CVE-2014-0096
XML External Entity (XXE) vulnerability in org.apache.tomcat:tomcat
What is CVE-2014-0096 About?
This vulnerability is an XML External Entity (XXE) issue in Apache Tomcat's DefaultServlet. It allows remote attackers to bypass security-manager restrictions and read arbitrary files using crafted XSLT stylesheets. Exploitation is complex, requiring specific conditions regarding XML processing.
Affected Software
- org.apache.tomcat:tomcat
  - >8.0.0, <8.0.6
  - <6.0.40
  - >7.0.0, <7.0.54
- org.apache.tomcat:tomcat-catalina
  - >8.0.0, <8.0.6
  - <6.0.40
  - >7.0.0, <7.0.54
Technical Details
The `java/org/apache/catalina/servlets/DefaultServlet.java` in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets. This allows an attacker to craft a web application that includes an XML external entity declaration in conjunction with an entity reference within an XSLT stylesheet. When the vulnerable Tomcat instance processes this crafted XML, it resolves the external entity, allowing the attacker to read arbitrary files from the server's file system, thereby bypassing security-manager restrictions that would typically prevent such access. This is a classic XXE attack.
What is the Impact of CVE-2014-0096?
Successful exploitation may allow attackers to read arbitrary files from the server's file system, potentially leading to disclosure of sensitive configuration files, database credentials, or other confidential information.
What is the Exploitability of CVE-2014-0096?
Exploitation is of high complexity, requiring the ability to deploy a crafted web application or inject malicious XML into a server that uses the vulnerable DefaultServlet. It is a remote vulnerability. Authentication would likely be required to deploy a new web application, or specific application features might allow unauthenticated XML submission. The primary prerequisite is that the Tomcat instance is configured to process XSLT stylesheets in a manner that resolves external entities, and a security manager might be in place but is bypassed by this specific vulnerability. Risk increases if untrusted web applications are frequently deployed or if XML input is not robustly validated.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-0096?
Available Upgrade Options
- org.apache.tomcat:tomcat
  - <6.0.40 → Upgrade to 6.0.40
  - >7.0.0, <7.0.54 → Upgrade to 7.0.54
  - >8.0.0, <8.0.6 → Upgrade to 8.0.6
- org.apache.tomcat:tomcat-catalina
  - <6.0.40 → Upgrade to 6.0.40
  - >7.0.0, <7.0.54 → Upgrade to 7.0.54
  - >8.0.0, <8.0.6 → Upgrade to 8.0.6
Additional Resources
- http://svn.apache.org/viewvc?view=revision&revision=1585853
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
- https://osv.dev/vulnerability/GHSA-qprx-q2r7-3rx6
- http://secunia.com/advisories/59616
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
- http://www.debian.org/security/2016/dsa-3552
- http://svn.apache.org/viewvc?view=revision&revision=1578637
- http://secunia.com/advisories/59678
- http://secunia.com/advisories/59835
- http://secunia.com/advisories/60729
What are Similar Vulnerabilities to CVE-2014-0096?
Similar Vulnerabilities: CVE-2013-0975, CVE-2014-0050, CVE-2017-12616, CVE-2019-12411, CVE-2020-1938
