exploit the possibilities

Red Hat Security Advisory 2014-0843-01

Red Hat Security Advisory 2014-0843-01
Posted Jul 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0843-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. It was found that JBoss Web did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web server located behind a reverse proxy that processed the content length header correctly.

tags | advisory, java, remote, web, denial of service, overflow
systems | linux, redhat
advisories | CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119
MD5 | f0f2300e5202316ceb144a9cce5fba6a

Red Hat Security Advisory 2014-0843-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update
Advisory ID: RHSA-2014:0843-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0843.html
Issue date: 2014-07-07
CVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099
CVE-2014-0119
=====================================================================

1. Summary:

Updated Red Hat JBoss Enterprise Application Platform 6.2.4 packages that
fix multiple security issues are now available for Red Hat Enterprise Linux
5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

It was discovered that JBoss Web did not limit the length of chunk sizes
when using chunked transfer encoding. A remote attacker could use this flaw
to perform a denial of service attack against JBoss Web by streaming an
unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)

It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a JBoss Web server
located behind a reverse proxy that processed the content length header
correctly. (CVE-2014-0099)

It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External Entities
(XXEs) in provided XSLTs. A malicious application could use this to
circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)

It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. (CVE-2014-0119)

The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.

All users of Red Hat JBoss Enterprise Application Platform 6.2.4 on Red Hat
Enterprise Linux 5 and 6 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized Red
Hat JBoss Enterprise Application Platform 6 configuration files. On update,
the configuration files that have been locally modified will not be
updated. The updated version of such files will be stored as the rpmnew
files. Make sure to locate any such files after the update and merge any
changes manually.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server:

Source:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.src.rpm

noarch:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server:

Source:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.src.rpm

noarch:
jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0096.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://www.redhat.com/security/data/cve/CVE-2014-0119.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTurZGXlSAg2UNWIIRAjQuAJ9G3FrmmxQq8xNK5ngLTL/E35dXQgCdFTvu
rNpjwHEU4w/Fa4I/WyPuVh0=
=tXq5
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close