It was found that JBoss Web / Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web / Apache Tomcat server located behind a reverse proxy that processed the content length header correctly.
Find out more about CVE-2014-0099 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Moderate security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Base Score | 5.8 |
---|---|
Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | Partial |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) | RHSA-2014:0843 | 2014-07-07 |
Red Hat Enterprise Linux 6 (tomcat6) | RHSA-2014:0865 | 2014-07-09 |
Red Hat Enterprise Linux 7 (tomcat) | RHSA-2014:0827 | 2014-07-02 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (tomcat7) | RHSA-2014:0835 | 2014-07-03 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (tomcat6) | RHSA-2014:0834 | 2014-07-03 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (tomcat7) | RHSA-2014:0835 | 2014-07-03 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (tomcat6) | RHSA-2014:0834 | 2014-07-03 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) | RHSA-2014:0843 | 2014-07-07 |
Platform | Package | State |
---|---|---|
Red Hat JBoss Portal Platform 6 | jbossweb | Will not fix |
Red Hat JBoss Operations Network 3 | jbossweb | Will not fix |
Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix |
Red Hat JBoss EWS 1 | tomcat6 | Will not fix |
Red Hat JBoss EWS 1 | tomcat5 | Will not fix |
Red Hat JBoss EAP 5 | jbossweb | Will not fix |
Red Hat JBoss Data Virtualization 6 | jbossweb | Will not fix |
Red Hat JBoss Data Grid 6 | jbossweb | Will not fix |
Red Hat JBoss BRMS 6 | jbossweb | Will not fix |
Red Hat JBoss BPMS 6 | jbossweb | Will not fix |
Red Hat Enterprise Linux 5 | tomcat5 | Will not fix |