Search...

openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)

2014-06-13T00:00:00

ID OPENSUSE-2014-297.NASL
Type nessus
Reporter Tenable
Modified 2015-11-06T00:00:00

Description

This jakarta-commons-fileupload update fixes the follwoing security and non security issues :

bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).

Removed gcj part and deprecated macros.

Moved from jpackage-utils to javapackage-tools.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2014-297.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75324);
  script_version("$Revision: 1.3 $");
  script_cvs_date("$Date: 2015/11/06 14:51:23 $");

  script_cve_id("CVE-2014-0050");
  script_bugtraq_id(65400);

  script_name(english:"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)");
  script_summary(english:"Check for the openSUSE-2014-297 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This jakarta-commons-fileupload update fixes the follwoing security
and non security issues :

  - bnc#862781: Fixed buffer overflow and resulting DoS
    (CVE-2014-0050).

  - Removed gcj part and deprecated macros.

  - Moved from jpackage-utils to javapackage-tools."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=862781"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected jakarta-commons-fileupload packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);



flag = 0;

if ( rpm_check(release:"SUSE12.3", reference:"jakarta-commons-fileupload-1.1.1-114.8.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1") ) flag++;

if (flag)
{
  if (report_verbosity &gt; 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc");
}

JSON Vulners Source

Initial Source

{"published": "2014-06-13T00:00:00", "id": "OPENSUSE-2014-297.NASL", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [{"differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:01", "bulletin": {"enchantments": {}, "published": "2014-06-13T00:00:00", "id": "OPENSUSE-2014-297.NASL", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "cpe": [], "hash": "2a6c3f956f857bc1c2c792f0e8f73e381e0e476cf93188f871658f52dca7b9cf", "description": "This jakarta-commons-fileupload update fixes the follwoing security and non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.", "type": "nessus", "pluginID": "75324", "lastseen": "2016-09-26T17:23:01", "edition": 1, "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75324", "modified": "2015-11-06T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2014-0050"], "references": ["https://bugzilla.novell.com/show_bug.cgi?id=862781", "http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"], "naslFamily": "SuSE Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-297.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75324);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n\n script_name(english:\"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)\");\n script_summary(english:\"Check for the openSUSE-2014-297 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This jakarta-commons-fileupload update fixes the follwoing security\nand non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS\n (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jakarta-commons-fileupload packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-1.1.1-114.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc\");\n}\n", "hashmap": [{"hash": "411b0fa39bff23a941ddefc879e1846b", "key": "pluginID"}, {"hash": "27983007c4745c615e545aa1502257bb", "key": "title"}, {"hash": "77dbfcbe2b53e0253f64899bb47222b6", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8d995ded238241a139db6901b8f16498", "key": "sourceData"}, {"hash": "4f7c0531be36b3474059231480deefc2", "key": "references"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "0e00f0441018f43ad22bef615ff4cfd5", "key": "href"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "8ecec58654ba061c199813977f60e3e1", "key": "modified"}, {"hash": "77a0b738c0c41ebcffc70090b07ebffa", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "objectVersion": "1.2"}}], "description": "This jakarta-commons-fileupload update fixes the follwoing security and non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.", "hash": "972cb68def654cd558975c9b0b154474add739cf3a24cdcb063dca9fa6cd4438", "enchantments": {"vulnersScore": 7.5}, "type": "nessus", "pluginID": "75324", "lastseen": "2017-10-29T13:32:49", "edition": 2, "cpe": ["cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload", "p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc"], "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75324", "modified": "2015-11-06T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2014-0050"], "references": ["https://bugzilla.novell.com/show_bug.cgi?id=862781", "http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html"], "naslFamily": "SuSE Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-297.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75324);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/11/06 14:51:23 $\");\n\n script_cve_id(\"CVE-2014-0050\");\n script_bugtraq_id(65400);\n\n script_name(english:\"openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)\");\n script_summary(english:\"Check for the openSUSE-2014-297 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This jakarta-commons-fileupload update fixes the follwoing security\nand non security issues :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS\n (CVE-2014-0050).\n\n - Removed gcj part and deprecated macros.\n\n - Moved from jpackage-utils to javapackage-tools.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-04/msg00041.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=862781\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jakarta-commons-fileupload packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:jakarta-commons-fileupload-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-1.1.1-114.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"jakarta-commons-fileupload-javadoc-1.1.1-114.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jakarta-commons-fileupload / jakarta-commons-fileupload-javadoc\");\n}\n", "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "4ff0bdc59ab80841f6d5ce8ed24c1eb3", "key": "cpe"}, {"hash": "77a0b738c0c41ebcffc70090b07ebffa", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "77dbfcbe2b53e0253f64899bb47222b6", "key": "description"}, {"hash": "0e00f0441018f43ad22bef615ff4cfd5", "key": "href"}, {"hash": "8ecec58654ba061c199813977f60e3e1", "key": "modified"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "411b0fa39bff23a941ddefc879e1846b", "key": "pluginID"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "4f7c0531be36b3474059231480deefc2", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8d995ded238241a139db6901b8f16498", "key": "sourceData"}, {"hash": "27983007c4745c615e545aa1502257bb", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "objectVersion": "1.3"}

{"result": {"cve": [{"id": "CVE-2014-0050", "type": "cve", "title": "CVE-2014-0050", "description": "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.", "published": "2014-04-01T02:27:51", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-12-16T11:24:36"}], "f5": [{"id": "F5:K15189", "type": "f5", "title": "Apache Commons FileUpload vulnerability CVE-2014-0050", "description": "\nF5 Product Development has assigned ID 452318 (BIG-IP) and ID 452803 (Enterprise Manager) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H455619 on the **Diagnostics **> **Identified **> **High **screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP AAM| 11.4.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10| Configuration utility \nBIG-IP AFM| 11.3.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10| Configuration utility \nBIG-IP Analytics| 11.0.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP APM| 11.0.0 - 11.5.4 \n10.1.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP ASM| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| 11.2.1 HF16| Configuration utility \nBIG-IP GTM| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP Link Controller| 11.0.0 - 11.5.4 \n10.0.0 - 10.2.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP PEM| 11.3.0 - 11.5.4| 12.1.0 \n12.0.0 \n11.6.1 \n11.6.0 \n11.5.4 HF2 \n11.4.1 HF10| Configuration utility \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| 11.4.1 HF10 \n11.2.1 HF16| Configuration utility \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| 11.2.1 HF16| Configuration utility \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| 11.2.1 HF16| Configuration utility \nARX| None| 6.0.0 - 6.4.0| None \nEnterprise Manager| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| None| Configuration utility \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| None\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit access to the Configuration utility only over a secure network.\n\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2014-04-19T00:53:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K15189", "cvelist": ["CVE-2014-0050"], "lastseen": "2018-02-06T03:06:47"}, {"id": "SOL15189", "type": "f5", "title": "SOL15189 - Apache Commons FileUpload vulnerability CVE-2014-0050", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit access to the Configuration utility only over a secure network.\n\nSupplemental Information\n\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2014-04-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15189.html", "cvelist": ["CVE-2014-0050"], "lastseen": "2016-09-26T17:22:52"}], "atlassian": [{"id": "ATLASSIAN:CONF-32557", "type": "atlassian", "title": "Security vulnerability in apache commons fileupload", "description": "Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library.", "published": "2014-02-10T05:56:15", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://jira.atlassian.com/browse/CONF-32557", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-03-22T18:16:53"}, {"id": "ATLASSIAN:CONFSERVER-32557", "type": "atlassian", "title": "Security vulnerability in apache commons fileupload", "description": "Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library.", "published": "2014-02-10T05:56:15", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://jira.atlassian.com/browse/CONFSERVER-32557", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-16T08:56:53"}], "redhat": [{"id": "RHSA-2014:0253", "type": "redhat", "title": "(RHSA-2014:0253) Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA denial of service flaw was found in the way Apache Commons FileUpload,\nwhich is embedded in the JBoss Web component of JBoss EAP, handled\nsmall-sized buffers used by MultipartStream. A remote attacker could use\nthis flaw to create a malformed Content-Type header for a multipart\nrequest, causing JBoss Web to enter an infinite loop when processing such\nan incoming request. (CVE-2014-0050)\n\nWarning: Before applying this update, back up your existing Red Hat JBoss\nEnterprise Application Platform installation and deployed applications.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.2.1 on Red Hat\nEnterprise Linux 5 and 6 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.\n", "published": "2014-03-05T05:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0253", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-03-03T11:18:29"}, {"id": "RHSA-2014:0525", "type": "redhat", "title": "(RHSA-2014:0525) Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nIt was found that previous fixes in Tomcat 6 to path parameter handling\nintroduced a regression that caused Tomcat to not properly disable URL\nrewriting to track session IDs when the disableURLRewriting option was\nenabled. A man-in-the-middle attacker could potentially use this flaw to\nhijack a user's session. (CVE-2014-0033)\n\nA denial of service flaw was found in the way Apache Commons FileUpload,\nwhich is embedded in Tomcat, handled small-sized buffers used by\nMultipartStream. A remote attacker could use this flaw to create a\nmalformed Content-Type header for a multipart request, causing Tomcat to\nenter an infinite loop when processing such an incoming request.\n(CVE-2014-0050)\n\nAll users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these\nupdated tomcat6 packages, which contain backported patches to correct these\nissues. The Red Hat JBoss Web Server process must be restarted for the\nupdate to take effect.", "published": "2014-05-21T19:09:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0525", "cvelist": ["CVE-2012-3544", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286", "CVE-2014-0033"], "lastseen": "2017-03-31T19:19:54"}, {"id": "RHSA-2014:0526", "type": "redhat", "title": "(RHSA-2014:0526) Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nA denial of service flaw was found in the way Apache Commons FileUpload,\nwhich is embedded in Tomcat, handled small-sized buffers used by\nMultipartStream. A remote attacker could use this flaw to create a\nmalformed Content-Type header for a multipart request, causing Tomcat to\nenter an infinite loop when processing such an incoming request.\n(CVE-2014-0050)\n\nAll users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these\nupdated tomcat7 packages, which contain backported patches to correct these\nissues. The Red Hat JBoss Web Server process must be restarted for the\nupdate to take effect.", "published": "2014-05-21T19:09:06", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0526", "cvelist": ["CVE-2012-3544", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "lastseen": "2017-03-31T19:19:39"}, {"id": "RHSA-2014:0429", "type": "redhat", "title": "(RHSA-2014:0429) Moderate: tomcat6 security update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing JBoss Web to enter an infinite loop when\nprocessing such an incoming request. (CVE-2014-0050)\n\nAll Tomcat users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n", "published": "2014-04-23T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0429", "cvelist": ["CVE-2012-3544", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "lastseen": "2017-03-07T03:19:12"}, {"id": "RHSA-2014:0865", "type": "redhat", "title": "(RHSA-2014:0865) Moderate: tomcat6 security and bug fix update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was discovered that Apache Tomcat did not limit the length of chunk\nsizes when using chunked transfer encoding. A remote attacker could use\nthis flaw to perform a denial of service attack against Tomcat by streaming\nan unlimited quantity of data, leading to excessive consumption of server\nresources. (CVE-2014-0075)\n\nIt was found that Apache Tomcat did not check for overflowing values when\nparsing request content length headers. A remote attacker could use this\nflaw to perform an HTTP request smuggling attack on a Tomcat server located\nbehind a reverse proxy that processed the content length header correctly.\n(CVE-2014-0099)\n\nIt was found that the org.apache.catalina.servlets.DefaultServlet\nimplementation in Apache Tomcat allowed the definition of XML External\nEntities (XXEs) in provided XSLTs. A malicious application could use this\nto circumvent intended security restrictions to disclose sensitive\ninformation. (CVE-2014-0096)\n\nThe CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product\nSecurity.\n\nThis update also fixes the following bugs:\n\n* The patch that resolved the CVE-2014-0050 issue contained redundant code.\nThis update removes the redundant code. (BZ#1094528)\n\n* The patch that resolved the CVE-2013-4322 issue contained an invalid\ncheck that triggered a java.io.EOFException while reading trailer headers\nfor chunked requests. This update fixes the check and the aforementioned\nexception is no longer triggered in the described scenario. (BZ#1095602)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n", "published": "2014-07-09T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0865", "cvelist": ["CVE-2014-0099", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-0096", "CVE-2014-0075"], "lastseen": "2017-03-06T21:18:50"}], "nessus": [{"id": "OPENSUSE-2014-298.NASL", "type": "nessus", "title": "openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0527-1)", "description": "This jakarta-commons-fileupload update fixes the follwoing security issue :\n\n - bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).", "published": "2014-06-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75325", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:39:15"}, {"id": "VMWARE_ORCHESTRATOR_VMSA_2014_0007.NASL", "type": "nessus", "title": "VMware vCenter Orchestrator 5.5.x < 5.5.2 DoS (VMSA-2014-0007)", "description": "The version of VMware vCenter Orchestrator installed on the remote host is 5.5.x prior to 5.5.2. It is, therefore, affected by a denial of service vulnerability due to an error that exists in the included Apache Tomcat version related to handling 'Content-Type' HTTP headers and multipart requests.", "published": "2014-10-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=78671", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:32:56"}, {"id": "REDHAT-RHSA-2014-0253.NASL", "type": "nessus", "title": "RHEL 5 / 6 : JBoss EAP (RHSA-2014:0253)", "description": "Updated Red Hat JBoss Enterprise Application Platform 6.2.1 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nA denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in the JBoss Web component of JBoss EAP, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)\n\nWarning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.2.1 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "published": "2014-03-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=72853", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:34:53"}, {"id": "DEBIAN_DSA-2856.NASL", "type": "nessus", "title": "Debian DSA-2856-1 : libcommons-fileupload-java - denial of service", "description": "It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition.", "published": "2014-02-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=72401", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:36:53"}, {"id": "TOMCAT_8_0_3.NASL", "type": "nessus", "title": "Apache Tomcat 8.0.x < 8.0.3 Content-Type DoS", "description": "According to its self-reported version number, the instance of Apache Tomcat 8.0.x listening on the remote host is a version prior to 8.0.3.\nIt is, therefore, affected by a denial of service vulnerability due to an error related to handling 'Content-Type' HTTP headers and multipart requests such as file uploads.\n\nNote that this error exists because of the bundled version of Apache Commons FileUpload.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2014-02-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=72693", "cvelist": ["CVE-2014-0050"], "lastseen": "2018-01-24T11:00:21"}, {"id": "FEDORA_2014-2175.NASL", "type": "nessus", "title": "Fedora 20 : apache-commons-fileupload-1.3-5.fc20 (2014-2175)", "description": "This update fixes a denial of service vulnerability which could be triggered by specially crafted input if the buffer used by the MultipartSteeam was not big enough.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-02-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=72544", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:33:07"}, {"id": "F5_BIGIP_SOL15189.NASL", "type": "nessus", "title": "F5 Networks BIG-IP : Apache Commons FileUpload vulnerability (K15189)", "description": "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. (CVE-2014-0050)", "published": "2014-10-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=78165", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:46:06"}, {"id": "WEBSPHERE_PORTAL_CVE-2014-0050.NASL", "type": "nessus", "title": "IBM WebSphere Portal Apache Commons FileUpload DoS", "description": "The version of IBM WebSphere Portal on the remote host is affected by a denial of service vulnerability in the Apache Commons FileUpload library that allows an attacker to cause the application to enter an infinite loop.", "published": "2014-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74293", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:45:24"}, {"id": "SUSE_11_JAKARTA-COMMONS-FILEUPLOAD-140403.NASL", "type": "nessus", "title": "SuSE 11.3 Security Update : jakarta-commons-fileupload (SAT Patch Number 9087)", "description": "This update fixes a security issue with jakarta-commons-fileupload :\n\n - denial of service due to too-small buffer size used (CVE-2014-0050). (bnc#862781)", "published": "2014-04-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=73609", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:43:57"}, {"id": "MANDRIVA_MDVSA-2014-056.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : apache-commons-fileupload (MDVSA-2014:056)", "description": "Updated apache-commons-fileupload packages fix security vulnerability :\n\nIt was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050).\n\nTomcat 7 includes an embedded copy of the Apache Commons FileUpload package, and was affected as well.\n\nAdditionally a build problem with maven was discovered, fixed maven packages is also being provided with this advisory.", "published": "2014-03-14T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=73003", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-10-29T13:39:43"}], "amazon": [{"id": "ALAS-2014-312", "type": "amazon", "title": "Medium: tomcat7", "description": "**Issue Overview:**\n\nMultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. \n\n \n**Affected Packages:** \n\n\ntomcat7\n\n \n**Issue Correction:** \nRun _yum update tomcat7_ to update your system. \n\n \n**New Packages:**\n \n \n noarch: \n tomcat7-docs-webapp-7.0.47-1.38.amzn1.noarch \n tomcat7-7.0.47-1.38.amzn1.noarch \n tomcat7-lib-7.0.47-1.38.amzn1.noarch \n tomcat7-webapps-7.0.47-1.38.amzn1.noarch \n tomcat7-el-2.2-api-7.0.47-1.38.amzn1.noarch \n tomcat7-javadoc-7.0.47-1.38.amzn1.noarch \n tomcat7-jsp-2.2-api-7.0.47-1.38.amzn1.noarch \n tomcat7-admin-webapps-7.0.47-1.38.amzn1.noarch \n tomcat7-servlet-3.0-api-7.0.47-1.38.amzn1.noarch \n \n src: \n tomcat7-7.0.47-1.38.amzn1.src \n \n \n", "published": "2014-03-24T23:36:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-312.html", "cvelist": ["CVE-2014-0050"], "lastseen": "2016-09-28T21:04:13"}, {"id": "ALAS-2014-344", "type": "amazon", "title": "Medium: tomcat6", "description": "**Issue Overview:**\n\nIt was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. ([CVE-2013-4286 __](<https://access.redhat.com/security/cve/CVE-2013-4286>))\n\nIt was discovered that the fix for [CVE-2012-3544 __](<https://access.redhat.com/security/cve/CVE-2012-3544>) did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. ([CVE-2013-4322 __](<https://access.redhat.com/security/cve/CVE-2013-4322>))\n\nA denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. ([CVE-2014-0050 __](<https://access.redhat.com/security/cve/CVE-2014-0050>))\n\n \n**Affected Packages:** \n\n\ntomcat6\n\n \n**Issue Correction:** \nRun _yum update tomcat6_ to update your system. \n\n \n**New Packages:**\n \n \n noarch: \n tomcat6-servlet-2.5-api-6.0.39-1.4.amzn1.noarch \n tomcat6-lib-6.0.39-1.4.amzn1.noarch \n tomcat6-webapps-6.0.39-1.4.amzn1.noarch \n tomcat6-admin-webapps-6.0.39-1.4.amzn1.noarch \n tomcat6-6.0.39-1.4.amzn1.noarch \n tomcat6-javadoc-6.0.39-1.4.amzn1.noarch \n tomcat6-docs-webapp-6.0.39-1.4.amzn1.noarch \n tomcat6-jsp-2.1-api-6.0.39-1.4.amzn1.noarch \n tomcat6-el-2.1-api-6.0.39-1.4.amzn1.noarch \n \n src: \n tomcat6-6.0.39-1.4.amzn1.src \n \n \n", "published": "2014-05-21T10:45:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-344.html", "cvelist": ["CVE-2012-3544", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "lastseen": "2016-09-28T21:04:04"}], "jvn": [{"id": "JVN:14876762", "type": "jvn", "title": "JVN#14876762: Apache Commons FileUpload vulnerable to denial-of-service (DoS)", "description": "\n ## Description\n\nApache Commons FileUpload provided by Apache Software Foundation contains an issue in processing a multi-part request, which may cause the process to be in an infinite loop. \n \nAs of 2014 February 12, an exploit tool to attack against this vulnerability has been confirmed.\n\n ## Impact\n\nProcessing a malformed request may cause the condition that the target system does not respond.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version that contains a fix fot this vulnerability: \n\n * [Apache Commons FileUpload 1.3.1](<http://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi>)\n * [Apache Tomcat 8.0.3](<http://www.apache.org/dist/tomcat/tomcat-8/v8.0.3/>)\n * [Apache Tomcat 7.0.52](<http://www.apache.org/dist/tomcat/tomcat-7/v7.0.52/>)\n * [Apache Struts 2.3.16.1](<http://struts.apache.org/download.cgi#struts23161>)\n**Apply the Patch** \nIn the developer's repository, the respective source code that contains a fix for this vulnerability has been released. \n\n * Apache Commons FileUpload: <http://svn.apache.org/r1565143>\n * Apache Tomcat 8: <http://svn.apache.org/r1565163>\n * Apache Tomcat 7: <http://svn.apache.org/r1565169>\n**Workaround** \nApplying the following workaround may mitigate the effect of this vulnerability. \n\n * Limit the Content-Type header size less than 4091 bytes\nFor more information, please refer to the developer's site. \n\n ## Products Affected\n\n * Commons FileUpload 1.0 to 1.3\n * Apache Tomcat 8.0.0-RC1 to 8.0.1\n * Apache Tomcat 7.0.0 to 7.0.50\n * Products that use Apache Commons FileUpload\nAccording to the developer, Apache Tomcat 6 and earlier are not affected. \n \nThe developer also states that Apache Commons FileUpload is widely used for multiple Apache products, therefore, multiple Apache products other than Apache Tomcat may be affected by this vulnerability. \nAccording to the developer, the following products may be affected. \n\n * Jenkins\n * JSPWiki\n * JXP\n * Lucene-Solr\n * onemind-commons\n * Spring\n * Stapler\n * Struts 1, 2\n * WSDL2c\n", "published": "2014-02-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://jvn.jp/en/jp/JVN14876762/index.html", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-03-23T17:09:40"}], "openvas": [{"id": "OPENVAS:1361412562310867519", "type": "openvas", "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2183", "description": "Check for the Version of apache-commons-fileupload", "published": "2014-02-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867519", "cvelist": ["CVE-2014-0050"], "lastseen": "2018-04-09T11:11:04"}, {"id": "OPENVAS:1361412562310804251", "type": "openvas", "title": "Apache Tomcat Content-Type Header Denial Of Service Vulnerability", "description": "This host is running Apache Tomcat and is prone to denial of service\n vulnerability.", "published": "2014-03-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804251", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-07-02T21:09:42"}, {"id": "OPENVAS:1361412562310702856", "type": "openvas", "title": "Debian Security Advisory DSA 2856-1 (libcommons-fileupload-java - denial of service)", "description": "It was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.", "published": "2014-02-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702856", "cvelist": ["CVE-2014-0050"], "lastseen": "2018-04-06T11:12:33"}, {"id": "OPENVAS:1361412562310850747", "type": "openvas", "title": "SuSE Update for jakarta-commons-fileupload SUSE-SU-2014:0548-1 (jakarta-commons-fileupload)", "description": "Check the version of jakarta-commons-fileupload", "published": "2015-10-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850747", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-12-12T11:15:38"}, {"id": "OPENVAS:1361412562310867523", "type": "openvas", "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2175", "description": "Check for the Version of apache-commons-fileupload", "published": "2014-02-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867523", "cvelist": ["CVE-2014-0050"], "lastseen": "2018-04-09T11:11:47"}, {"id": "OPENVAS:867519", "type": "openvas", "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2183", "description": "Check for the Version of apache-commons-fileupload", "published": "2014-02-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=867519", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-07-25T10:48:15"}, {"id": "OPENVAS:867523", "type": "openvas", "title": "Fedora Update for apache-commons-fileupload FEDORA-2014-2175", "description": "Check for the Version of apache-commons-fileupload", "published": "2014-02-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=867523", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-07-25T10:48:25"}, {"id": "OPENVAS:1361412562310120359", "type": "openvas", "title": "Amazon Linux Local Check: ALAS-2014-312", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120359", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-07-27T10:48:50"}, {"id": "OPENVAS:702856", "type": "openvas", "title": "Debian Security Advisory DSA 2856-1 (libcommons-fileupload-java - denial of service)", "description": "It was discovered that the Apache Commons FileUpload package for Java\ncould enter an infinite loop while processing a multipart request with\na crafted Content-Type, resulting in a denial-of-service condition.", "published": "2014-02-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=702856", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-07-26T08:48:50"}, {"id": "OPENVAS:1361412562310807039", "type": "openvas", "title": "Oracle Database Server Multiple Unspecified Vulnerabilities -07 Jan16", "description": "This host is running Oracle Database Server\n and is prone to multiple unspecified vulnerabilities.", "published": "2016-01-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807039", "cvelist": ["CVE-2014-0050", "CVE-2014-6483"], "lastseen": "2017-07-02T21:13:13"}], "exploitdb": [{"id": "EDB-ID:31615", "type": "exploitdb", "title": "Apache Commons FileUpload and Apache Tomcat - Denial-of-Service", "description": "Apache Commons FileUpload and Apache Tomcat - Denial-of-Service. CVE-2014-0050. Dos exploits for multiple platform", "published": "2014-02-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/31615/", "cvelist": ["CVE-2014-0050"], "lastseen": "2016-02-03T15:04:57"}], "suse": [{"id": "SUSE-SU-2014:0548-1", "type": "suse", "title": "Security update for jakarta-commons-fileupload (important)", "description": "This update fixes a security issue with\n jakarta-commons-fileupload:\n\n * bnc#862781: denial of service due to too-small buffer\n size used (CVE-2014-0050)\n", "published": "2014-04-17T21:04:15", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00015.html", "cvelist": ["CVE-2014-0050"], "lastseen": "2016-09-04T11:49:41"}], "seebug": [{"id": "SSV:84935", "type": "seebug", "title": "Apache Commons FileUpload and Apache Tomcat - Denial-of-Service", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-84935", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-11-19T16:36:25"}, {"id": "SSV:61443", "type": "seebug", "title": "Apache Commons FileUpload/Apache Tomcat\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "description": "BUGTRAQ ID: 65400\r\nCVE(CAN) ID: CVE-2014-0050\r\n\r\nApache Commons FileUpload\u8f6f\u4ef6\u5305\u53ef\u4ee5\u5411\u5c0f\u670d\u52a1\u7a0b\u5e8f\u548cWeb\u5e94\u7528\u6dfb\u52a0\u9ad8\u6027\u80fd\u7684\u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\u3002Apache Tomcat\u662f\u4e00\u4e2a\u6d41\u884c\u7684\u5f00\u653e\u6e90\u7801\u7684JSP\u5e94\u7528\u670d\u52a1\u5668\u7a0b\u5e8f\u3002\r\n\r\nApache\u5171\u4eab\u6587\u4ef6\u4e0a\u4f20\u5b58\u5728\u89e3\u6790\u7578\u5f62\u7684Content-Type\u5934\u65f6\u5b58\u5728\u6f0f\u6d1e\uff0c\u4f7f\u7528\u7279\u5236\u7684\u8bf7\u6c42\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u4f7f\u7a0b\u5e8f\u5d29\u6e83\u3002\n0\nCommons FileUpload 1.0-1.3\r\nApache Tomcat 8.0.0-RC1-8.0.1\r\nApache Tomcat 7.0.0-7.0.50\r\nApache Tomcat 6\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nApache\r\n-----\r\n\u5347\u7ea7\u5230Commons FileUpload 1.3.1, \u6216\u8005Tomcat 8.0.2, 7.0.51\u53ca\u66f4\u9ad8\u7248\u672c\u4fee\u590d\u6b64\u6f0f\u6d1e\uff1a\r\n\r\nhttp://commons.apache.org/", "published": "2014-02-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-61443", "cvelist": ["CVE-2014-0050"], "lastseen": "2017-11-19T17:35:36"}], "metasploit": [{"id": "MSF:AUXILIARY/DOS/HTTP/APACHE_COMMONS_FILEUPLOAD_DOS", "type": "metasploit", "title": "Apache Commons FileUpload and Apache Tomcat DoS", "description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0 through 1.3 via a specially crafted Content-Type header. Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50 and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also uses Commons FileUpload as part of the Manager application.", "published": "2014-02-22T13:56:59", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2014-0050"], "lastseen": "2018-04-23T14:38:49"}], "zdt": [{"id": "1337DAY-ID-21887", "type": "zdt", "title": "Apache Commons FileUpload and Apache Tomcat Denial of Service", "description": "Exploit for multiple platform in category dos / poc", "published": "2014-02-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/21887", "cvelist": ["CVE-2014-0050"], "lastseen": "2018-01-04T07:03:17"}], "debian": [{"id": "DSA-2856", "type": "debian", "title": "libcommons-fileupload-java -- denial of service", "description": "It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 1.2.2-1+deb6u2.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1.2.2-1+deb7u2.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1.3.1-1.\n\nWe recommend that you upgrade your libcommons-fileupload-java packages.", "published": "2014-02-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2856", "cvelist": ["CVE-2014-0050"], "lastseen": "2016-09-02T18:20:33"}, {"id": "DSA-2897", "type": "debian", "title": "tomcat7 -- security update", "description": "Multiple security issues were found in the Tomcat servlet and JSP engine:\n\n * [CVE-2013-2067](<https://security-tracker.debian.org/tracker/CVE-2013-2067>)\n\nFORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.\n\n * [CVE-2013-2071](<https://security-tracker.debian.org/tracker/CVE-2013-2071>)\n\nA runtime exception in AsyncListener.onComplete() prevents the request from being recycled. This may expose elements of a previous request to a current request.\n\n * [CVE-2013-4286](<https://security-tracker.debian.org/tracker/CVE-2013-4286>)\n\nReject requests with multiple content-length headers or with a content-length header when chunked encoding is being used.\n\n * [CVE-2013-4322](<https://security-tracker.debian.org/tracker/CVE-2013-4322>)\n\nWhen processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited denial of service by streaming an unlimited amount of data to the server.\n\n * [CVE-2014-0050](<https://security-tracker.debian.org/tracker/CVE-2014-0050>)\n\nMultipart requests with a malformed Content-Type header could trigger an infinite loop causing a denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 7.0.28-4+deb7u1.\n\nFor the testing distribution (jessie), these problems have been fixed in version 7.0.52-1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 7.0.52-1.\n\nWe recommend that you upgrade your tomcat7 packages.", "published": "2014-04-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2897", "cvelist": ["CVE-2013-2071", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-2067", "CVE-2013-4286"], "lastseen": "2016-09-02T18:28:05"}], "oraclelinux": [{"id": "ELSA-2014-0429", "type": "oraclelinux", "title": "tomcat6 security update", "description": "[0:6.0.24-64]\n- Resolves: CVE-2014-0050\n[0:6.0.24-63]\n- Resolves: CVE-2013-4322 CVE-2013-4286", "published": "2014-04-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0429.html", "cvelist": ["CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "lastseen": "2016-09-04T11:16:52"}, {"id": "ELSA-2014-0686", "type": "oraclelinux", "title": "tomcat security update", "description": "[0:7.0.42-5]\n- Related: CVE-2013-4286\n- Related: CVE-2013-4322\n- Related: CVE-2014-0050\n- revisit patches for above.", "published": "2014-07-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0686.html", "cvelist": ["CVE-2014-0186", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "lastseen": "2016-09-04T11:16:07"}, {"id": "ELSA-2014-0865", "type": "oraclelinux", "title": "tomcat6 security and bug fix update", "description": "[0:6.0.24-72]\n- Related: CVE-2014-0075 - rebuild to generate javadoc\n- correctly. previous build generated 0-length javadoc\n[0:6.0.24-69]\n- Related: CVE-2014-0075 incomplete\n[0:6.0.24-68]\n- Related: CVE-2013-4322. arches needs to be specified\n- as in arches noarch, so docs/webapps will produce\n- full files. building for ppc will generate empty\n- javadoc.\n[0:6.0.24-67]\n- Related: CVE-2014-0050\n- Related: CVE-2013-4322\n[0:6.0.24-66]\n- Resolves: CVE-2014-0099\n- Resolves: CVE-2014-0096\n- Resolves: CVE-2014-0075\n[0:6.0.24-65]\n- Related: CVE-2014-0050 copy paste error", "published": "2014-07-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0865.html", "cvelist": ["CVE-2014-0099", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-0096", "CVE-2014-0075"], "lastseen": "2016-09-04T11:17:06"}, {"id": "ELSA-2017-2247", "type": "oraclelinux", "title": "tomcat security, bug fix, and enhancement update", "description": "[0:7.0.76-2]\n- Resolves: rhbz#1459747 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism\n- Resolves: rhbz#1441481 CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used\n[0:7.0.76-1]\n- Resolves: rhbz#1414895 Rebase tomcat to the current release\n[0:7.0.69-10]\n- Related: rhbz#1368122\n[0:7.0.69-9]\n- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header\n- Resolves: rhbz#1368122\n[0:7.0.69-7]\n- Resolves: rhbz#1362545\n[0:7.0.69-6]\n- Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service\n[0:7.0.69-5]\n- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully\n[0:7.0.69-4]\n- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service\n[0:7.0.69-3]\n- Resolves: rhbz#1347774 The security manager doesn't work correctly (JSPs cannot be compiled)\n[0:7.0.69-2]\n- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat\n- Rebase Resolves: rhbz#1320853 Add HSTS support\n- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions\n- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet\n- Rebase Resolves: rhbz#1347139 CVE-2015-5346 tomcat: Session fixation\n- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure\n- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue\n- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()\n- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms\n- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak\n[0:7.0.69-1]\n- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69\n- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out\n- Resolves: rhbz#1277197 tomcat user has non-existing default shell set\n- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7\n- Resolves: rhbz#1229476 Tomcat startup ONLY options\n- Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar\n- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit\n- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion\n- Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file\n[0:7.0.54-2]\n- Resolves: CVE-2014-0227\n[0:7.0.54-1]\n- Resolves: rhbz#1141372 - Remove systemv artifacts. Add new systemd\n- artifacts. Rebase on 7.0.54.\n[0:7.0.43-6]\n- Resolves: CVE-2014-0099\n- Resolves: CVE-2014-0096\n- Resolves: CVE-2014-0075\n[0:7.0.42-5]\n- Related: CVE-2013-4286\n- Related: CVE-2013-4322\n- Related: CVE-2014-0050\n- revisit patches for above.\n[0:7.0.42-4]\n- Related: rhbz#1056696 correct packaging for sbin tomcat\n[0:7.0.42-3]\n- Related: CVE-2013-4286. increment build number. missed doing\n- it.\n- Resolves: rhbz#1038183 remove BR for ant-nodeps. it's\n- no long used.\n[0:7.0.42-2]\n- Resolves: rhbz#1056673 Invocation of useradd with shell\n- other than sbin nologin\n- Resolves: rhbz#1056677 preun systemv scriptlet unconditionally\n- stops service\n- Resolves: rhbz#1056696 init.d tomcat does not conform to RHEL7\n- systemd rules. systemv subpackage is removed.\n- Resolves: CVE-2013-4286\n- Resolves: CVE-2013-4322\n- Resolves: CVE-2014-0050\n- Built for rhel-7 RC\n[0:7.0.42-1]\n- Resolves: rhbz#1051657 update to 7.0.42. Ant-nodeps is\n- deprecated.\n[07.0.40-3]\n- Mass rebuild 2013-12-27\n[0:7.0.40-1]\n- Updated to 7.0.40\n- Resolves: rhbz 956569 added missing commons-pool link\n[0:7.0.37-2]\n- Add depmaps for org.eclipse.jetty.orbit\n- Resolves: rhbz#917626\n[0:7.0.39-1]\n- Updated to 7.0.39\n[0:7.0.37-1]\n- Updated to 7.0.37\n[0:7.0.35-1]\n- Updated to 7.0.35\n- systemd SuccessExitStatus=143 for proper stop exit code processing\n[0:7.0.34-1]\n- Updated to 7.0.34\n- ecj >= 4.2.1 now required\n- Resolves: rhbz 889395 concat classpath correctly; chdir to \n[0:7.0.33-2]\n- Resolves: rhbz 883806 refix logdir ownership\n[0:7.0.33-1]\n- Updated to 7.0.33\n- Resolves: rhbz 873620 need chkconfig for update-alternatives\n[0:7.0.32-1]\n- Updated to 7.0.32\n- Resolves: rhbz 842620 symlinks to taglibs\n[0:7.0.29-1]\n- Updated to 7.0.29\n- Add pidfile as tmpfile\n- Use systemd for running as unprivileged user\n- Resolves: rhbz 847751 upgrade path was broken\n- Resolves: rhbz 850343 use new systemd-rpm macros\n[0:7.0.28-2]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild\n[0:7.0.28-1]\n- Updated to 7.0.28\n- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp\n- Resolves: rhbz 814900 Added tomcat-coyote POM\n- Resolves: rhbz 810775 Remove systemv stuff from %post scriptlet\n- Remove redhat-lsb R\n[0:7.0.27-2]\n- Fixed native download hack\n[0:7.0.27-1]\n- Updated to 7.0.27\n- Fixed jakarta-taglibs-standard BR and R\n[0:7.0.26-2]\n- Add more depmaps to J2EE apis to help jetty/glassfish updates\n[0:7.0.26-2]\n- Added the POM files for tomcat-api and tomcat-util (#803495)\n[0:7.0.26-1]\n- Updated to 7.0.26\n- Bug 790334: Change ownership of logdir for logrotate\n[0:7.0.25-4]\n- Bug 790694: Priorities of jsp, servlet and el packages updated.\n[0:7.0.25-3]\n- Dropped indirect dependecy to tomcat 5\n[0:7.0.25-2]\n- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly\n[0:7.0.25-1]\n- Updated to 7.0.25\n- Removed EntityResolver patch (changes already in upstream sources)\n- Place poms and depmaps in the same package as jars\n- Added javax.servlet.descriptor to export-package of servlet-api\n- Move several chkconfig actions and reqs to systemv subpackage\n- New maven depmaps generation method\n- Add patch to support java7. (patch sent upstream).\n- Require java >= 1:1.6.0\n[0:7.0.23-5]\n- Exported javax.servlet.* packages in version 3.0 as 2.6 to make\n servlet-api compatible with Eclipse.\n[0:7.0.23-4]\n- Move jsvc support to subpackage\n[0:7.0.23-2]\n- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).\n[0:7.0.23-3]\n- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for\n starting tomcat with jsvc, which allows tomcat to perform some\n privileged operations (e.g. bind to a port < 1024) and then switch\n identity to a non-privileged user. Must add USE_JSVC='true' to\n /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.\n[0:7.0.23-1]\n- Updated to 7.0.23\n[0:7.0.22-2]\n- Move tomcat-juli.jar to lib package\n- Drop %update_maven_depmap as in tomcat6\n- Provide native systemd unit file ported from tomcat6\n[0:7.0.22-1]\n- Updated to 7.0.22\n[0:7.0.21-3.1]\n- rebuild (java), rel-eng#4932\n[0:7.0.21-3]\n- Fix basedir mode\n[0:7.0.21-2]\n- Add manifests for el-api, jasper-el, jasper, tomcat, and tomcat-juli.\n[0:7.0.21-1]\n- Updated to 7.0.21\n[0:7.0.20-3]\n- Require java = 1:1.6.0\n[0:7.0.20-2]\n- Require java < 1.7.0\n[0:7.0.20-1]\n- Updated to 7.0.20\n[0:7.0.19-1]\n- Updated to 7.0.19\n[0:7.0.16-1]\n- Updated to 7.0.16\n[0:7.0.14-3]\n- Added initial systemd service\n- Fix some paths\n[0:7.0.14-2]\n- Fixed http source link\n- Securify some permissions\n- Added licenses for el-api and servlet-api\n- Added dependency on jpackage-utils for the javadoc subpackage\n[0:7.0.14-1]\n- Updated to 7.0.14\n[0:7.0.12-4]\n- Provided local paths for libs\n- Fixed dependencies\n- Fixed update temp/work cleanup\n[0:7.0.12-3]\n- Fixed package groups\n- Fixed some permissions\n- Fixed some links\n- Removed old tomcat6 crap\n[0:7.0.12-2]\n- Package now named just tomcat instead of tomcat7\n- Removed Provides: tomcat-log4j\n- Switched to apache-commons-* names instead of jakarta-commons-* .\n- Remove the old changelog\n- BR/R java >= 1:1.6.0 , same for java-devel\n- Removed old tomcat6 crap\n[0:7.0.12-1]\n- Tomcat7", "published": "2017-08-07T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-2247.html", "cvelist": ["CVE-2015-5351", "CVE-2016-6796", "CVE-2014-0227", "CVE-2016-0714", "CVE-2016-3092", "CVE-2015-5345", "CVE-2016-0762", "CVE-2016-0763", "CVE-2014-0099", "CVE-2017-5647", "CVE-2013-4322", "CVE-2014-0050", "CVE-2015-5346", "CVE-2013-4286", "CVE-2015-5174", "CVE-2016-5018", "CVE-2014-7810", "CVE-2016-0706", "CVE-2017-5664", "CVE-2014-0096", "CVE-2014-0075", "CVE-2016-6794", "CVE-2016-6797"], "lastseen": "2017-08-08T04:23:44"}], "huawei": [{"id": "HUAWEI-SA-20140707-01-STRUTS2", "type": "huawei", "title": "Security Advisory-Apache Struts2 vulnerability on Huawei multiple products", "description": "Some versions of Apache Struts2 software used in Huawei devices have security vulnerabilities. A patch released for the software to fix vulnerabilities CVE-2014-0050 and CVE-2014-0094 has the risk of being bypassed. (Vulnerability ID: HWPSIRT-2014-0420)\nThis Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-0116.", "published": "2014-07-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.huawei.com/en/psirt/security-advisories/2014/hw-350733", "cvelist": ["CVE-2014-0116", "CVE-2014-0050", "CVE-2014-0094"], "lastseen": "2016-09-05T13:35:23"}], "vmware": [{"id": "VMSA-2014-0007", "type": "vmware", "title": "VMware product updates address security vulnerabilities in Apache Struts library", "description": "The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues. \n \nCVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. \n \nCVE-2014-0050 may lead to a denial of service condition. \n \nvCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. \n \nvCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112. \n \nWorkaround \n \nA workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470. \n \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.\n", "published": "2014-06-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2014-0007.html", "cvelist": ["CVE-2014-0050", "CVE-2014-0094", "CVE-2014-0112"], "lastseen": "2016-09-04T11:19:32"}, {"id": "VMSA-2014-0008", "type": "vmware", "title": "VMware vSphere product updates to third party libraries", "description": "a. vCenter Server Apache Struts Update \n\n\nThe Apache Struts library is updated to address a security issue. \n \nThis issue may lead to remote code execution after authentication. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-0114 to this issue. \n \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.\n", "published": "2014-09-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2014-0008.html", "cvelist": ["CVE-2013-0242", "CVE-2014-0114", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-1914", "CVE-2013-4590"], "lastseen": "2016-09-04T11:19:31"}], "threatpost": [{"id": "VMWARE-PATCHES-APACHE-STRUTS-FLAWS-IN-VCOPS/106858", "type": "threatpost", "title": "VMware Patches Apache Struts Flaws in vCOPS", "description": "VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.\n\nAll of the vulnerabilities that the company [patched](<http://www.vmware.com/security/advisories/VMSA-2014-0007.html>) lie in the Apache Struts Java application framework, and the most serious of them is CVE-2014-0112, which allows an attacker to run arbitrary code.\n\n\u201cParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to \u201cmanipulate\u201d the ClassLoader and execute arbitrary code via a crafted request,\u201d the vulnerability [description](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0112>) says.\n\nApache [fixed](<https://struts.apache.org/announce.html>) the vulnerability in a new release of Struts back in April. The issue was created because of an incomplete patch for a previous vulnerability in Struts. The three Struts vulnerabilities all are addressed in the release of version 5.8.2 of VMware vCOPS, the company said.\n\nThe other two, less serious vulnerabilities fixed in the new version of vCOPS are CVE-2014-0050 and CVE-2014-0094. The first flaw is problem that could lead to a denial-of-service condition if exploited by a remote attacker.\n\n\u201cMultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop\u2019s intended exit conditions,\u201d the [advisory](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050>) says.\n\nCVE-2014-0094 is also remotely exploitable by an unauthenticated attacker, who could manipulate a component of Struts.\n\n\u201cThe ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \u201cmanipulate\u201d the ClassLoader via the class parameter, which is passed to the getClass method,\u201d the [advisory](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0094>) says.", "published": "2014-06-25T13:59:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://threatpost.com/vmware-patches-apache-struts-flaws-in-vcops/106858/", "cvelist": ["CVE-2014-0050", "CVE-2014-0094", "CVE-2014-0112"], "lastseen": "2016-09-04T20:51:54"}], "ubuntu": [{"id": "USN-2130-1", "type": "ubuntu", "title": "Tomcat vulnerabilities", "description": "It was discovered that Tomcat incorrectly handled certain inconsistent HTTP headers. A remote attacker could possibly use this flaw to conduct request smuggling attacks. (CVE-2013-4286)\n\nIt was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. (CVE-2013-4322)\n\nIt was discovered that Tomcat incorrectly applied the disableURLRewriting setting when handling a session id in a URL. A remote attacker could possibly use this flaw to conduct session fixation attacks. This issue only applied to Ubuntu 12.04 LTS. (CVE-2014-0033)\n\nIt was discovered that Tomcat incorrectly handled malformed Content-Type headers and multipart requests. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 12.10 and Ubuntu 13.10. (CVE-2014-0050)", "published": "2014-03-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/2130-1/", "cvelist": ["CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286", "CVE-2014-0033"], "lastseen": "2018-03-29T18:17:37"}], "centos": [{"id": "CESA-2014:0865", "type": "centos", "title": "tomcat6 security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0865\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was discovered that Apache Tomcat did not limit the length of chunk\nsizes when using chunked transfer encoding. A remote attacker could use\nthis flaw to perform a denial of service attack against Tomcat by streaming\nan unlimited quantity of data, leading to excessive consumption of server\nresources. (CVE-2014-0075)\n\nIt was found that Apache Tomcat did not check for overflowing values when\nparsing request content length headers. A remote attacker could use this\nflaw to perform an HTTP request smuggling attack on a Tomcat server located\nbehind a reverse proxy that processed the content length header correctly.\n(CVE-2014-0099)\n\nIt was found that the org.apache.catalina.servlets.DefaultServlet\nimplementation in Apache Tomcat allowed the definition of XML External\nEntities (XXEs) in provided XSLTs. A malicious application could use this\nto circumvent intended security restrictions to disclose sensitive\ninformation. (CVE-2014-0096)\n\nThe CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product\nSecurity.\n\nThis update also fixes the following bugs:\n\n* The patch that resolved the CVE-2014-0050 issue contained redundant code.\nThis update removes the redundant code. (BZ#1094528)\n\n* The patch that resolved the CVE-2013-4322 issue contained an invalid\ncheck that triggered a java.io.EOFException while reading trailer headers\nfor chunked requests. This update fixes the check and the aforementioned\nexception is no longer triggered in the described scenario. (BZ#1095602)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/020403.html\n\n**Affected packages:**\ntomcat6\ntomcat6-admin-webapps\ntomcat6-docs-webapp\ntomcat6-el-2.1-api\ntomcat6-javadoc\ntomcat6-jsp-2.1-api\ntomcat6-lib\ntomcat6-servlet-2.5-api\ntomcat6-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0865.html", "published": "2014-07-09T16:09:49", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/020403.html", "cvelist": ["CVE-2014-0099", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-0096", "CVE-2014-0075"], "lastseen": "2017-10-03T18:25:19"}, {"id": "CESA-2014:0429", "type": "centos", "title": "tomcat6 security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0429\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was found that when Tomcat processed a series of HTTP requests in which\nat least one request contained either multiple content-length headers, or\none content-length header with a chunked transfer-encoding header, Tomcat\nwould incorrectly handle the request. A remote attacker could use this flaw\nto poison a web cache, perform cross-site scripting (XSS) attacks, or\nobtain sensitive information from other requests. (CVE-2013-4286)\n\nIt was discovered that the fix for CVE-2012-3544 did not properly resolve a\ndenial of service flaw in the way Tomcat processed chunk extensions and\ntrailing headers in chunked requests. A remote attacker could use this flaw\nto send an excessively long request that, when processed by Tomcat, could\nconsume network bandwidth, CPU, and memory on the Tomcat server. Note that\nchunked transfer encoding is enabled by default. (CVE-2013-4322)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing JBoss Web to enter an infinite loop when\nprocessing such an incoming request. (CVE-2014-0050)\n\nAll Tomcat users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-April/020265.html\n\n**Affected packages:**\ntomcat6\ntomcat6-admin-webapps\ntomcat6-docs-webapp\ntomcat6-el-2.1-api\ntomcat6-javadoc\ntomcat6-jsp-2.1-api\ntomcat6-lib\ntomcat6-servlet-2.5-api\ntomcat6-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0429.html", "published": "2014-04-23T19:07:14", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-April/020265.html", "cvelist": ["CVE-2012-3544", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-4286"], "lastseen": "2017-10-03T18:26:03"}], "gentoo": [{"id": "GLSA-201412-29", "type": "gentoo", "title": "Apache Tomcat: Multiple vulnerabilities", "description": "### Background\n\nApache Tomcat is a Servlet-3.0/JSP-2.2 Container.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker may be able to cause a Denial of Service condition as well as obtain sensitive information, bypass protection mechanisms and authentication restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Tomcat 6.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-6.0.41\"\n \n\nAll Tomcat 7.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-7.0.56\"", "published": "2014-12-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201412-29", "cvelist": ["CVE-2012-3544", "CVE-2013-2071", "CVE-2012-5887", "CVE-2014-0099", "CVE-2014-0119", "CVE-2013-4322", "CVE-2012-4431", "CVE-2012-2733", "CVE-2014-0050", "CVE-2013-2067", "CVE-2013-4286", "CVE-2013-4590", "CVE-2014-0096", "CVE-2014-0075", "CVE-2012-3546", "CVE-2012-5886", "CVE-2014-0033", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2016-09-06T19:46:52"}], "oracle": [{"id": "ORACLE:CPUAPR2015-2365600", "type": "oracle", "title": "Oracle Critical Patch Update - April 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 98 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-04-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2014-0116", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2014-8275", "CVE-2015-2570", "CVE-2014-3570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2014-0094", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2014-0113", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0205", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", "CVE-2015-0456", "CVE-2013-4545"], "lastseen": "2018-04-18T20:23:52"}, {"id": "ORACLE:CPUJUL2014-1972956", "type": "oracle", "title": "Oracle Critical Patch Update - July 2014", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are generally cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 113 new security fixes across the product families listed below.\n\nPlease note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\nPlease note that on April 18, 2014, Oracle released a [Security Alert for CVE-2014-0160 OpenSSL \"Heartbleed\"](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html>). This Critical Patch Update includes an update to MySQL Enterprise Server 5.6 and this update includes a fix for vulnerability CVE-2014-0160. Customers of other Oracle products are strongly advised to apply the [fixes ](<http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html>) that were announced in the Security Alert for CVE-2014-0160.\n", "published": "2014-07-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2014-2482", "CVE-2012-3544", "CVE-2014-4224", "CVE-2014-4208", "CVE-2014-4213", "CVE-2014-4262", "CVE-2014-4242", "CVE-2014-2490", "CVE-2014-4226", "CVE-2014-4251", "CVE-2014-4263", "CVE-2014-4238", "CVE-2014-2481", "CVE-2013-3774", "CVE-2014-2480", "CVE-2014-4250", "CVE-2014-4260", "CVE-2014-2479", "CVE-2014-4218", "CVE-2014-4254", "CVE-2014-4258", "CVE-2014-4221", "CVE-2013-6449", "CVE-2014-4255", "CVE-2014-4253", "CVE-2014-4268", "CVE-2013-2172", "CVE-2014-4203", "CVE-2014-4265", "CVE-2014-4231", "CVE-2014-4201", "CVE-2014-4233", "CVE-2013-5855", "CVE-2014-4210", "CVE-2014-4229", "CVE-2013-5605", "CVE-2014-0224", "CVE-2014-4267", "CVE-2014-4266", "CVE-2014-2486", "CVE-2014-4270", "CVE-2014-0098", "CVE-2014-4214", "CVE-2014-2485", "CVE-2014-4222", "CVE-2013-1741", "CVE-2014-4257", "CVE-2014-4244", "CVE-2014-2494", "CVE-2014-2487", "CVE-2014-4205", "CVE-2014-4261", "CVE-2014-0436", "CVE-2013-1740", "CVE-2014-2493", "CVE-2014-4206", "CVE-2014-0099", "CVE-2013-6438", "CVE-2014-3470", "CVE-2014-2488", "CVE-2013-1739", "CVE-2014-4215", "CVE-2014-0119", "CVE-2014-1492", "CVE-2014-4209", "CVE-2013-6450", "CVE-2014-4245", "CVE-2013-5606", "CVE-2014-0114", "CVE-2014-0211", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-2461", "CVE-2014-1490", "CVE-2010-5298", "CVE-2014-0160", "CVE-2013-4286", "CVE-2014-0209", "CVE-2014-0210", "CVE-2014-4234", "CVE-2014-2489", "CVE-2014-0195", "CVE-2014-4269", "CVE-2014-0198", "CVE-2014-4216", "CVE-2014-4230", "CVE-2013-3751", "CVE-2014-4264", "CVE-2014-2477", "CVE-2014-4220", "CVE-2014-4237", "CVE-2014-4204", "CVE-2014-0096", "CVE-2014-4243", "CVE-2014-4217", "CVE-2014-4239", "CVE-2014-4248", "CVE-2014-0075", "CVE-2014-4211", "CVE-2014-2496", "CVE-2014-2483", "CVE-2014-4235", "CVE-2014-0033", "CVE-2014-4225", "CVE-2014-4241", "CVE-2014-4246", "CVE-2014-4207", "CVE-2014-4232", "CVE-2014-4256", "CVE-2014-1491", "CVE-2014-4227", "CVE-2014-4247", "CVE-2014-4252", "CVE-2014-2492", "CVE-2014-4228", "CVE-2014-4202", "CVE-2014-4212", "CVE-2014-2484", "CVE-2014-4236", "CVE-2014-4240", "CVE-2014-4219", "CVE-2014-2456", "CVE-2014-4249", "CVE-2013-1620", "CVE-2014-4223", "CVE-2014-4271", "CVE-2014-0221", "CVE-2014-2491", "CVE-2014-2495"], "lastseen": "2018-04-18T20:23:45"}, {"id": "ORACLE:CPUOCT2015-2367953", "type": "oracle", "title": "Oracle Critical Patch Update - October 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 153 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-10-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-1792", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2014-7923", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-3236", "CVE-2015-4868", "CVE-2014-3572", "CVE-2015-0206", "CVE-1999-0377", "CVE-2015-1789", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2014-8150", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-2522", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2015-0288", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-0285", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-3153", "CVE-2015-0207", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2014-8275", "CVE-2015-4869", "CVE-2015-0208", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2014-3570", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2014-8147", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2014-3707", "CVE-2015-4912", "CVE-2015-0293", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-1788", "CVE-2015-2633", "CVE-2015-4807", "CVE-2014-8146", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-0209", "CVE-2015-3183", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-0204", "CVE-2014-7926", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-1790", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-0291", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4854", "CVE-2015-0287", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-0289", "CVE-2015-4916", "CVE-2015-4826", "CVE-2015-0292", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-0290", "CVE-2015-0205", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-1787", "CVE-2014-3569", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "lastseen": "2018-04-18T20:24:08"}, {"id": "ORACLE:CPUOCT2014-1972960", "type": "oracle", "title": "Oracle Critical Patch Update - October 2014", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nOracle acknowledges Dana Taylor of netinfiltration.com for bringing to Oracle's attention a number of sites that were vulnerable to disclosure of sensitive information because Oracle CPU fixes were not applied to those sites for more than a year.\n\nThis Critical Patch Update contains 154 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that on September 26, 2014, Oracle released a [Security Alert for CVE-2014-7169 \"Bash\"](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html>) and other publicly disclosed vulnerabilities affecting GNU Bash. Customers of affected Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-7169.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "published": "2014-10-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2014-6495", "CVE-2014-6506", "CVE-2014-6500", "CVE-2014-2478", "CVE-2014-6564", "CVE-2014-6482", "CVE-2014-6536", "CVE-2014-6544", "CVE-2014-6558", "CVE-2014-6516", "CVE-2014-6560", "CVE-2014-6530", "CVE-2014-6505", "CVE-2014-4301", "CVE-2014-6463", "CVE-2014-6515", "CVE-2014-6460", "CVE-2014-6554", "CVE-2014-6539", "CVE-2014-4292", "CVE-2014-6487", "CVE-2014-6538", "CVE-2014-6493", "CVE-2014-4280", "CVE-2014-6488", "CVE-2014-4282", "CVE-2014-6519", "CVE-2014-2472", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6471", "CVE-2014-6501", "CVE-2014-6504", "CVE-2014-6534", "CVE-2014-6455", "CVE-2014-6459", "CVE-2014-6502", "CVE-2014-7169", "CVE-2013-5605", "CVE-2014-6472", "CVE-2014-0224", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-4284", "CVE-2014-6484", "CVE-2014-6476", "CVE-2014-6479", "CVE-2014-6535", "CVE-2014-6507", "CVE-2014-6503", "CVE-2014-6490", "CVE-2014-6557", "CVE-2014-6542", "CVE-2014-6454", "CVE-2014-4295", "CVE-2014-4291", "CVE-2014-6469", "CVE-2014-4278", "CVE-2014-6537", "CVE-2014-6486", "CVE-2014-6496", "CVE-2013-1741", "CVE-2014-6555", "CVE-2014-2476", "CVE-2014-6529", "CVE-2014-6562", "CVE-2013-1740", "CVE-2014-4293", "CVE-2014-6511", "CVE-2014-3470", "CVE-2013-1739", "CVE-2014-6475", "CVE-2014-6485", "CVE-2014-6559", "CVE-2014-6470", "CVE-2014-4274", "CVE-2014-4294", "CVE-2014-6531", "CVE-2014-0119", "CVE-2014-1492", "CVE-2014-6456", "CVE-2014-6547", "CVE-2014-2880", "CVE-2013-5606", "CVE-2014-0114", "CVE-2014-4310", "CVE-2014-6543", "CVE-2014-6464", "CVE-2014-6468", "CVE-2014-4297", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-6520", "CVE-2014-6551", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-6533", "CVE-2014-4276", "CVE-2014-4277", "CVE-2014-4288", "CVE-2014-6550", "CVE-2014-0195", "CVE-2014-4296", "CVE-2014-0198", "CVE-2013-4590", "CVE-2014-4290", "CVE-2014-6478", "CVE-2014-6553", "CVE-2014-6483", "CVE-2014-6473", "CVE-2014-0096", "CVE-2014-2475", "CVE-2014-4300", "CVE-2014-0075", "CVE-2014-6546", "CVE-2014-6465", "CVE-2014-4299", "CVE-2014-6491", "CVE-2014-6508", "CVE-2014-4289", "CVE-2014-6453", "CVE-2014-2473", "CVE-2014-4285", "CVE-2014-6522", "CVE-2014-0033", "CVE-2012-5615", "CVE-2014-6467", "CVE-2014-6523", "CVE-2014-6452", "CVE-2014-0095", "CVE-2014-6513", "CVE-2014-6474", "CVE-2014-1491", "CVE-2014-6489", "CVE-2014-2474", "CVE-2014-6563", "CVE-2014-6545", "CVE-2014-4281", "CVE-2014-4275", "CVE-2014-4287", "CVE-2014-6477", "CVE-2014-6552", "CVE-2014-6540", "CVE-2014-6494", "CVE-2014-6461", "CVE-2014-4283", "CVE-2014-6527", "CVE-2014-6462", "CVE-2014-6561", "CVE-2014-4298", "CVE-2014-6499", "CVE-2014-6512", "CVE-2014-0221", "CVE-2014-6498", "CVE-2014-6497"], "lastseen": "2018-04-18T20:23:49"}, {"id": "ORACLE:CPUJAN2015-1972971", "type": "oracle", "title": "Oracle Critical Patch Update - January 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-03-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "lastseen": "2018-04-18T20:23:51"}, {"id": "ORACLE:CPUOCT2017-3236626", "type": "oracle", "title": "Oracle Critical Patch Update - October 2017", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2310031.1>).\n\nPlease note that on September 22, 2017, Oracle released [Security Alert for CVE-2017-9805](<http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html>). Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch update\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "published": "2017-10-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2017-10324", "CVE-2017-10167", "CVE-2017-10014", "CVE-2017-10417", "CVE-2017-10037", "CVE-2015-5351", "CVE-2015-5254", "CVE-2017-10270", "CVE-2017-10387", "CVE-2017-10360", "CVE-2015-1792", "CVE-2017-10321", "CVE-2017-10060", "CVE-2015-0235", "CVE-2015-1793", "CVE-2017-10404", "CVE-2017-10311", "CVE-2017-10421", "CVE-2017-10353", "CVE-2017-10260", "CVE-2017-10203", "CVE-2016-9840", "CVE-2017-10419", "CVE-2017-10424", "CVE-2017-10399", "CVE-2017-10293", "CVE-2015-3197", "CVE-2017-10299", "CVE-2017-10158", "CVE-2017-10379", "CVE-2017-10414", "CVE-2017-10054", "CVE-2017-10357", "CVE-2017-10197", "CVE-2017-10361", "CVE-2017-10356", "CVE-2016-5019", "CVE-2017-10322", "CVE-2017-10323", "CVE-2017-10066", "CVE-2014-3572", "CVE-2017-5709", "CVE-2016-6306", "CVE-2017-5462", "CVE-2014-3613", "CVE-2017-7502", "CVE-2015-7181", "CVE-2015-0206", "CVE-2017-10369", "CVE-2015-1789", "CVE-2016-2183", "CVE-2017-10349", "CVE-2017-10284", "CVE-2017-10294", "CVE-2017-10325", "CVE-2017-10416", "CVE-2015-0286", "CVE-2017-10341", "CVE-2017-10420", "CVE-2017-10418", "CVE-2017-10367", "CVE-2016-2178", "CVE-2017-10164", "CVE-2013-1903", "CVE-2017-10400", "CVE-2017-3167", "CVE-2017-10281", "CVE-2015-3195", "CVE-2017-10351", "CVE-2017-10359", "CVE-2017-10381", "CVE-2017-10406", "CVE-2017-10348", "CVE-2017-10372", "CVE-2014-8714", "CVE-2017-10034", "CVE-2017-10328", "CVE-2016-0714", "CVE-2016-3092", "CVE-2014-3571", "CVE-2017-10397", "CVE-2017-10388", "CVE-2017-10330", "CVE-2017-10407", "CVE-2014-0076", "CVE-2017-10033", "CVE-2017-10342", "CVE-2017-10415", "CVE-2017-10408", "CVE-2016-6302", "CVE-2017-10344", "CVE-2017-10354", "CVE-2017-10338", "CVE-2017-10296", "CVE-2017-10292", "CVE-2017-10402", "CVE-2014-3587", "CVE-2017-10306", "CVE-2017-10365", "CVE-2017-10337", "CVE-2017-10426", "CVE-2016-8745", "CVE-2016-2177", "CVE-2017-10380", "CVE-2015-0288", "CVE-2017-10332", "CVE-2017-10378", "CVE-2014-0224", "CVE-2017-10026", "CVE-2017-10276", "CVE-2016-0635", "CVE-2017-10409", "CVE-2017-10166", "CVE-2017-10427", "CVE-2017-10422", "CVE-2015-3194", "CVE-2017-10355", "CVE-2017-10163", "CVE-2016-6515", "CVE-2017-10326", "CVE-2015-0285", "CVE-2016-2107", "CVE-2017-10153", "CVE-2016-7055", "CVE-2017-10382", "CVE-2015-7501", "CVE-2017-10364", "CVE-2017-10319", "CVE-2015-3253", "CVE-2017-3731", "CVE-2016-6307", "CVE-2016-0701", "CVE-2017-10398", "CVE-2017-10051", "CVE-2017-10308", "CVE-2017-10320", "CVE-2017-10287", "CVE-2017-10412", "CVE-2017-10334", "CVE-2016-9842", "CVE-2016-2834", "CVE-2017-10283", "CVE-2015-0899", "CVE-2017-10152", "CVE-2017-10264", "CVE-2016-1182", "CVE-2014-0065", "CVE-2016-0763", "CVE-2015-0207", "CVE-2017-10155", "CVE-2017-10271", "CVE-2017-10286", "CVE-2017-10304", "CVE-2016-6308", "CVE-2016-6816", "CVE-2016-7433", "CVE-2014-4342", "CVE-2017-5662", "CVE-2014-8275", "CVE-2016-2180", "CVE-2017-10411", "CVE-2017-10313", "CVE-2017-10194", "CVE-2015-7182", "CVE-2015-0208", "CVE-2015-2808", "CVE-2017-10347", "CVE-2014-3570", "CVE-2017-10227", "CVE-2015-7575", "CVE-2017-10370", "CVE-2017-10261", "CVE-2017-10425", "CVE-2017-5706", "CVE-2015-3196", "CVE-2017-10428", "CVE-2014-3470", "CVE-2017-10362", "CVE-2017-10309", "CVE-2016-2181", "CVE-2017-10391", "CVE-2016-6304", "CVE-2015-3193", "CVE-2017-10263", "CVE-2014-3538", "CVE-2017-10403", "CVE-2014-0114", "CVE-2017-10159", "CVE-2017-10410", "CVE-2017-3732", "CVE-2017-10383", "CVE-2017-10339", "CVE-2017-10340", "CVE-2014-0050", "CVE-2017-10327", "CVE-2017-10396", "CVE-2017-10300", "CVE-2014-3707", "CVE-2014-0064", "CVE-2017-10343", "CVE-2015-0293", "CVE-2017-10165", "CVE-2017-10316", "CVE-2017-3445", "CVE-2017-10373", "CVE-2016-1979", "CVE-2017-10363", "CVE-2017-10352", "CVE-2016-2381", "CVE-2014-8713", "CVE-2017-10279", "CVE-2015-7183", "CVE-2013-0255", "CVE-2017-10314", "CVE-2017-9805", "CVE-2015-1788", "CVE-2017-10055", "CVE-2014-0195", "CVE-2014-0198", "CVE-2017-10161", "CVE-2016-7052", "CVE-2015-0209", "CVE-2014-0063", "CVE-2016-1950", "CVE-2017-10333", "CVE-2015-0204", "CVE-2016-0706", "CVE-2013-0248", "CVE-2017-3733", "CVE-2017-5664", "CVE-2017-10312", "CVE-2017-10366", "CVE-2014-0060", "CVE-2017-10318", "CVE-2016-7429", "CVE-2016-1181", "CVE-2017-10268", "CVE-2017-10285", "CVE-2017-3446", "CVE-2017-10392", "CVE-2017-10413", "CVE-2016-9843", "CVE-2013-2566", "CVE-2016-8735", "CVE-2015-1790", "CVE-2017-10394", "CVE-2017-9788", "CVE-2017-10350", "CVE-2016-6305", "CVE-2016-6303", "CVE-2017-10275", "CVE-2017-10274", "CVE-2017-10190", "CVE-2013-1902", "CVE-2017-10315", "CVE-2015-0291", "CVE-2017-10317", "CVE-2017-10389", "CVE-2017-10385", "CVE-2017-10154", "CVE-2017-10395", "CVE-2017-3588", "CVE-2014-4345", "CVE-2017-10162", "CVE-2003-1418", "CVE-2016-2182", "CVE-2017-10358", "CVE-2017-10310", "CVE-2017-10077", "CVE-2017-10346", "CVE-2014-0062", "CVE-2017-10401", "CVE-2015-0287", "CVE-2017-7668", "CVE-2017-3444", "CVE-2017-10295", "CVE-2017-10393", "CVE-2017-10423", "CVE-2017-10280", "CVE-2017-5461", "CVE-2016-10165", "CVE-2014-0066", "CVE-2015-0289", "CVE-2016-9841", "CVE-2015-7940", "CVE-2017-3169", "CVE-2017-10065", "CVE-2016-5285", "CVE-2017-10368", "CVE-2015-0292", "CVE-2017-10375", "CVE-2017-10384", "CVE-2014-0107", "CVE-2017-10050", "CVE-2016-3506", "CVE-2017-10345", "CVE-2017-10303", "CVE-2017-10302", "CVE-2017-10259", "CVE-2017-10265", "CVE-2015-0290", "CVE-2017-3730", "CVE-2015-0205", "CVE-2017-10329", "CVE-2016-2179", "CVE-2017-10405", "CVE-2017-10277", "CVE-2016-6814", "CVE-2013-1900", "CVE-2015-1787", "CVE-2015-4852", "CVE-2014-0061", "CVE-2014-3569", "CVE-2017-10386", "CVE-2015-1791", "CVE-2017-10336", "CVE-2017-10335", "CVE-2016-7431", "CVE-2017-7679", "CVE-2014-0221", "CVE-2017-10331", "CVE-2017-10099"], "lastseen": "2018-04-18T20:23:54"}, {"id": "ORACLE:CPUOCT2016-2881722", "type": "oracle", "title": "Oracle Critical Patch Update - October 2016", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 253 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "published": "2016-10-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2016-5606", "CVE-2016-5540", "CVE-2016-5630", "CVE-2016-5594", "CVE-2016-5575", "CVE-2016-5609", "CVE-2015-5351", "CVE-2016-8294", "CVE-2016-5565", "CVE-2016-5591", "CVE-2015-1792", "CVE-2016-5498", "CVE-2016-5624", "CVE-2016-5555", "CVE-2014-9296", "CVE-2015-0235", "CVE-2015-1793", "CVE-2016-1546", "CVE-2016-5560", "CVE-2016-5611", "CVE-2014-7809", "CVE-2016-3492", "CVE-2016-5612", "CVE-2015-3197", "CVE-2016-5602", "CVE-2016-5487", "CVE-2016-5505", "CVE-2016-5608", "CVE-2016-5625", "CVE-2016-6306", "CVE-2016-5619", "CVE-2016-5568", "CVE-2016-6663", "CVE-2015-1789", "CVE-2016-5527", "CVE-2016-2183", "CVE-2014-0227", "CVE-2016-5481", "CVE-2016-5518", "CVE-2016-8281", "CVE-2016-5631", "CVE-2015-0286", "CVE-2016-2178", "CVE-2016-8288", "CVE-2016-5635", "CVE-2016-5497", "CVE-2015-2568", "CVE-2016-5486", "CVE-2016-5628", "CVE-2015-3195", "CVE-2016-4979", "CVE-2016-5617", "CVE-2016-5621", "CVE-2016-3473", "CVE-2016-5521", "CVE-2016-5543", "CVE-2016-5585", "CVE-2016-5488", "CVE-2016-0714", "CVE-2014-3571", "CVE-2016-8292", "CVE-2016-5588", "CVE-2016-5559", "CVE-2016-5599", "CVE-2016-5539", "CVE-2016-5514", "CVE-2016-5479", "CVE-2016-6302", "CVE-2016-5504", "CVE-2016-6664", "CVE-2016-3551", "CVE-2016-5499", "CVE-2016-2177", "CVE-2016-5604", "CVE-2016-5574", "CVE-2014-9294", "CVE-2010-5312", "CVE-2014-0224", "CVE-2016-5616", "CVE-2016-8296", "CVE-2016-0635", "CVE-2016-2105", "CVE-2016-5557", "CVE-2016-5569", "CVE-2016-2107", "CVE-2016-5553", "CVE-2015-7501", "CVE-2016-5610", "CVE-2016-5577", "CVE-2015-3253", "CVE-2014-9295", "CVE-2016-6307", "CVE-2016-3562", "CVE-2016-1182", "CVE-2016-5566", "CVE-2016-5576", "CVE-2016-5582", "CVE-2016-0763", "CVE-2016-5493", "CVE-2016-5615", "CVE-2016-8285", "CVE-2016-6308", "CVE-2016-5633", "CVE-2016-2180", "CVE-2016-5534", "CVE-2016-5542", "CVE-2016-5513", "CVE-2016-5571", "CVE-2016-5567", "CVE-2016-5597", "CVE-2016-5525", "CVE-2016-8295", "CVE-2014-0099", "CVE-2016-5627", "CVE-2014-2532", "CVE-2016-5500", "CVE-2016-8287", "CVE-2016-2109", "CVE-2016-3505", "CVE-2016-2181", "CVE-2014-0119", "CVE-2016-6304", "CVE-2016-5482", "CVE-2016-5522", "CVE-2014-0114", "CVE-2016-5529", "CVE-2013-4322", "CVE-2016-5515", "CVE-2016-6662", "CVE-2014-0050", "CVE-2016-5595", "CVE-2013-2067", "CVE-2015-0500", "CVE-2016-5596", "CVE-2013-4286", "CVE-2016-1881", "CVE-2015-0382", "CVE-2099-1234", "CVE-2016-5587", "CVE-2016-5480", "CVE-2016-5600", "CVE-2016-5491", "CVE-2016-5586", "CVE-2016-5519", "CVE-2016-5605", "CVE-2015-1788", "CVE-2016-5632", "CVE-2016-5511", "CVE-2016-5578", "CVE-2016-5562", "CVE-2016-5489", "CVE-2016-7052", "CVE-2016-5490", "CVE-2016-5533", "CVE-2013-4590", "CVE-2016-5626", "CVE-2016-5583", "CVE-2016-5556", "CVE-2016-1950", "CVE-2016-5607", "CVE-2016-8291", "CVE-2016-0706", "CVE-2016-5492", "CVE-2012-1007", "CVE-2016-5570", "CVE-2016-5516", "CVE-2016-8283", "CVE-2016-5507", "CVE-2016-5537", "CVE-2016-5584", "CVE-2016-5598", "CVE-2015-0409", "CVE-2016-1181", "CVE-2013-2566", "CVE-2015-0423", "CVE-2014-0096", "CVE-2016-5508", "CVE-2016-2176", "CVE-2016-5524", "CVE-2015-1790", "CVE-2016-5510", "CVE-2014-0075", "CVE-2013-4444", "CVE-2016-6305", "CVE-2016-5530", "CVE-2016-5580", "CVE-2016-6303", "CVE-2016-5538", "CVE-2015-1351", "CVE-2016-5523", "CVE-2016-5613", "CVE-2016-5618", "CVE-2016-5601", "CVE-2016-2182", "CVE-2016-5554", "CVE-2016-5535", "CVE-2015-0433", "CVE-2016-8293", "CVE-2016-5589", "CVE-2016-5581", "CVE-2016-5531", "CVE-2016-5620", "CVE-2016-5495", "CVE-2016-5573", "CVE-2016-5564", "CVE-2016-5592", "CVE-2016-5532", "CVE-2015-7940", "CVE-2016-5526", "CVE-2016-5603", "CVE-2016-5517", "CVE-2016-5501", "CVE-2016-5502", "CVE-2016-5634", "CVE-2016-5512", "CVE-2016-5579", "CVE-2016-5561", "CVE-2016-8284", "CVE-2016-5593", "CVE-2016-8290", "CVE-2016-3081", "CVE-2016-2179", "CVE-2016-5503", "CVE-2016-2106", "CVE-2016-7440", "CVE-2016-5558", "CVE-2015-4852", "CVE-2014-9293", "CVE-2016-5536", "CVE-2015-1791", "CVE-2016-5563", "CVE-2016-8289", "CVE-2016-8286", "CVE-2016-6309", "CVE-2016-5572", "CVE-2016-5622", "CVE-2016-5629", "CVE-2016-5506", "CVE-2016-3495", "CVE-2016-5544", "CVE-2015-0411", "CVE-2015-0381"], "lastseen": "2018-04-18T20:24:12"}, {"id": "ORACLE:CPUJAN2016-2367955", "type": "oracle", "title": "Oracle Critical Patch Update - January 2016", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 248 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\n** Please note that on November 10, 2015, Oracle released [Security Alert for CVE-2015-4852](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-4852. **\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2016-01-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2016-0571", "CVE-2016-0528", "CVE-2015-6013", "CVE-2015-4000", "CVE-2016-0608", "CVE-2016-0515", "CVE-2016-0514", "CVE-2016-0600", "CVE-2015-1792", "CVE-2016-0492", "CVE-2016-0611", "CVE-2016-0575", "CVE-2016-0544", "CVE-2016-0599", "CVE-2015-0235", "CVE-2016-0445", "CVE-2016-0500", "CVE-2016-0572", "CVE-2015-1793", "CVE-2016-0592", "CVE-2016-0435", "CVE-2016-0512", "CVE-2015-8126", "CVE-2016-0526", "CVE-2016-0457", "CVE-2016-0594", "CVE-2016-0498", "CVE-2016-0516", "CVE-2016-0580", "CVE-2016-0470", "CVE-2016-0444", "CVE-2016-0577", "CVE-2016-0440", "CVE-2016-0546", "CVE-2015-1789", "CVE-2016-0541", "CVE-2016-0560", "CVE-2016-0428", "CVE-2016-0447", "CVE-2016-0477", "CVE-2016-0568", "CVE-2016-0415", "CVE-2015-0286", "CVE-2016-0489", "CVE-2016-0559", "CVE-2016-0472", "CVE-2016-0578", "CVE-2016-0579", "CVE-2016-0561", "CVE-2014-3583", "CVE-2016-0412", "CVE-2015-3195", "CVE-2016-0449", "CVE-2016-0555", "CVE-2016-0481", "CVE-2016-0511", "CVE-2016-0605", "CVE-2015-4885", "CVE-2016-0455", "CVE-2015-4921", "CVE-2016-0534", "CVE-2016-0414", "CVE-2015-4924", "CVE-2016-0589", "CVE-2016-0474", "CVE-2016-0508", "CVE-2016-0465", "CVE-2016-0553", "CVE-2016-0582", "CVE-2016-0483", "CVE-2013-5855", "CVE-2016-0517", "CVE-2013-5704", "CVE-2016-0454", "CVE-2015-0288", "CVE-2016-0486", "CVE-2013-5605", "CVE-2016-0554", "CVE-2016-0542", "CVE-2016-0591", "CVE-2016-0433", "CVE-2016-0448", "CVE-2016-0506", "CVE-2016-0401", "CVE-2016-0416", "CVE-2016-0437", "CVE-2016-0550", "CVE-2016-0533", "CVE-2016-0403", "CVE-2015-4922", "CVE-2016-0566", "CVE-2016-0606", "CVE-2016-0510", "CVE-2016-0431", "CVE-2015-0285", "CVE-2016-0569", "CVE-2016-0459", "CVE-2016-0471", "CVE-2016-0564", "CVE-2016-0524", "CVE-2016-0563", "CVE-2016-0522", "CVE-2015-3153", "CVE-2016-0616", "CVE-2016-0614", "CVE-2013-1741", "CVE-2015-0207", "CVE-2016-0442", "CVE-2016-0493", "CVE-2016-0443", "CVE-2016-0618", "CVE-2016-0573", "CVE-2016-0527", "CVE-2016-0610", "CVE-2016-0609", "CVE-2016-0570", "CVE-2015-4926", "CVE-2015-0208", "CVE-2015-5307", "CVE-2016-0473", "CVE-2016-0518", "CVE-2013-1740", "CVE-2016-0567", "CVE-2015-7575", "CVE-2016-0558", "CVE-2016-0543", "CVE-2016-0463", "CVE-2016-0487", "CVE-2013-1739", "CVE-2016-0466", "CVE-2016-0462", "CVE-2016-0423", "CVE-2016-0596", "CVE-2016-0535", "CVE-2016-0509", "CVE-2016-0574", "CVE-2014-1492", "CVE-2016-0426", "CVE-2016-0460", "CVE-2016-0504", "CVE-2016-0521", "CVE-2016-0501", "CVE-2013-5606", "CVE-2016-0451", "CVE-2016-0482", "CVE-2015-4808", "CVE-2016-0539", "CVE-2014-0050", "CVE-2016-0404", "CVE-2016-0419", "CVE-2016-0494", "CVE-2015-0293", "CVE-2016-0552", "CVE-2016-0485", "CVE-2014-1490", "CVE-2016-0595", "CVE-2016-0402", "CVE-2016-0480", "CVE-2016-0478", "CVE-2016-0427", "CVE-2015-4919", "CVE-2016-0529", "CVE-2015-7183", "CVE-2016-0503", "CVE-2015-1788", "CVE-2016-0413", "CVE-2016-0476", "CVE-2016-0598", "CVE-2016-0556", "CVE-2015-0209", "CVE-2016-0422", "CVE-2016-0502", "CVE-2016-0601", "CVE-2013-2186", "CVE-2015-3183", "CVE-2015-4920", "CVE-2016-0441", "CVE-2016-0432", "CVE-2016-0484", "CVE-2016-0536", "CVE-2016-0576", "CVE-2015-0204", "CVE-2016-0540", "CVE-2016-0584", "CVE-2016-0537", "CVE-2016-0590", "CVE-2016-0565", "CVE-2016-0420", "CVE-2016-0557", "CVE-2016-0586", "CVE-2016-0417", "CVE-2016-0491", "CVE-2016-0424", "CVE-2015-8472", "CVE-2016-0450", "CVE-2016-0495", "CVE-2016-0520", "CVE-2016-0405", "CVE-2016-0488", "CVE-2015-1790", "CVE-2016-0525", "CVE-2016-0475", "CVE-2016-0499", "CVE-2016-0452", "CVE-2015-6014", "CVE-2016-0548", "CVE-2016-0519", "CVE-2016-0587", "CVE-2016-0461", "CVE-2016-0464", "CVE-2016-0409", "CVE-2016-0438", "CVE-2015-0291", "CVE-2016-0429", "CVE-2016-0497", "CVE-2014-3581", "CVE-2016-0607", "CVE-2015-8370", "CVE-2016-0439", "CVE-2015-0287", "CVE-2014-8109", "CVE-2016-0530", "CVE-2016-0456", "CVE-2016-0496", "CVE-2016-0551", "CVE-2016-0425", "CVE-2016-0421", "CVE-2016-0523", "CVE-2016-0430", "CVE-2015-0289", "CVE-2016-0597", "CVE-2016-0467", "CVE-2016-0581", "CVE-2016-0549", "CVE-2016-0458", "CVE-2014-1491", "CVE-2016-0538", "CVE-2016-0531", "CVE-2015-0292", "CVE-2016-0583", "CVE-2016-0411", "CVE-2016-0507", "CVE-2016-0490", "CVE-2016-0418", "CVE-2014-0107", "CVE-2016-0453", "CVE-2015-7744", "CVE-2016-0513", "CVE-2016-0436", "CVE-2016-0547", "CVE-2016-0588", "CVE-2015-0290", "CVE-2016-0434", "CVE-2016-0446", "CVE-2015-1787", "CVE-2016-0505", "CVE-2015-4852", "CVE-2016-0562", "CVE-2016-0585", "CVE-2015-4923", "CVE-2016-0406", "CVE-2015-1791", "CVE-2015-8104", "CVE-2016-0532", "CVE-2015-4925", "CVE-2015-6015", "CVE-2016-0545", "CVE-2016-0602"], "lastseen": "2018-04-18T20:23:57"}]}}

openSUSE Security Update : jakarta-commons-fileupload (openSUSE-SU-2014:0528-1)

Description

This jakarta-commons-fileupload update fixes the follwoing security and non security issues : bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050). Removed gcj part and deprecated macros. Moved from jpackage-utils to javapackage-tools.

This jakarta-commons-fileupload update fixes the follwoing security and non security issues :

bnc#862781: Fixed buffer overflow and resulting DoS (CVE-2014-0050).

Removed gcj part and deprecated macros.

Moved from jpackage-utils to javapackage-tools.