PublicDateAtUSN: 2014-05-31
Candidate: CVE-2014-0119
PublicDate: 2014-05-31 11:17:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
 https://ubuntu.com/security/notices/USN-2654-1
Description:
 Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does
 not properly constrain the class loader that accesses the XML parser used
 with an XSLT stylesheet, which allows remote attackers to (1) read
 arbitrary files via a crafted web application that provides an XML
 external entity declaration in conjunction with an entity reference,
 related to an XML External Entity (XXE) issue, or (2) read files
 associated with different web applications on a single Tomcat instance
 via a crafted web application.
Ubuntu-Description:
 It was discovered that the Tomcat XML parser incorrectly handled XML
 External Entities (XXE). A remote attacker could possibly use this issue
 to read arbitrary files. This issue only affected Ubuntu 14.04 LTS.
Notes:
 mdeslaur> patch is intrusive
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1449975
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_tomcat6:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1589640
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1593815
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1593821
upstream_tomcat6: released (6.0.41-1)
lucid_tomcat6: ignored (reached end-of-life)
precise_tomcat6: ignored (reached end-of-life)
precise/esm_tomcat6: ignored (end of ESM support, was needed)
saucy_tomcat6: ignored (reached end-of-life)
trusty_tomcat6: released (6.0.39-1ubuntu0.1)
trusty/esm_tomcat6: released (6.0.39-1ubuntu0.1)
utopic_tomcat6: not-affected (6.0.41-1)
vivid_tomcat6: not-affected (6.0.41-1)
vivid/stable-phone-overlay_tomcat6: DNE
vivid/ubuntu-core_tomcat6: DNE
wily_tomcat6: not-affected (6.0.41-1)
xenial_tomcat6: not-affected (6.0.41-1)
yakkety_tomcat6: DNE
zesty_tomcat6: DNE
artful_tomcat6: DNE
bionic_tomcat6: DNE
cosmic_tomcat6: DNE
disco_tomcat6: DNE
eoan_tomcat6: DNE
focal_tomcat6: DNE
groovy_tomcat6: DNE
hirsute_tomcat6: DNE
devel_tomcat6: DNE

Patches_tomcat7:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1589763 (bp)
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1589851 (bp)
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1588199
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1589997
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1590028
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1590036
 vendor: https://git.centos.org/blob/rpms!tomcat.git/f90819793e4da6c0cc3e7c19d29b48710e29d05b/SOURCES!tomcat-7.0.42-CVE-2014-0119.patch
upstream_tomcat7: released (7.0.53-1)
lucid_tomcat7: DNE
precise_tomcat7: ignored (reached end-of-life)
precise/esm_tomcat7: DNE (precise was needed)
saucy_tomcat7: ignored (reached end-of-life)
trusty_tomcat7: released (7.0.52-1ubuntu0.3)
trusty/esm_tomcat7: released (7.0.52-1ubuntu0.3)
utopic_tomcat7: not-affected (7.0.53-1)
vivid_tomcat7: not-affected (7.0.53-1)
vivid/stable-phone-overlay_tomcat7: DNE
vivid/ubuntu-core_tomcat7: DNE
wily_tomcat7: not-affected (7.0.53-1)
xenial_tomcat7: not-affected (7.0.53-1)
yakkety_tomcat7: not-affected (7.0.53-1)
zesty_tomcat7: not-affected (7.0.53-1)
artful_tomcat7: not-affected (7.0.53-1)
bionic_tomcat7: not-affected (7.0.53-1)
cosmic_tomcat7: not-affected (7.0.53-1)
disco_tomcat7: DNE
eoan_tomcat7: DNE
focal_tomcat7: DNE
groovy_tomcat7: DNE
hirsute_tomcat7: DNE
devel_tomcat7: DNE

Patches_tomcat8:
upstream_tomcat8: released (8.0.5-1)
lucid_tomcat8: DNE
precise_tomcat8: DNE
precise/esm_tomcat8: DNE
saucy_tomcat8: DNE
trusty_tomcat8: DNE
trusty/esm_tomcat8: DNE
utopic_tomcat8: not-affected (8.0.9-1)
vivid_tomcat8: not-affected (8.0.9-1)
vivid/stable-phone-overlay_tomcat8: DNE
vivid/ubuntu-core_tomcat8: DNE
wily_tomcat8: not-affected (8.0.9-1)
xenial_tomcat8: not-affected (8.0.9-1)
esm-infra/xenial_tomcat8: not-affected (8.0.9-1)
yakkety_tomcat8: not-affected (8.0.9-1)
zesty_tomcat8: not-affected (8.0.9-1)
artful_tomcat8: not-affected (8.0.9-1)
bionic_tomcat8: not-affected (8.0.9-1)
cosmic_tomcat8: not-affected (8.0.9-1)
disco_tomcat8: DNE
eoan_tomcat8: DNE
focal_tomcat8: DNE
groovy_tomcat8: DNE
hirsute_tomcat8: DNE
devel_tomcat8: DNE
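The Description above names the bug class but not the mechanism. The following is an added example, not Tomcat code and not part of the Ubuntu tracker record: it uses Python's standard-library expat binding to show vector (1), an external entity declaration plus an entity reference that pulls a local file into element text, with a resolver that follows SYSTEM identifiers (the permissive behaviour) beside a parser that rejects any DOCTYPE (the hardened behaviour). The secret file contents, the temporary file and the element name `data` are constructed for the demonstration.

```python
"""XXE file read, permissive parser beside hardened parser (added example)."""
import pathlib
import tempfile
import urllib.request
import xml.parsers.expat as expat


def make_xxe_document(target_uri: str) -> bytes:
    """Attacker-supplied XML: an external entity whose SYSTEM identifier
    names a file, plus a reference that expands it inside element content."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE data [\n'
        b'  <!ENTITY xxe SYSTEM "' + target_uri.encode() + b'">\n'
        b']>\n'
        b'<data>&xxe;</data>\n'
    )


def _collecting_parser():
    """Expat parser that gathers character data found inside elements."""
    parser = expat.ParserCreate()
    state = {"depth": 0, "chunks": []}

    def start(name, attrs):
        state["depth"] += 1

    def end(name):
        state["depth"] -= 1

    def chars(text):
        if state["depth"] > 0:
            state["chunks"].append(text)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return parser, state


def parse_permissive(xml_bytes: bytes) -> str:
    """Vulnerable configuration: external general entities are fetched and
    parsed, so the referenced file's bytes become the element's text."""
    parser, state = _collecting_parser()

    def resolve_external(context, base, system_id, public_id):
        # Naive resolver: fetch whatever the SYSTEM id points at.
        # urlopen handles file:// offline; a network opener would add http://.
        with urllib.request.urlopen(system_id) as fh:
            entity_bytes = fh.read()
        # The child parser inherits the handlers, so the entity's text lands
        # in the same chunk list as the document's own character data.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(entity_bytes, True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_bytes, True)
    return "".join(state["chunks"])


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened configuration: no external entity resolver is installed, and
    any DOCTYPE (the only place an entity can be declared) is rejected."""
    parser, state = _collecting_parser()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(state["chunks"])


def demo() -> dict:
    """Write a constructed secret to a temp file and run both parsers on a
    document that references it. Returns what leaked and whether the
    hardened parser refused the document."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as fh:
        fh.write(b"s3cret-token")  # constructed sample secret
        secret_path = fh.name
    doc = make_xxe_document(pathlib.Path(secret_path).as_uri())
    leaked = parse_permissive(doc)
    try:
        parse_hardened(doc)
        blocked = False
    except ValueError:
        blocked = True
    pathlib.Path(secret_path).unlink()
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE is the stronger of the two hardening choices shown: merely leaving the external entity resolver unset still lets an attacker declare internal entities for expansion attacks, whereas a parser that refuses any DTD cannot be reached by either. The Tomcat fix also had a second dimension this example does not cover, namely constraining which class loader supplies the XSLT XML parser so one web application cannot reach another's files (vector (2) in the Description).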