PT-2014-1444 · Apache+5 · Apache Tomcat+5
Published 2014-03-27 · Updated 2022-05-14 · CVE-2014-0096
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions prior to 6.0.40
Apache Tomcat versions 7.x prior to 7.0.53
Apache Tomcat versions 8.x prior to 8.0.4
Description
The issue exists due to improper restriction of XSLT stylesheets in the default servlet of Apache Tomcat, allowing remote attackers to bypass security restrictions and read arbitrary files. This is related to an XML External Entity (XXE) issue, where a crafted web application can provide an XML external entity declaration in conjunction with an entity reference. The problem enables a malicious web application to bypass file access constraints imposed by the security manager via the use of external XML entities.
Recommendations
For Apache Tomcat versions prior to 6.0.40, update to version 6.0.40 or later.
For Apache Tomcat versions 7.x prior to 7.0.53, update to version 7.0.53 or later.
For Apache Tomcat versions 8.x prior to 8.0.4, update to version 8.0.4 or later.
As a temporary workaround, consider disabling the use of XSLT stylesheets in the default servlet until the update can be applied.
Restrict access to the default servlet to minimize the risk of exploitation.
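To check whether a Tomcat instance still has the configuration the workaround above targets, the added script below (not part of this record or of Tomcat) reads a conf/web.xml, finds the servlet named `default`, and flags directory listings plus any of the DefaultServlet XSLT parameters (`globalXsltFile`, `contextXsltFile`, `localXsltFile`) that point it at a stylesheet; the embedded web.xml is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/web.xml default-servlet entry (not from any
# real deployment): listings are on and a global stylesheet is configured.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>globalXsltFile</param-name><param-value>listing.xsl</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# DefaultServlet init-params that select an XSLT stylesheet for directory listings.
XSLT_PARAMS = ("globalXsltFile", "contextXsltFile", "localXsltFile")


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return {param-name: param-value} for the servlet named 'default'."""
    root = ET.fromstring(web_xml_text)  # stdlib parser does not fetch external entities
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        params = {}
        for init_param in (c for c in servlet if _local(c.tag) == "init-param"):
            fields = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if fields.get("param-name"):
                params[fields["param-name"]] = fields.get("param-value", "")
        return params
    return {}


def audit_default_servlet(web_xml_text):
    """List the default-servlet settings that leave XSLT listing rendering enabled."""
    params = default_servlet_params(web_xml_text)
    findings = []
    if params.get("listings", "false").strip().lower() == "true":
        findings.append("directory listings enabled (listings=true)")
    for name in XSLT_PARAMS:
        if params.get(name):
            findings.append(f"XSLT stylesheet configured via {name}={params[name]}")
    return findings
```

An empty result means no listing stylesheet is configured for the default servlet; it does not replace upgrading to the fixed versions listed above.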
Fix
RCE
Related identifiers
Affected products
Apache Tomcat
CentOS
HP-UX
Red Hat
SUSE
Ubuntu