It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information.
Find out more about CVE-2014-0096 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Low security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Base Score | 2.1 |
---|---|
Base Metrics | AV:N/AC:H/Au:S/C:P/I:N/A:N |
Access Vector | Network |
Access Complexity | High |
Authentication | Single |
Confidentiality Impact | Partial |
Integrity Impact | None |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) | RHSA-2014:0843 | 2014-07-07 |
Red Hat Enterprise Linux 6 (tomcat6) | RHSA-2014:0865 | 2014-07-09 |
Red Hat Enterprise Linux 7 (tomcat) | RHSA-2014:0827 | 2014-07-02 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (tomcat7) | RHSA-2014:0835 | 2014-07-03 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (tomcat6) | RHSA-2014:0834 | 2014-07-03 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (tomcat7) | RHSA-2014:0835 | 2014-07-03 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (tomcat6) | RHSA-2014:0834 | 2014-07-03 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) | RHSA-2014:0843 | 2014-07-07 |
Platform | Package | State |
---|---|---|
Red Hat JBoss Portal Platform 6 | jbossweb | Will not fix |
Red Hat JBoss Operations Network 3 | jbossweb | Not affected |
Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix |
Red Hat JBoss EWS 1 | tomcat6 | Will not fix |
Red Hat JBoss EWS 1 | tomcat5 | Will not fix |
Red Hat JBoss EAP 5 | jbossweb | Will not fix |
Red Hat JBoss Data Virtualization 6 | jbossweb | Will not fix |
Red Hat JBoss Data Grid 6 | jbossweb | Will not fix |
Red Hat JBoss BRMS 6 | jbossweb | Will not fix |
Red Hat JBoss BPMS 6 | jbossweb | Will not fix |
Red Hat Enterprise Linux 5 | tomcat5 | Will not fix |