#VU64550 Permissions, Privileges, and Access Controls in Apache Tomcat
Vulnerability identifier: #VU64550
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Tomcat
Server applications /
Web servers
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat does not properly restrict XSLT stylesheets. A remote attacker can bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Tomcat: 6.0.0 - 6.0.39, 7.0.0 - 7.0.52, 8.0.0 - 8.0.1
External links
http://advisories.mageia.org/MGASA-2014-0268.html
http://linux.oracle.com/errata/ELSA-2014-0865.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
http://marc.info/?l=bugtraq&m=141017844705317&w=2
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://rhn.redhat.com/errata/RHSA-2015-0765.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://seclists.org/fulldisclosure/2014/May/135
http://secunia.com/advisories/59121
http://secunia.com/advisories/59616
http://secunia.com/advisories/59678
http://secunia.com/advisories/59732
http://secunia.com/advisories/59835
http://secunia.com/advisories/59849
http://secunia.com/advisories/59873
http://secunia.com/advisories/60729
http://svn.apache.org/viewvc?view=revision&revision=1578610
http://svn.apache.org/viewvc?view=revision&revision=1578611
http://svn.apache.org/viewvc?view=revision&revision=1578637
http://svn.apache.org/viewvc?view=revision&revision=1578655
http://svn.apache.org/viewvc?view=revision&revision=1585853
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://www.debian.org/security/2016/dsa-3530
http://www.debian.org/security/2016/dsa-3552
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.novell.com/support/kb/doc.php?id=7010166
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/67667
http://www.securitytracker.com/id/1030301
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
http://www-01.ibm.com/support/docview.wss?uid=swg21681528
http://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
http://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
