Patches Issued for Apache Tomcat

Wednesday, June 4, 2014 @ 06:06 AM gHale

Apache patched a series of low-level Tomcat bugs that could allow attackers to launch denial of service and bypass file access restrictions.

The vulnerabilities affected versions six, seven and eight of the open source web server. The holes first came to light between February and April and were patched in May.


An information disclosure affecting version six (CVE-2014-0096) allowed a malicious web app to bypass file access constraints under certain conditions:

The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these stylesheets was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.
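As an added illustration, not Tomcat's code and not the fix Apache shipped, the Java snippet below shows the generic JAXP hardening that stops an application-supplied stylesheet from pulling in external entities: secure processing enabled, and access to external DTDs and stylesheets switched off. The stylesheet, the listing document and the temporary "secret" file it points at are all constructed for the demo; the same stylesheet is run once through a default factory and once through the hardened one.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedXsltListing {

    // Constructed stand-in for the directory-listing document the servlet feeds to the XSLT.
    static final String LISTING_XML = "<listing><entry>index.html</entry></listing>";

    // Constructed stylesheet (not from the advisory): its DTD declares an external entity
    // whose SYSTEM identifier is a file URI supplied by the caller.
    static String untrustedXslt(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE xsl:stylesheet [<!ENTITY leak SYSTEM \"" + fileUri + "\">]>\n"
             + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
             + "  <xsl:output method=\"text\"/>\n"
             + "  <xsl:template match=\"/\">&leak;</xsl:template>\n"
             + "</xsl:stylesheet>\n";
    }

    // Factory used to compile a web-application-supplied stylesheet. When hardened,
    // JAXP secure processing is on and external DTD/stylesheet access is set to the
    // empty string (no protocols allowed), so the entity above cannot read a file.
    static TransformerFactory newFactory(boolean hardened) {
        TransformerFactory tf = TransformerFactory.newInstance();
        if (hardened) {
            try {
                tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            } catch (TransformerConfigurationException e) {
                throw new IllegalStateException("secure processing unsupported", e);
            }
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        }
        return tf;
    }

    // Compiles the stylesheet and applies it to the listing; throws if the parser
    // refuses to resolve the external entity.
    static String render(TransformerFactory tf, String xslt, String xml) throws Exception {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for a resource the security manager
        // would deny the web application; removed again at the end.
        Path secret = Files.createTempFile("listing-demo", ".txt");
        Files.write(secret, "CONSTRUCTED-SECRET".getBytes(StandardCharsets.UTF_8));
        String xslt = untrustedXslt(secret.toUri().toString());
        try {
            for (boolean hardened : new boolean[] {false, true}) {
                String label = hardened ? "hardened factory" : "default factory ";
                try {
                    String out = render(newFactory(hardened), xslt, LISTING_XML);
                    boolean leaked = out.contains("CONSTRUCTED-SECRET");
                    System.out.println(label + ": transform ran, file content in output = " + leaked);
                } catch (Exception e) {
                    System.out.println(label + ": transform rejected (" + e.getClass().getSimpleName() + ")");
                }
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the default factory the transform runs and the file content appears in the output; with the hardened factory `newTransformer` fails while compiling the stylesheet, because the parser is no longer allowed to open the `file:` URI. The point for a defender is that the XSLT engine, not the security manager, is the layer that needs the restriction when the stylesheet itself is untrusted.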

One of the DoS bugs (CVE-2014-0075) allowed attackers to send unlimited amounts of data to the server via a malformed chunk.

Users should upgrade to the latest versions to protect against the disclosures and vulnerabilities.
