CVE-2014-0096
Publication date 31 May 2014
Last updated 24 July 2024
Ubuntu priority
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
From the Ubuntu Security Team
It was discovered that Tomcat did not properly restrict XSLT stylesheets. An attacker could use this issue with a crafted web application to bypass security-manager restrictions and read arbitrary files.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| tomcat6 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Fixed 6.0.39-1ubuntu0.1
|
|
| tomcat7 | 18.04 LTS bionic |
Not affected
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Fixed 7.0.52-1ubuntu0.1
|
|
| tomcat8 | 18.04 LTS bionic |
Not affected
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
Patch details
| Package | Patch details |
|---|---|
| tomcat6 | |
| tomcat7 |
References
Related Ubuntu Security Notices (USN)
- USN-2302-1
- Tomcat vulnerabilities
- 30 July 2014