var-201405-0543
Vulnerability from variot
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: tomcat security update Advisory ID: RHSA-2014:0827-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0827.html Issue date: 2014-07-02 CVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 =====================================================================
- Summary:
Updated tomcat packages that fix three security issues are now available for Red Hat Enterprise Linux 7.
The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
- Description:
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. (CVE-2014-0075)
It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099)
It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096)
The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security.
All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: tomcat-7.0.42-6.el7_0.src.rpm
noarch: tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: tomcat-7.0.42-6.el7_0.src.rpm
noarch: tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: tomcat-7.0.42-6.el7_0.src.rpm
noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: tomcat-7.0.42-6.el7_0.src.rpm
noarch: tomcat-7.0.42-6.el7_0.noarch.rpm tomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm tomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm tomcat-lib-7.0.42-6.el7_0.noarch.rpm tomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm tomcat-webapps-7.0.42-6.el7_0.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch: tomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm tomcat-javadoc-7.0.42-6.el7_0.noarch.rpm tomcat-jsvc-7.0.42-6.el7_0.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
- References:
https://www.redhat.com/security/data/cve/CVE-2014-0075.html https://www.redhat.com/security/data/cve/CVE-2014-0096.html https://www.redhat.com/security/data/cve/CVE-2014-0099.html https://access.redhat.com/security/updates/classification/#moderate http://tomcat.apache.org/security-7.html
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTs8+9XlSAg2UNWIIRAglqAJ4sw3DT+V4pFReZSRvkoW+f90gxdgCdFn5e bVOeybWcY1fm+xgpnE7T2ZM= =O2as -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . This enabled a denial of service attack.
Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released)
Credit: This issue was reported to the Tomcat security team by David Jorm of the Red Hat Security Response Team. (CVE-2014-0096)
It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web instance. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Mandriva Linux Security Advisory MDVSA-2015:052 http://www.mandriva.com/en/support/security/
Package : tomcat Date : March 3, 2015 Affected: Business Server 1.0
Problem Description:
Updated tomcat packages fix security vulnerabilities:
Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a Transfer-Encoding: chunked header (CVE-2013-4286).
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096). The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
iD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS NzlDtJatpPDeZdZ4nlO1fgg= =NWBY -----END PGP SIGNATURE----- . Solution:
The References section of this erratum contains a download link (you must log in to download the update). It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This update also fixes the following bug:
The tomcat6-lib-6.0.37-19_patch_04.ep6.el5 package, provided as a dependency of Red Hat JBoss Web Server 2.0.1, included a build of commons-dbcp.jar that used an incorrect java package name, causing applications using this dependency to not function properly. With this update, the java package name has been corrected.
This update also fixes the following bugs:
-
The patch that resolved the CVE-2014-0050 issue contained redundant code. This update removes the redundant code. (BZ#1094528)
-
The patch that resolved the CVE-2013-4322 issue contained an invalid check that triggered a java.io.EOFException while reading trailer headers for chunked requests. This update fixes the check and the aforementioned exception is no longer triggered in the described scenario. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-29
http://security.gentoo.org/
Severity: Normal Title: Apache Tomcat: Multiple vulnerabilities Date: December 15, 2014 Bugs: #442014, #469434, #500600, #511762, #517630, #519590 ID: 201412-29
Synopsis
Multiple vulnerabilities have been found in Apache Tomcat, the worst of which may result in Denial of Service.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/tomcat < 7.0.56 *>= 6.0.41 >= 7.0.56
Description
Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details.
Impact
A remote attacker may be able to cause a Denial of Service condition as well as obtain sensitive information, bypass protection mechanisms and authentication restrictions.
Workaround
There is no known workaround at this time.
Resolution
All Tomcat 6.0.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.41"
All Tomcat 7.0.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.56"
References
[ 1 ] CVE-2012-2733 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2733 [ 2 ] CVE-2012-3544 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3544 [ 3 ] CVE-2012-3546 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3546 [ 4 ] CVE-2012-4431 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4431 [ 5 ] CVE-2012-4534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4534 [ 6 ] CVE-2012-5885 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5885 [ 7 ] CVE-2012-5886 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5886 [ 8 ] CVE-2012-5887 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5887 [ 9 ] CVE-2013-2067 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2067 [ 10 ] CVE-2013-2071 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2071 [ 11 ] CVE-2013-4286 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4286 [ 12 ] CVE-2013-4322 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4322 [ 13 ] CVE-2013-4590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4590 [ 14 ] CVE-2014-0033 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0033 [ 15 ] CVE-2014-0050 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0050 [ 16 ] CVE-2014-0075 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0075 [ 17 ] CVE-2014-0096 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0096 [ 18 ] CVE-2014-0099 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0099 [ 19 ] CVE-2014-0119 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0119
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-29.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201405-0543",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.30"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.37"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.33"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.32"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.35"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.36"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.29"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.31"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "6.0.28"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.9"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.32"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.29"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.48"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.14"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.1"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.15"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.36"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.17"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.20"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.27"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.6"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.14"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.46"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "8.0.0"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.16"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.19"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.10"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.40"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.6"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.17"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.7"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.49"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "8.0.3"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.1"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.21"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.41"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.24"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.4"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.4"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.5"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.18"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.2"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.19"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.12"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.8"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.34"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.44"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.45"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.13"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "8.0.1"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.5"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.7"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.37"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.42"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.11"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.22"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.2"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.26"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.38"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.9"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.0"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.25"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.10"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.35"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.12"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.15"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.16"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.0"
},
{
"model": "tomcat",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.39"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.27"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.43"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.18"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.30"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.39"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.20"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.47"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.24"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.50"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.13"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.8"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.28"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.23"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.3"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.52"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.3"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.11"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.31"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "6.0.26"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.33"
},
{
"model": "fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "of oracle enterprise data quality 9.0.11"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.0.1.2"
},
{
"model": "rational lifecycle integration adapter",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "for hp alm 1.0 to 1.1"
},
{
"model": "virtualization",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "of oracle secure global desktop 4.63"
},
{
"model": "virtualization",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "of oracle secure global desktop 4.71"
},
{
"model": "communications policy management",
"scope": "lte",
"trust": 0.8,
"vendor": "oracle",
"version": "12.1.1 and earlier"
},
{
"model": "rational build forge",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "7.1.2"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.1"
},
{
"model": "jp1/cm2/network node manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "i"
},
{
"model": "tomcat",
"scope": "lt",
"trust": 0.8,
"vendor": "apache",
"version": "7.x"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.0"
},
{
"model": "tomcat",
"scope": "lt",
"trust": 0.8,
"vendor": "apache",
"version": "8.x"
},
{
"model": "communications policy management",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "9.9.1"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.0.1.1"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.0.1.3"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "8.0.4"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.0.1"
},
{
"model": "communications policy management",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "10.4.1"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.0.1.4"
},
{
"model": "jp1/cm2/network node manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "i advanced"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "7.0.53"
},
{
"model": "virtualization",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "of oracle secure global desktop 5.1"
},
{
"model": "communications policy management",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "9.7.3"
},
{
"model": "fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "of oracle enterprise data quality 8.1.2"
},
{
"model": "urbancode release",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.0.0.1"
},
{
"model": "virtualization",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "of oracle secure global desktop 5.0"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "6.0.39"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
},
{
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:apache:tomcat",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:ibm:ibm_urbancode_release",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:ibm:rational_build_forge",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:ibm:rational_lifecycle_integration_adapter",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:oracle:communications_policy_management",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:oracle:fusion_middleware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:oracle:virtualization_secure_global_desktop",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_cm2_network_node_manager",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "127325"
},
{
"db": "PACKETSTORM",
"id": "127367"
},
{
"db": "PACKETSTORM",
"id": "127366"
},
{
"db": "PACKETSTORM",
"id": "127338"
},
{
"db": "PACKETSTORM",
"id": "127335"
},
{
"db": "PACKETSTORM",
"id": "127413"
}
],
"trust": 0.6
},
"cve": "CVE-2014-0075",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2014-0075",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-0075",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2014-0075",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201405-585",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
},
{
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: tomcat security update\nAdvisory ID: RHSA-2014:0827-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2014-0827.html\nIssue date: 2014-07-02\nCVE Names: CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 \n=====================================================================\n\n1. Summary:\n\nUpdated tomcat packages that fix three security issues are now available\nfor Red Hat Enterprise Linux 7. \n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - noarch\nRed Hat Enterprise Linux Client Optional (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch\nRed Hat Enterprise Linux Server (v. 7) - noarch\nRed Hat Enterprise Linux Server Optional (v. 7) - noarch\nRed Hat Enterprise Linux Workstation (v. 7) - noarch\nRed Hat Enterprise Linux Workstation Optional (v. 7) - noarch\n\n3. Description:\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies. (CVE-2014-0075)\n\nIt was found that Apache Tomcat did not check for overflowing values when\nparsing request content length headers. A remote attacker could use this\nflaw to perform an HTTP request smuggling attack on a Tomcat server located\nbehind a reverse proxy that processed the content length header correctly. \n(CVE-2014-0099)\n\nIt was found that the org.apache.catalina.servlets.DefaultServlet\nimplementation in Apache Tomcat allowed the definition of XML External\nEntities (XXEs) in provided XSLTs. A malicious application could use this\nto circumvent intended security restrictions to disclose sensitive\ninformation. (CVE-2014-0096)\n\nThe CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product\nSecurity. \n\nAll Tomcat 7 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter\n1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs\n1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\ntomcat-7.0.42-6.el7_0.src.rpm\n\nnoarch:\ntomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nnoarch:\ntomcat-7.0.42-6.el7_0.noarch.rpm\ntomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm\ntomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm\ntomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-javadoc-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsvc-7.0.42-6.el7_0.noarch.rpm\ntomcat-lib-7.0.42-6.el7_0.noarch.rpm\ntomcat-webapps-7.0.42-6.el7_0.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\ntomcat-7.0.42-6.el7_0.src.rpm\n\nnoarch:\ntomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nnoarch:\ntomcat-7.0.42-6.el7_0.noarch.rpm\ntomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm\ntomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm\ntomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-javadoc-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsvc-7.0.42-6.el7_0.noarch.rpm\ntomcat-lib-7.0.42-6.el7_0.noarch.rpm\ntomcat-webapps-7.0.42-6.el7_0.noarch.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\ntomcat-7.0.42-6.el7_0.src.rpm\n\nnoarch:\ntomcat-7.0.42-6.el7_0.noarch.rpm\ntomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm\ntomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-lib-7.0.42-6.el7_0.noarch.rpm\ntomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-webapps-7.0.42-6.el7_0.noarch.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nnoarch:\ntomcat-7.0.42-6.el7_0.noarch.rpm\ntomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm\ntomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm\ntomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-javadoc-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsvc-7.0.42-6.el7_0.noarch.rpm\ntomcat-lib-7.0.42-6.el7_0.noarch.rpm\ntomcat-webapps-7.0.42-6.el7_0.noarch.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\ntomcat-7.0.42-6.el7_0.src.rpm\n\nnoarch:\ntomcat-7.0.42-6.el7_0.noarch.rpm\ntomcat-admin-webapps-7.0.42-6.el7_0.noarch.rpm\ntomcat-el-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsp-2.2-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-lib-7.0.42-6.el7_0.noarch.rpm\ntomcat-servlet-3.0-api-7.0.42-6.el7_0.noarch.rpm\ntomcat-webapps-7.0.42-6.el7_0.noarch.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nnoarch:\ntomcat-docs-webapp-7.0.42-6.el7_0.noarch.rpm\ntomcat-javadoc-7.0.42-6.el7_0.noarch.rpm\ntomcat-jsvc-7.0.42-6.el7_0.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2014-0075.html\nhttps://www.redhat.com/security/data/cve/CVE-2014-0096.html\nhttps://www.redhat.com/security/data/cve/CVE-2014-0099.html\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttp://tomcat.apache.org/security-7.html\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2014 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFTs8+9XlSAg2UNWIIRAglqAJ4sw3DT+V4pFReZSRvkoW+f90gxdgCdFn5e\nbVOeybWcY1fm+xgpnE7T2ZM=\n=O2as\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. This\nenabled a denial of service attack. \n\nMitigation:\nUsers of affected versions should apply one of the following mitigations\n- Upgrade to Apache Tomcat 8.0.5 or later\n (8.0.4 contains the fix but was not released)\n- Upgrade to Apache Tomcat 7.0.53 or later\n- Upgrade to Apache Tomcat 6.0.41 or later\n (6.0.40 contains the fix but was not released)\n\nCredit:\nThis issue was reported to the Tomcat security team by David Jorm of the\nRed Hat Security Response Team. (CVE-2014-0096)\n\nIt was found that, in certain circumstances, it was possible for a\nmalicious web application to replace the XML parsers used by JBoss Web to\nprocess XSLTs for the default servlet, JSP documents, tag library\ndescriptors (TLDs), and tag plug-in configuration files. The injected XML\nparser(s) could then bypass the limits imposed on XML external entities\nand/or gain access to the XML files processed for other web applications\ndeployed on the same JBoss Web instance. On update,\nthe configuration files that have been locally modified will not be\nupdated. The updated version of such files will be stored as the rpmnew\nfiles. Make sure to locate any such files after the update and merge any\nchanges manually. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n _______________________________________________________________________\n\n Mandriva Linux Security Advisory MDVSA-2015:052\n http://www.mandriva.com/en/support/security/\n _______________________________________________________________________\n\n Package : tomcat\n Date : March 3, 2015\n Affected: Business Server 1.0\n _______________________________________________________________________\n\n Problem Description:\n\n Updated tomcat packages fix security vulnerabilities:\n \n Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP\n connector is used, does not properly handle certain inconsistent HTTP\n request headers, which allows remote attackers to trigger incorrect\n identification of a request\u0026#039;s length and conduct request-smuggling\n attacks via (1) multiple Content-Length headers or (2) a Content-Length\n header and a Transfer-Encoding: chunked header (CVE-2013-4286). \n \n java/org/apache/catalina/servlets/DefaultServlet.java in the default\n servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not\n properly restrict XSLT stylesheets, which allows remote attackers\n to bypass security-manager restrictions and read arbitrary files\n via a crafted web application that provides an XML external entity\n declaration in conjunction with an entity reference, related to an\n XML External Entity (XXE) issue (CVE-2014-0096). The verification\n of md5 checksums and GPG signatures is performed automatically for you. You can obtain the\n GPG public key of the Mandriva Security Team by executing:\n\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\n\n You can view other update advisories for Mandriva Linux at:\n\n http://www.mandriva.com/en/support/security/advisories/\n\n If you want to report vulnerabilities, please contact\n\n security_(at)_mandriva.com\n _______________________________________________________________________\n\n Type Bits/KeyID Date User ID\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\n \u003csecurity*mandriva.com\u003e\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.12 (GNU/Linux)\n\niD8DBQFU9XSSmqjQ0CJFipgRAorsAKDX0BTWLEiMn3+FR9/Xn58Pw7GIMwCfRAbS\nNzlDtJatpPDeZdZ4nlO1fgg=\n=NWBY\n-----END PGP SIGNATURE-----\n. Solution:\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library. \n\nThis update also fixes the following bug:\n\nThe tomcat6-lib-6.0.37-19_patch_04.ep6.el5 package, provided as a\ndependency of Red Hat JBoss Web Server 2.0.1, included a build of\ncommons-dbcp.jar that used an incorrect java package name, causing\napplications using this dependency to not function properly. With this\nupdate, the java package name has been corrected. \n\nThis update also fixes the following bugs:\n\n* The patch that resolved the CVE-2014-0050 issue contained redundant code. \nThis update removes the redundant code. (BZ#1094528)\n\n* The patch that resolved the CVE-2013-4322 issue contained an invalid\ncheck that triggered a java.io.EOFException while reading trailer headers\nfor chunked requests. This update fixes the check and the aforementioned\nexception is no longer triggered in the described scenario. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201412-29\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: Apache Tomcat: Multiple vulnerabilities\n Date: December 15, 2014\n Bugs: #442014, #469434, #500600, #511762, #517630, #519590\n ID: 201412-29\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Apache Tomcat, the worst of\nwhich may result in Denial of Service. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 www-servers/tomcat \u003c 7.0.56 *\u003e= 6.0.41\n \u003e= 7.0.56\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Tomcat. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker may be able to cause a Denial of Service condition as\nwell as obtain sensitive information, bypass protection mechanisms and\nauthentication restrictions. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Tomcat 6.0.x users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/tomcat-6.0.41\"\n\nAll Tomcat 7.0.x users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/tomcat-7.0.56\"\n\nReferences\n==========\n\n[ 1 ] CVE-2012-2733\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2733\n[ 2 ] CVE-2012-3544\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3544\n[ 3 ] CVE-2012-3546\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3546\n[ 4 ] CVE-2012-4431\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4431\n[ 5 ] CVE-2012-4534\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4534\n[ 6 ] CVE-2012-5885\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5885\n[ 7 ] CVE-2012-5886\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5886\n[ 8 ] CVE-2012-5887\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5887\n[ 9 ] CVE-2013-2067\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2067\n[ 10 ] CVE-2013-2071\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2071\n[ 11 ] CVE-2013-4286\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4286\n[ 12 ] CVE-2013-4322\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4322\n[ 13 ] CVE-2013-4590\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4590\n[ 14 ] CVE-2014-0033\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0033\n[ 15 ] CVE-2014-0050\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0050\n[ 16 ] CVE-2014-0075\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0075\n[ 17 ] CVE-2014-0096\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0096\n[ 18 ] CVE-2014-0099\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0099\n[ 19 ] CVE-2014-0119\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0119\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201412-29.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2014 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-0075"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "PACKETSTORM",
"id": "127325"
},
{
"db": "PACKETSTORM",
"id": "126837"
},
{
"db": "PACKETSTORM",
"id": "127367"
},
{
"db": "PACKETSTORM",
"id": "130617"
},
{
"db": "PACKETSTORM",
"id": "127366"
},
{
"db": "PACKETSTORM",
"id": "127338"
},
{
"db": "PACKETSTORM",
"id": "127335"
},
{
"db": "PACKETSTORM",
"id": "127413"
},
{
"db": "PACKETSTORM",
"id": "129553"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-0075",
"trust": 3.3
},
{
"db": "SECUNIA",
"id": "59678",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "60793",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "59616",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "59835",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "59849",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "59121",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "59732",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "59873",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "60729",
"trust": 1.6
},
{
"db": "BID",
"id": "67671",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002698",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "127325",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "126837",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "127367",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130617",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "127366",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "127338",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "127335",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "127413",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "129553",
"trust": 0.1
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "PACKETSTORM",
"id": "127325"
},
{
"db": "PACKETSTORM",
"id": "126837"
},
{
"db": "PACKETSTORM",
"id": "127367"
},
{
"db": "PACKETSTORM",
"id": "130617"
},
{
"db": "PACKETSTORM",
"id": "127366"
},
{
"db": "PACKETSTORM",
"id": "127338"
},
{
"db": "PACKETSTORM",
"id": "127335"
},
{
"db": "PACKETSTORM",
"id": "127413"
},
{
"db": "PACKETSTORM",
"id": "129553"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
},
{
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"id": "VAR-201405-0543",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.15072303
},
"last_update_date": "2024-09-18T23:04:16.827000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Apache Tomcat 6.x vulnerabilities",
"trust": 0.8,
"url": "http://tomcat.apache.org/security-6.html"
},
{
"title": "Apache Tomcat 7.x vulnerabilities",
"trust": 0.8,
"url": "http://tomcat.apache.org/security-7.html"
},
{
"title": "Apache Tomcat 8.x vulnerabilities",
"trust": 0.8,
"url": "http://tomcat.apache.org/security-8.html"
},
{
"title": "Revision 1578341",
"trust": 0.8,
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1578341"
},
{
"title": "Revision 1578337",
"trust": 0.8,
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1578337"
},
{
"title": "Revision 1579262",
"trust": 0.8,
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1579262"
},
{
"title": "HS15-007",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-007/index.html"
},
{
"title": "HPSBUX03150 SSRT101681",
"trust": 0.8,
"url": "http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04483248\u0026lang=en\u0026cc=us"
},
{
"title": "1680603",
"trust": 0.8,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680603"
},
{
"title": "1681528",
"trust": 0.8,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681528"
},
{
"title": "1678231",
"trust": 0.8,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678231"
},
{
"title": "7010166",
"trust": 0.8,
"url": "http://www.novell.com/support/kb/doc.php?id=7010166 "
},
{
"title": "ELSA-2014-0865",
"trust": 0.8,
"url": "http://linux.oracle.com/errata/ELSA-2014-0865.html"
},
{
"title": "Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html"
},
{
"title": "Oracle Critical Patch Update Advisory - October 2016",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"title": "Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html"
},
{
"title": "Oracle Critical Patch Update Advisory - October 2014",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"title": "Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html"
},
{
"title": "Oracle Critical Patch Update Advisory - July 2014",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"title": "RHSA-2015:0765",
"trust": 0.8,
"url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"
},
{
"title": "RHSA-2015:0234",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/RHSA-2015-0234.html"
},
{
"title": "RHSA-2015:0235",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/RHSA-2015-0235.html"
},
{
"title": "RHSA-2015:0675",
"trust": 0.8,
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"title": "RHSA-2015:0720",
"trust": 0.8,
"url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"
},
{
"title": "October 2016 Critical Patch Update Released",
"trust": 0.8,
"url": "https://blogs.oracle.com/security/entry/october_2016_critical_patch_update"
},
{
"title": "CVE-2014-0075 Numeric Errors vulnerability in Apache Tomcat ",
"trust": 0.8,
"url": "https://blogs.oracle.com/sunsecurity/entry/cve_2014_0075_numeric_errors"
},
{
"title": "October 2014 Critical Patch Update Released",
"trust": 0.8,
"url": "https://blogs.oracle.com/security/entry/october_2014_critical_patch_update"
},
{
"title": "VMSA-2014-0012",
"trust": 0.8,
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"title": "HS15-007",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS15-007/index.html"
},
{
"title": "apache-tomcat-7.0.53",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50506"
},
{
"title": "apache-tomcat-8.0.5",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50510"
},
{
"title": "apache-tomcat-6.0.41",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50505"
},
{
"title": "apache-tomcat-8.0.5",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50509"
},
{
"title": "apache-tomcat-6.0.41",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50504"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-189",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://advisories.mageia.org/mgasa-2014-0268.html"
},
{
"trust": 1.8,
"url": "http://tomcat.apache.org/security-7.html"
},
{
"trust": 1.8,
"url": "http://tomcat.apache.org/security-6.html"
},
{
"trust": 1.7,
"url": "http://tomcat.apache.org/security-8.html"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=144498216801440\u0026w=2"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/67671"
},
{
"trust": 1.6,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-february/150282.html"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2016/dsa-3447"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"trust": 1.6,
"url": "http://rhn.redhat.com/errata/rhsa-2015-0675.html"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=141017844705317\u0026w=2"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/60729"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/59121"
},
{
"trust": 1.6,
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1578341"
},
{
"trust": 1.6,
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/59732"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/59678"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/59835"
},
{
"trust": 1.6,
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04851013"
},
{
"trust": 1.6,
"url": "http://www.mandriva.com/security/advisories?name=mdvsa-2015:052"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/59616"
},
{
"trust": 1.6,
"url": "http://www.mandriva.com/security/advisories?name=mdvsa-2015:053"
},
{
"trust": 1.6,
"url": "http://www.vmware.com/security/advisories/vmsa-2014-0012.html"
},
{
"trust": 1.6,
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"trust": 1.6,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"trust": 1.6,
"url": "http://linux.oracle.com/errata/elsa-2014-0865.html"
},
{
"trust": 1.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681528"
},
{
"trust": 1.6,
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1579262"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=141390017113542\u0026w=2"
},
{
"trust": 1.6,
"url": "http://www.novell.com/support/kb/doc.php?id=7010166"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/59873"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"trust": 1.6,
"url": "http://seclists.org/fulldisclosure/2014/dec/23"
},
{
"trust": 1.6,
"url": "http://www.mandriva.com/security/advisories?name=mdvsa-2015:084"
},
{
"trust": 1.6,
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1578337"
},
{
"trust": 1.6,
"url": "http://rhn.redhat.com/errata/rhsa-2015-0720.html"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/59849"
},
{
"trust": 1.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680603"
},
{
"trust": 1.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678231"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/60793"
},
{
"trust": 1.6,
"url": "http://rhn.redhat.com/errata/rhsa-2015-0765.html"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.9,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0075"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0075"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0075"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0096"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0099"
},
{
"trust": 0.6,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.6,
"url": "https://www.redhat.com/security/data/cve/cve-2014-0075.html"
},
{
"trust": 0.6,
"url": "https://www.redhat.com/security/data/cve/cve-2014-0096.html"
},
{
"trust": 0.6,
"url": "https://www.redhat.com/security/data/cve/cve-2014-0099.html"
},
{
"trust": 0.6,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/key/#package"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0119"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/site/articles/11258"
},
{
"trust": 0.2,
"url": "https://www.redhat.com/security/data/cve/cve-2014-0119.html"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4286"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4590"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4322"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/knowledge/articles/11258"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0827.html"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0843.html"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4322"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4286"
},
{
"trust": 0.1,
"url": "http://advisories.mageia.org/mgasa-2014-0148.html"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0227"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0119"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/advisories/"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4590"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0099"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0096"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0227"
},
{
"trust": 0.1,
"url": "http://advisories.mageia.org/mgasa-2015-0081.html"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0842.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform\u0026downloadtype=securitypatches\u0026version=6.2.0"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0835.html"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0834.html"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0865.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-5885"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0033"
},
{
"trust": 0.1,
"url": "http://security.gentoo.org/glsa/glsa-201412-29.xml"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-3546"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3546"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-5887"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4431"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0050"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-5887"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-2067"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-5886"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-2733"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-4286"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0119"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0075"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-2071"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3544"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-2071"
},
{
"trust": 0.1,
"url": "http://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0099"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-2067"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-4322"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-5886"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-4590"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-2733"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0096"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-3544"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-4534"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-5885"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0033"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-4431"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0050"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4534"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "PACKETSTORM",
"id": "127325"
},
{
"db": "PACKETSTORM",
"id": "126837"
},
{
"db": "PACKETSTORM",
"id": "127367"
},
{
"db": "PACKETSTORM",
"id": "130617"
},
{
"db": "PACKETSTORM",
"id": "127366"
},
{
"db": "PACKETSTORM",
"id": "127338"
},
{
"db": "PACKETSTORM",
"id": "127335"
},
{
"db": "PACKETSTORM",
"id": "127413"
},
{
"db": "PACKETSTORM",
"id": "129553"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
},
{
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"db": "PACKETSTORM",
"id": "127325"
},
{
"db": "PACKETSTORM",
"id": "126837"
},
{
"db": "PACKETSTORM",
"id": "127367"
},
{
"db": "PACKETSTORM",
"id": "130617"
},
{
"db": "PACKETSTORM",
"id": "127366"
},
{
"db": "PACKETSTORM",
"id": "127338"
},
{
"db": "PACKETSTORM",
"id": "127335"
},
{
"db": "PACKETSTORM",
"id": "127413"
},
{
"db": "PACKETSTORM",
"id": "129553"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
},
{
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-06-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"date": "2014-07-02T21:43:13",
"db": "PACKETSTORM",
"id": "127325"
},
{
"date": "2014-05-29T23:42:59",
"db": "PACKETSTORM",
"id": "126837"
},
{
"date": "2014-07-07T20:28:43",
"db": "PACKETSTORM",
"id": "127367"
},
{
"date": "2015-03-03T16:54:21",
"db": "PACKETSTORM",
"id": "130617"
},
{
"date": "2014-07-07T20:28:32",
"db": "PACKETSTORM",
"id": "127366"
},
{
"date": "2014-07-03T23:00:52",
"db": "PACKETSTORM",
"id": "127338"
},
{
"date": "2014-07-03T23:00:31",
"db": "PACKETSTORM",
"id": "127335"
},
{
"date": "2014-07-09T18:51:14",
"db": "PACKETSTORM",
"id": "127413"
},
{
"date": "2014-12-15T20:00:49",
"db": "PACKETSTORM",
"id": "129553"
},
{
"date": "2014-05-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201405-585"
},
{
"date": "2014-05-31T11:17:13.093000",
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-11-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-002698"
},
{
"date": "2019-04-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201405-585"
},
{
"date": "2023-11-07T02:18:07.613000",
"db": "NVD",
"id": "CVE-2014-0075"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "127325"
},
{
"db": "PACKETSTORM",
"id": "127367"
},
{
"db": "PACKETSTORM",
"id": "130617"
},
{
"db": "PACKETSTORM",
"id": "127366"
},
{
"db": "PACKETSTORM",
"id": "127338"
},
{
"db": "PACKETSTORM",
"id": "127335"
},
{
"db": "PACKETSTORM",
"id": "127413"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
}
],
"trust": 1.3
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache Tomcat of java/org/apache/coyote/http11/filters/ChunkedInputFilter.java Integer overflow vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002698"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "digital error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201405-585"
}
],
"trust": 0.6
}
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.