Apache Tomcat (tomcat), TOMCAT:1F88AED82411526AE64D4E54A393CB51
May 23, 2014 - 12:00 a.m.

Fixed in Apache Tomcat 6.0.41

2014-05-23 00:00:00
Apache Tomcat
tomcat.apache.org

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.038 Low
Percentile: 91.8%

Note: The issues below were fixed in Apache Tomcat 6.0.40 but the release vote for the 6.0.40 release candidate did not pass. Therefore, although users must download 6.0.41 to obtain a version that includes fixes for these issues, version 6.0.40 is not included in the list of affected versions.

Important: Denial of Service CVE-2014-0075

It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack.

This was fixed in revision 1579262.

This issue was reported to the Tomcat security team by David Jorm of the Red Hat Security Response Team on 28 February 2014 and made public on 27 May 2014.

Affects: 6.0.0-6.0.39

Important: Information disclosure CVE-2014-0096

The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.

This was fixed in revision 1585853.

This issue was identified by the Tomcat security team on 27 February 2014 and made public on 27 May 2014.

Affects: 6.0.0-6.0.39

Important: Information disclosure CVE-2014-0099

The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.

This was fixed in revision 1580473.

A test case that demonstrated the parsing bug was sent to the Tomcat security team on 13 March 2014 but no context was provided. The security implications were identified by the Tomcat security team the day the report was received and made public on 27 May 2014.

Affects: 6.0.0-6.0.39
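
The overflow described for CVE-2014-0099, as an added Java illustration (not Tomcat's own code; the class and method names are hypothetical): a digit-by-digit Content-Length parser without an overflow check wraps on a value larger than Long.MAX_VALUE, so it reports a different body length than a front end that parsed the header correctly, while the checked variant rejects the header.

```java
import java.nio.charset.StandardCharsets;

// Added illustration only; names are hypothetical, not taken from Tomcat.
public class ContentLengthParse {

    // Unchecked: digits are folded into a long with no overflow test, so a
    // value above Long.MAX_VALUE silently wraps to an unrelated number.
    static long parseUnchecked(byte[] value) {
        long result = 0;
        for (byte b : value) {
            if (b < '0' || b > '9') {
                throw new NumberFormatException("non-digit in Content-Length");
            }
            result = result * 10 + (b - '0');
        }
        return result;
    }

    // Checked: refuse the header before the multiply-add can exceed Long.MAX_VALUE.
    static long parseChecked(byte[] value) {
        if (value.length == 0) {
            throw new NumberFormatException("empty Content-Length");
        }
        long result = 0;
        for (byte b : value) {
            if (b < '0' || b > '9') {
                throw new NumberFormatException("non-digit in Content-Length");
            }
            int digit = b - '0';
            if (result > (Long.MAX_VALUE - digit) / 10) {
                throw new NumberFormatException("Content-Length overflows long");
            }
            result = result * 10 + digit;
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed header values; the last one is 2^64 + 5 and does not fit in a long.
        String[] samples = {"42", "9223372036854775807", "18446744073709551621"};
        for (String s : samples) {
            byte[] raw = s.getBytes(StandardCharsets.US_ASCII);
            String checked;
            try {
                checked = Long.toString(parseChecked(raw));
            } catch (NumberFormatException e) {
                checked = "rejected (" + e.getMessage() + ")";
            }
            System.out.println(s + " -> unchecked=" + parseUnchecked(raw) + ", checked=" + checked);
        }
    }
}
```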

Low: Information Disclosure CVE-2014-0119

In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.

This was fixed in revisions 1589640, 1593815 and 1593821.

This issue was identified by the Tomcat security team on 12 April 2014 and made public on 27 May 2014.

Affects: 6.0.0-6.0.39

CPE Name         Operator   Version
apache tomcat    ge         6.0.0
apache tomcat    le         6.0.39
