Apache issues Tomcat patches
Versions 6, 7 and 8 contain bugs
Apache has patched a series of low-level bugs in Tomcat that allowed attackers to launch denial of service and bypass file access restrictions.
One of the information disclosure affecting version six (CVE-2014-0096) allowed a malicious web app to bypass file access constraints under certain conditions:
The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.
One of the DoS bugs (CVE-2014-0075) was reported by Brisbane-based RedHat security engineer David Jorm and allowed attackers to send unlimited amounts of data to be sent to the server via a malformed chunk.
Users should upgrade to the latest versions to protect against the disclosures and vulnerabilities. ®