CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Standard Taglibs 1.2.1
The unsupported 1.0.x and 1.1.x versions may also be affected.
Description:
When an application uses or tags to process untrusted
The Apache Tomcat team announces the immediate availability of Apache Standard
Taglib 1.2.3.
Apache Standard Taglib is an open source software implementation of the JSP
Standard Tag Library (JSTL) technology.
This release supports JSTL version 1.2 and includes bug-fixes and improvements
on the
On 26/02/2015 22:56, Christopher Schultz wrote:
> The solution is to put your into your application's
s/The solution/The best solution/
> context.xml and not into the site-wide defaults. Konstantin may not
> have spelled-out the solution, but he did give you all the information
> you needed to
Red,
On 2/26/15 5:28 PM, Red wrote:
> On 02/26/2015 12:29 PM, Konstantin Kolinko wrote:
>> 2015-02-26 19:28 GMT+03:00 Red :
>>> Thank You all who responded; Did not want to waste your time,
>>> hence delayed response.
>>>
>>> To make sure no custom
On 02/26/2015 12:29 PM, Konstantin Kolinko wrote:
> 2015-02-26 19:28 GMT+03:00 Red :
>> Thank You all who responded;
>> Did not want to waste your time, hence delayed response.
>>
>> To make sure no customization has been made on my end I have completely
>> rebuilt system: Install OS (Ubuntu 14.04.
Jan,
On 2/26/15 4:26 PM, Jan Tosovsky wrote:
> On 2015-02-26 Aurélien Terrestris wrote:
>>
>> It makes me remember this doc which is not bad for securing
>> Tomcat : https://www.owasp.org/index.php/Securing_tomcat
>>
>
> This is a good one. I've
On 2015-02-26 Aurélien Terrestris wrote:
>
> It makes me remember this doc which is not bad for securing Tomcat :
> https://www.owasp.org/index.php/Securing_tomcat
>
This is a good one. I've also found this:
http://server.dzone.com/articles/hacking-liferay-%E2%80%93-securing
It would be nice to
On 2015-02-26 Christopher Schultz wrote:
> On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
> > I agree with Leon.
>
> As do I. Apache httpd can change the attack surface somewhat, but if
> requests can still come from an untrusted remote client through to the
> application server, then you still ha
On 02/26/2015 12:52 PM, Konstantin Kolinko wrote:
2015-02-26 19:26 GMT+03:00 Mark Shifman :
This is truly embarrassing since I have the manager running fine on tomcat
7.
http://localhost:8080/manager/status
2015-02-26 19:26 GMT+03:00 Mark Shifman :
> This is truly embarrassing since I have the manager running fine on tomcat
> 7.
>
> http://localhost:8080/manager/status
> returns
> 127.0.0.1 - - [26/Feb/2015:10:47:11 -0500] "GET /manager/status HTTP/1.1"
> 404 1022
>
> http://localhost:8080/manager/ht
2015-02-26 19:28 GMT+03:00 Red :
> Thank You all who responded;
> Did not want to waste your time, hence delayed response.
>
> To make sure no customization has been made on my end I have completely
> rebuilt system: Install OS (Ubuntu 14.04.2 LTS) including reformat of
> all drives, selected tomca
"I'm not sure how (or even if) you can have Java attempt to connect
with SSLv3 and then re-try with TLS."
I think it is possible, have a look on JSSE Reference Guide for
sun.security.ssl.allowUnsafeRenegotiation and
sun.security.ssl.allowLegacyHelloMessages, they're explaining how to
catch the SSL
OK,
When do you plan to release the next version ?
Thanks.
Didier.
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, 26 February 2015 12:05
To: Tomcat Users List
Subject: Re: request.getServletContext.getContext("/") : return null with tomcat 7.0.59
On 26/02/
Mark,
On 2/26/15 11:26 AM, Mark Shifman wrote:
> This is truly embarrassing since I have the manager running fine
> on tomcat 7.
>
> http://localhost:8080/manager/status returns 127.0.0.1 - -
> [26/Feb/2015:10:47:11 -0500] "GET /manager/status HTTP
Deepak,
On 2/25/15 1:49 AM, dku...@ccilindia.co.in wrote:
>> Perhaps you disabled SSLv3 and a client is trying to connect
>> using SSLv3?
>
> We agree with your above statement. We have disabled SSLv3 on
> Tomcat server and our client is an exe whi
On 02/26/2015 11:26 AM, Mark Shifman wrote:
This is truly embarrassing since I have the manager running fine on tomcat 7.
http://localhost:8080/manager/status
Thank You all who responded;
Did not want to waste your time, hence delayed response.
To make sure no customization has been made on my end I have completely
rebuilt system: Install OS (Ubuntu 14.04.2 LTS) including reformat of
all drives, selected tomcat7 and ssh server during install when asked.
This is truly embarrassing since I have the manager running fine on tomcat 7.
http://localhost:8080/manager/status
returns
127.0.0.1 - - [26/Feb/2015:10:47:11 -0500] "GET /manager/status HTTP/1.1" 404
1022
http://localhost:8080/manager/html
returns
127.0.0.1 - - [26/Feb/2015:11:00:40 -0500] "G
Good post Christopher ;)
It makes me remember this doc which is not bad for securing Tomcat :
https://www.owasp.org/index.php/Securing_tomcat
But it lacks some important information on Windows rights which could
be more restricted (I'll try to post something about it one day). And
others like :
Aurélien,
On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
> I agree with Leon.
As do I. Apache httpd can change the attack surface somewhat, but if
requests can still come from an untrusted remote client through to the
application server, then you s
Stephen,
On 2/25/15 3:23 PM, Owens, Stephen (ITD) wrote:
> For tomcat 8 using log4j and apache commons logging, what would be
> the correct values to specify in setenv.sh for:
>
> LOGGING_MANAGER LOGGING_CONFIG
>
> For a tomcat-7.0.26 installatio
Jan,
On 2/25/15 5:13 PM, Jan Tosovsky wrote:
> there are plenty resources mentioning it is a must to run tomcat as
> a dedicated user with limited permissions.
>
> Is it still true when tomcat doesn't run standalone, but via Apache
> web server con
On 26/02/2015 10:19, KAZMIERCZAK Didier wrote:
> Hi,
>
> We've a problem with the 7.0.59 release:
> request.getServletContext.getContext("/") now returns null.
Known issue. Already fixed in 7.0.x for the next release.
> It seems that the root cause is
> http://issues.apache.org/bugzilla/show_
I agree with Leon. That said, a service account with low privileges
only gives filesystem protection; interesting data is usually stored
in the database and you won't be more protected against SQL injections
or even against a modified jsp stored by the hacker (like in some old
STRUTS vulnerabiliti
Hi,
We've a problem with the 7.0.59 release:
request.getServletContext.getContext("/") now returns null.
It was not the case with the 7.0.57 release.
How to test:
1/ File "test.jsp" with:
Hello World!
<%
ServletContext contexte = request.getServletContext().getContext("/");
St