#VU64553 Permissions, Privileges, and Access Controls in Apache Tomcat
Vulnerability identifier: #VU64553
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Tomcat
Server applications /
Web servers
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to Apache Tomcat does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet. A remote attacker can read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or read files associated with different web applications on a single Tomcat instance via a crafted web application.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Tomcat: 6.0.0 - 6.0.39, 7.0.0 - 7.0.53, 8.0.0 RC10 - 8.0.5
External links
http://advisories.mageia.org/MGASA-2014-0268.html
http://marc.info/?l=bugtraq&m=141017844705317&w=2
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://rhn.redhat.com/errata/RHSA-2015-0765.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://seclists.org/fulldisclosure/2014/May/141
http://secunia.com/advisories/59732
http://secunia.com/advisories/59873
http://secunia.com/advisories/60729
http://svn.apache.org/viewvc?view=revision&revision=1588193
http://svn.apache.org/viewvc?view=revision&revision=1588199
http://svn.apache.org/viewvc?view=revision&revision=1589640
http://svn.apache.org/viewvc?view=revision&revision=1589837
http://svn.apache.org/viewvc?view=revision&revision=1589980
http://svn.apache.org/viewvc?view=revision&revision=1589983
http://svn.apache.org/viewvc?view=revision&revision=1589985
http://svn.apache.org/viewvc?view=revision&revision=1589990
http://svn.apache.org/viewvc?view=revision&revision=1589992
http://svn.apache.org/viewvc?view=revision&revision=1589997
http://svn.apache.org/viewvc?view=revision&revision=1590028
http://svn.apache.org/viewvc?view=revision&revision=1590036
http://svn.apache.org/viewvc?view=revision&revision=1593815
http://svn.apache.org/viewvc?view=revision&revision=1593821
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://www.debian.org/security/2016/dsa-3530
http://www.debian.org/security/2016/dsa-3552
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/67669
http://www.securitytracker.com/id/1030298
http://www.ubuntu.com/usn/USN-2654-1
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
http://www-01.ibm.com/support/docview.wss?uid=swg21681528
http://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
http://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
http://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
