Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2014:0525 - Security Advisory
Issued:
2014-05-21
Updated:
2014-05-21

RHSA-2014:0525 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated tomcat6 packages that fix multiple security issues are now
available for Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5
and 6.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

It was found that when Tomcat processed a series of HTTP requests in which
at least one request contained either multiple content-length headers, or
one content-length header with a chunked transfer-encoding header, Tomcat
would incorrectly handle the request. A remote attacker could use this flaw
to poison a web cache, perform cross-site scripting (XSS) attacks, or
obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a
denial of service flaw in the way Tomcat processed chunk extensions and
trailing headers in chunked requests. A remote attacker could use this flaw
to send an excessively long request that, when processed by Tomcat, could
consume network bandwidth, CPU, and memory on the Tomcat server. Note that
chunked transfer encoding is enabled by default. (CVE-2013-4322)

It was found that previous fixes in Tomcat 6 to path parameter handling
introduced a regression that caused Tomcat to not properly disable URL
rewriting to track session IDs when the disableURLRewriting option was
enabled. A man-in-the-middle attacker could potentially use this flaw to
hijack a user's session. (CVE-2014-0033)

A denial of service flaw was found in the way Apache Commons FileUpload,
which is embedded in Tomcat, handled small-sized buffers used by
MultipartStream. A remote attacker could use this flaw to create a
malformed Content-Type header for a multipart request, causing Tomcat to
enter an infinite loop when processing such an incoming request.
(CVE-2014-0050)

All users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these
updated tomcat6 packages, which contain backported patches to correct these
issues. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • JBoss Enterprise Web Server 2 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 6 i386
  • JBoss Enterprise Web Server 2 for RHEL 5 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 5 i386

Fixes

  • BZ - 1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
  • BZ - 1069905 - CVE-2013-4322 tomcat: incomplete fix for CVE-2012-3544
  • BZ - 1069919 - CVE-2014-0033 tomcat: session fixation still possible with disableURLRewriting enabled
  • BZ - 1069921 - CVE-2013-4286 tomcat: multiple content-length header poisoning flaws

CVEs

  • CVE-2013-4286
  • CVE-2013-4322
  • CVE-2014-0033
  • CVE-2014-0050

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 2 for RHEL 6

SRPM
tomcat6-6.0.37-27_patch_04.ep6.el6.src.rpm SHA-256: ac1242b3453334d8ba1c1ec9cc5feb80981ad45c02809bed37b0159a2cd26731
x86_64
tomcat6-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 7877ee6e5142a16c46888738b68d38ea1d5d54b96a0981e1b4943f8321427ddf
tomcat6-admin-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 030fb4a0f79ea2a2dfd28324177dbfceddb27e82534ccbe48ef2155ff90eab00
tomcat6-docs-webapp-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: d5d70240d0558e2a77c565635d29b534e24a5b29e6db6da588fad94709840c36
tomcat6-el-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 354a44d532377d308145e78e5c6697ee5079b53ee70603eda0ff23218fb27215
tomcat6-javadoc-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: db60c2602ee6efcbfbb72a49c552120257ff9cda00a12a0b8faaf8f20dd14a43
tomcat6-jsp-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: c25410e748bf7f9a4af7549767667d7d883776c40f6088454feb9095316f3266
tomcat6-lib-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 8311a8d20fd0372aa8521b1b74125eae28491256f5081ac64ead21419d1b786b
tomcat6-log4j-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 63d91f8818539acf1a20c58b242b9ea218d0f0e2942b13913e6a8a0e94e08008
tomcat6-servlet-2.5-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: d6ccf62626c1cbf26dbc1aa198e65a477d3cf66ecb55ac1a83fd39e1e12a01dc
tomcat6-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: bdacbe26e5659724c491b54de6fc2a65f0bcd567b8b9a39ed828db600d4584d7
i386
tomcat6-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 7877ee6e5142a16c46888738b68d38ea1d5d54b96a0981e1b4943f8321427ddf
tomcat6-admin-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 030fb4a0f79ea2a2dfd28324177dbfceddb27e82534ccbe48ef2155ff90eab00
tomcat6-docs-webapp-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: d5d70240d0558e2a77c565635d29b534e24a5b29e6db6da588fad94709840c36
tomcat6-el-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 354a44d532377d308145e78e5c6697ee5079b53ee70603eda0ff23218fb27215
tomcat6-javadoc-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: db60c2602ee6efcbfbb72a49c552120257ff9cda00a12a0b8faaf8f20dd14a43
tomcat6-jsp-2.1-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: c25410e748bf7f9a4af7549767667d7d883776c40f6088454feb9095316f3266
tomcat6-lib-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 8311a8d20fd0372aa8521b1b74125eae28491256f5081ac64ead21419d1b786b
tomcat6-log4j-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: 63d91f8818539acf1a20c58b242b9ea218d0f0e2942b13913e6a8a0e94e08008
tomcat6-servlet-2.5-api-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: d6ccf62626c1cbf26dbc1aa198e65a477d3cf66ecb55ac1a83fd39e1e12a01dc
tomcat6-webapps-6.0.37-27_patch_04.ep6.el6.noarch.rpm SHA-256: bdacbe26e5659724c491b54de6fc2a65f0bcd567b8b9a39ed828db600d4584d7

JBoss Enterprise Web Server 2 for RHEL 5

SRPM
tomcat6-6.0.37-19_patch_04.ep6.el5.src.rpm SHA-256: c438e14fed258ad934391552cdd95a0143d72ab74163d46a4e612e57d7634ff5
x86_64
tomcat6-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: dc50e695b896f141e609ddae9186e3e3c6b8d9e97a6c142d4c4e0ef09dd10922
tomcat6-admin-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 1488f6146b43181ba2409892f6b22a0ae210922d5b6d3145affe5749d3842658
tomcat6-docs-webapp-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 7459816f987471c274c0b9ddf33e8c7e2a8fb36613fa5ff4c6fe66a0a6b589ea
tomcat6-el-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: def2e32dec30d3bfd34193adb089e662485b1c3d9053f9db8aec0e38a82d2e09
tomcat6-javadoc-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: f3cec691dce29466003ff0ebc6db74a94828edef19c1f42c92fffd2aae6bf00d
tomcat6-jsp-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 10a31e5f0ef7264a5fa9e1a2a481e5a3b3a830dc32ef90e10288e3016412622d
tomcat6-lib-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: ddbe3a3f2a60ab32525f6915fbf30b4cce3b12d19c200831266a621d2e4020df
tomcat6-log4j-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: d6b0d7e79a71b940f41816f079d5a640eaadfebb3ff96439ec029fe32a72b6f6
tomcat6-servlet-2.5-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: fffcf09725805f3767b0656c73cf30cf99f53d2cb8dbb55ef35b9f6e6ac771ea
tomcat6-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 1dbbc4185024cc84845669c0fccdde0b0e95f1df16588b66195fd2e45e92f8fd
i386
tomcat6-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: dc50e695b896f141e609ddae9186e3e3c6b8d9e97a6c142d4c4e0ef09dd10922
tomcat6-admin-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 1488f6146b43181ba2409892f6b22a0ae210922d5b6d3145affe5749d3842658
tomcat6-docs-webapp-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 7459816f987471c274c0b9ddf33e8c7e2a8fb36613fa5ff4c6fe66a0a6b589ea
tomcat6-el-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: def2e32dec30d3bfd34193adb089e662485b1c3d9053f9db8aec0e38a82d2e09
tomcat6-javadoc-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: f3cec691dce29466003ff0ebc6db74a94828edef19c1f42c92fffd2aae6bf00d
tomcat6-jsp-2.1-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 10a31e5f0ef7264a5fa9e1a2a481e5a3b3a830dc32ef90e10288e3016412622d
tomcat6-lib-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: ddbe3a3f2a60ab32525f6915fbf30b4cce3b12d19c200831266a621d2e4020df
tomcat6-log4j-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: d6b0d7e79a71b940f41816f079d5a640eaadfebb3ff96439ec029fe32a72b6f6
tomcat6-servlet-2.5-api-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: fffcf09725805f3767b0656c73cf30cf99f53d2cb8dbb55ef35b9f6e6ac771ea
tomcat6-webapps-6.0.37-19_patch_04.ep6.el5.noarch.rpm SHA-256: 1dbbc4185024cc84845669c0fccdde0b0e95f1df16588b66195fd2e45e92f8fd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter