el7_0.src.rpm
noarch: tomcat-7.0.42-8.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-8.el7_0.noarch.rpm

Read the Full Advisory

Severity

low

Lowest

Low

Medium

High

Critical

Advisory ID: RHSA-2014:1034-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2014:1034.html

Issue date: 2014-08-07

Topic

Updated tomcat packages that fix one security issue are now available forRed Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having Low securityimpact. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available from the CVE link in theReferences section.

Topics Covered

security advisory security update web application low severity red hat enterprise apache tomcat xml parsing

Relevant Releases Architectures

Red Hat Enterprise Linux Client (v. 7) - noarch

Red Hat Enterprise Linux Client Optional (v. 7) - noarch

Red Hat Enterprise Linux ComputeNode (v. 7) - noarch

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch

Red Hat Enterprise Linux Server (v. 7) - noarch

Red Hat Enterprise Linux Server Optional (v. 7) - noarch

Red Hat Enterprise Linux Workstation (v. 7) - noarch

Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

Bugs Fixed

1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Red Hat 7: RHSA-2014:1034-01 Low: Tomcat XML Parsing Issue

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Red Hat 7: RHSA-2014:1034-01 Low: Tomcat XML Parsing Issue

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Red Hat 7: RHSA-2014:1034-01 Low: Tomcat XML Parsing Issue

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Red Hat 7: RHSA-2014:1034-01 Low: Tomcat XML Parsing Issue

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!