Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Security Measurement
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Insights
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2014:0835 - Security Advisory
Issued:
2014-07-03
Updated:
2014-07-03

RHSA-2014:0835 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated tomcat7 packages that fix three security issues are now available
for Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

It was discovered that Apache Tomcat did not limit the length of chunk
sizes when using chunked transfer encoding. A remote attacker could use
this flaw to perform a denial of service attack against Tomcat by streaming
an unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)

It was found that Apache Tomcat did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a Tomcat server located
behind a reverse proxy that processed the content length header correctly.
(CVE-2014-0099)

It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in Apache Tomcat allowed the definition of XML External
Entities (XXEs) in provided XSLTs. A malicious application could use this
to circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)

The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.

All users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these
updated tomcat7 packages, which contain backported patches to correct these
issues. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • JBoss Enterprise Web Server 2 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 6 i386
  • JBoss Enterprise Web Server 2 for RHEL 5 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 5 i386

Fixes

  • BZ - 1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
  • BZ - 1088342 - CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
  • BZ - 1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header

CVEs

  • CVE-2014-0075
  • CVE-2014-0096
  • CVE-2014-0099

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 2 for RHEL 6

SRPM
tomcat7-7.0.40-11_patch_03.ep6.el6.src.rpm SHA-256: 6ae3e4b8e04ecd61bda81532d917fde0465a791e1dbff5765c585b7292b8c87a
x86_64
tomcat7-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: ce8d01c404d7c363af66ae1c8a10f96f5267a88f335dde256e1ffed0a6414496
tomcat7-admin-webapps-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: d6f2ab059f43965239e53e2a7eae7043c9b0247f26e232ca261db55a23937fcb
tomcat7-docs-webapp-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 9c09b2b7ed755c91fc98cd2c558ba7fcd8dbf67bfce1710e2380e017143223d5
tomcat7-el-2.2-api-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: bbf9e52f3f5bcdca70d65817a47252a801a745cc4ab78ffdc97cc3a117020b2f
tomcat7-javadoc-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 7c10c5f648abc22b1133e40ff827dee49361b202947ee5748ba3c99f23483656
tomcat7-jsp-2.2-api-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 2d474e51fbb6d115d267bf78f83fc73d49d165e5ac8d2cf840f3a93f6a348ee6
tomcat7-lib-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 8d794f1982532dfc4095b8a385acef290060ebcfb736f7501ea209c0ad691e63
tomcat7-log4j-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 9c5090c3c90b20127458747b1bad0657e520db9c0d61ff0427b2529287eca87c
tomcat7-servlet-3.0-api-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: f8af2c1fe4737fdc5a5b14cd123d3add445ced44da5a5f1f4ca933e40eb4d7ff
tomcat7-webapps-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: aa1ab13824b05c58c58a4b12918fca2763280d8b444a6d8febc76a7d7ac1a11a
i386
tomcat7-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: ce8d01c404d7c363af66ae1c8a10f96f5267a88f335dde256e1ffed0a6414496
tomcat7-admin-webapps-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: d6f2ab059f43965239e53e2a7eae7043c9b0247f26e232ca261db55a23937fcb
tomcat7-docs-webapp-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 9c09b2b7ed755c91fc98cd2c558ba7fcd8dbf67bfce1710e2380e017143223d5
tomcat7-el-2.2-api-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: bbf9e52f3f5bcdca70d65817a47252a801a745cc4ab78ffdc97cc3a117020b2f
tomcat7-javadoc-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 7c10c5f648abc22b1133e40ff827dee49361b202947ee5748ba3c99f23483656
tomcat7-jsp-2.2-api-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 2d474e51fbb6d115d267bf78f83fc73d49d165e5ac8d2cf840f3a93f6a348ee6
tomcat7-lib-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 8d794f1982532dfc4095b8a385acef290060ebcfb736f7501ea209c0ad691e63
tomcat7-log4j-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: 9c5090c3c90b20127458747b1bad0657e520db9c0d61ff0427b2529287eca87c
tomcat7-servlet-3.0-api-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: f8af2c1fe4737fdc5a5b14cd123d3add445ced44da5a5f1f4ca933e40eb4d7ff
tomcat7-webapps-7.0.40-11_patch_03.ep6.el6.noarch.rpm SHA-256: aa1ab13824b05c58c58a4b12918fca2763280d8b444a6d8febc76a7d7ac1a11a

JBoss Enterprise Web Server 2 for RHEL 5

SRPM
tomcat7-7.0.40-14_patch_03.ep6.el5.src.rpm SHA-256: 050bf3ac57c2597cb2175f767d0a98493775fe2fde96d9d14056652ca8cfc7aa
x86_64
tomcat7-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 4df7bac9ab3b7f4227d9270c4570628ff918c96fe875c6226eb8f87dc8fb7e20
tomcat7-admin-webapps-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: cf6448b74ca64bf8696075a36e8fb663f75fbcc320d72235f519a7e0cdd4cbc7
tomcat7-docs-webapp-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 5d238eb0595b4d685fa05818feb445e638624034ce759c089cb8cab9fe3950f8
tomcat7-el-2.2-api-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: a218297bc687f6944f4e765d9b75c9eeefb34c2818df5753425703dc44358ed5
tomcat7-javadoc-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: ef5149c6c13558cf39e75cd374fd417817452ef73fed2fa29b3e4475aa1a5489
tomcat7-jsp-2.2-api-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 4b59d1cf6db7ba701beb4c18d4f8edb8d3d81b5bdf84b45f56d7a551db92e222
tomcat7-lib-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: c3367ab0fd607345d8883c59bb7590e9d637573e1f18e565889f71d9cd3e6822
tomcat7-log4j-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 83c02cec791cd9c673ab0dbcc35f1889f078054c3e2ffd078c26ef049fbc287e
tomcat7-servlet-3.0-api-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 32d67251a07d3e19d1cfb737b177b44a26157fbf65967e74d411f5b141669346
tomcat7-webapps-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 204f68beffcc2b913339d4d0c1c196576e1cc32eb9770b99ded4271c7fe1b07c
i386
tomcat7-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 4df7bac9ab3b7f4227d9270c4570628ff918c96fe875c6226eb8f87dc8fb7e20
tomcat7-admin-webapps-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: cf6448b74ca64bf8696075a36e8fb663f75fbcc320d72235f519a7e0cdd4cbc7
tomcat7-docs-webapp-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 5d238eb0595b4d685fa05818feb445e638624034ce759c089cb8cab9fe3950f8
tomcat7-el-2.2-api-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: a218297bc687f6944f4e765d9b75c9eeefb34c2818df5753425703dc44358ed5
tomcat7-javadoc-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: ef5149c6c13558cf39e75cd374fd417817452ef73fed2fa29b3e4475aa1a5489
tomcat7-jsp-2.2-api-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 4b59d1cf6db7ba701beb4c18d4f8edb8d3d81b5bdf84b45f56d7a551db92e222
tomcat7-lib-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: c3367ab0fd607345d8883c59bb7590e9d637573e1f18e565889f71d9cd3e6822
tomcat7-log4j-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 83c02cec791cd9c673ab0dbcc35f1889f078054c3e2ffd078c26ef049fbc287e
tomcat7-servlet-3.0-api-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 32d67251a07d3e19d1cfb737b177b44a26157fbf65967e74d411f5b141669346
tomcat7-webapps-7.0.40-14_patch_03.ep6.el5.noarch.rpm SHA-256: 204f68beffcc2b913339d4d0c1c196576e1cc32eb9770b99ded4271c7fe1b07c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat LinkedIn YouTube Facebook X, formerly Twitter

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2025 Red Hat

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility