ID CVE-2014-0227
Summary java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 15-04-2019 - 16:29)
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1109196
    title CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment tomcat is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983005
        • comment tomcat is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686006
      • AND
        • comment tomcat-admin-webapps is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983011
        • comment tomcat-admin-webapps is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686016
      • AND
        • comment tomcat-docs-webapp is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983007
        • comment tomcat-docs-webapp is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686014
      • AND
        • comment tomcat-el-2.2-api is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983009
        • comment tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686024
      • AND
        • comment tomcat-javadoc is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983015
        • comment tomcat-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686012
      • AND
        • comment tomcat-jsp-2.2-api is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983017
        • comment tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686018
      • AND
        • comment tomcat-jsvc is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983023
        • comment tomcat-jsvc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686022
      • AND
        • comment tomcat-lib is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983021
        • comment tomcat-lib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686010
      • AND
        • comment tomcat-servlet-3.0-api is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983019
        • comment tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686020
      • AND
        • comment tomcat-webapps is earlier than 0:7.0.54-2.el7_1
          oval oval:com.redhat.rhsa:tst:20150983013
        • comment tomcat-webapps is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140686008
    rhsa
    id RHSA-2015:0983
    released 2015-05-12
    severity Moderate
    title RHSA-2015:0983: tomcat security update (Moderate)
  • bugzilla
    id 1109196
    title CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment tomcat6 is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991005
        • comment tomcat6 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335006
      • AND
        • comment tomcat6-admin-webapps is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991007
        • comment tomcat6-admin-webapps is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335022
      • AND
        • comment tomcat6-docs-webapp is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991009
        • comment tomcat6-docs-webapp is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335020
      • AND
        • comment tomcat6-el-2.1-api is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991011
        • comment tomcat6-el-2.1-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335024
      • AND
        • comment tomcat6-javadoc is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991019
        • comment tomcat6-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335012
      • AND
        • comment tomcat6-jsp-2.1-api is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991017
        • comment tomcat6-jsp-2.1-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335008
      • AND
        • comment tomcat6-lib is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991013
        • comment tomcat6-lib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335018
      • AND
        • comment tomcat6-servlet-2.5-api is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991021
        • comment tomcat6-servlet-2.5-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335010
      • AND
        • comment tomcat6-webapps is earlier than 0:6.0.24-83.el6_6
          oval oval:com.redhat.rhsa:tst:20150991015
        • comment tomcat6-webapps is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335014
    rhsa
    id RHSA-2015:0991
    released 2015-05-12
    severity Moderate
    title RHSA-2015:0991: tomcat6 security and bug fix update (Moderate)
  • rhsa
    id RHSA-2015:0675
  • rhsa
    id RHSA-2015:0720
  • rhsa
    id RHSA-2015:0765
rpms
  • tomcat-0:7.0.54-2.el7_1
  • tomcat-admin-webapps-0:7.0.54-2.el7_1
  • tomcat-docs-webapp-0:7.0.54-2.el7_1
  • tomcat-el-2.2-api-0:7.0.54-2.el7_1
  • tomcat-javadoc-0:7.0.54-2.el7_1
  • tomcat-jsp-2.2-api-0:7.0.54-2.el7_1
  • tomcat-jsvc-0:7.0.54-2.el7_1
  • tomcat-lib-0:7.0.54-2.el7_1
  • tomcat-servlet-3.0-api-0:7.0.54-2.el7_1
  • tomcat-webapps-0:7.0.54-2.el7_1
  • tomcat6-0:6.0.24-83.el6_6
  • tomcat6-admin-webapps-0:6.0.24-83.el6_6
  • tomcat6-docs-webapp-0:6.0.24-83.el6_6
  • tomcat6-el-2.1-api-0:6.0.24-83.el6_6
  • tomcat6-javadoc-0:6.0.24-83.el6_6
  • tomcat6-jsp-2.1-api-0:6.0.24-83.el6_6
  • tomcat6-lib-0:6.0.24-83.el6_6
  • tomcat6-servlet-2.5-api-0:6.0.24-83.el6_6
  • tomcat6-webapps-0:6.0.24-83.el6_6
refmap via4
bid 72717
bugtraq 20150209 [SECURITY] CVE-2014-0227 Apache Tomcat Request Smuggling
confirm
debian
  • DSA-3447
  • DSA-3530
fedora FEDORA-2015-2109
hp
  • HPSBUX03337
  • HPSBUX03341
  • SSRT102066
  • SSRT102068
mandriva
  • MDVSA-2015:052
  • MDVSA-2015:053
  • MDVSA-2015:084
mlist
  • [tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
sectrack 1032791
ubuntu
  • USN-2654-1
  • USN-2655-1
Last major update 15-04-2019 - 16:29
Published 16-02-2015 - 00:59
Back to Top