Oval Definition: oval:org.mitre.oval:def:26374
Revision Date: 2014-10-13
Version: 9
Title: RHSA-2014:1038: tomcat6 security update (Low)
Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment. (CVE-2013-4590)

It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119)

All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix
Class: patch
Status: ACCEPTED
Reference(s): CESA-2014:1038
CVE-2013-4590
CVE-2014-0119
RHSA-2014:1038-00
Platform(s): CentOS Linux 6
Red Hat Enterprise Linux 6
Product(s): tomcat6
Definition Synopsis
  • Red Hat 6 or CentOS 6 release
      • The operating system installed on the system is Red Hat Enterprise Linux 6
      • OR The operating system installed on the system is CentOS Linux 6.x
  • AND Packages section
      • tomcat6 is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-admin-webapps is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-docs-webapp is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-el-2.1-api is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-javadoc is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-jsp-2.1-api is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-lib is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-servlet-2.5-api is earlier than 0:6.0.24-78.el6_5
      • OR tomcat6-webapps is earlier than 0:6.0.24-78.el6_5