ESB-2010.0395 - [Win][UNIX/Linux] Apache Tomcat: Access confidential data - Remote/unauthenticated

Date: 23 April 2010
References: ESB-2010.0672  ASB-2012.0008  ESB-2013.0466  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0395
           A vulnerability has been identified in Apache Tomcat
                               23 April 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apache Tomcat 6.0.0 to 6.0.26
                  Apache Tomcat 5.5.0 to 5.5.29
Publisher:        Apache
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Access Confidential Data -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2010-1157  

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-1157: Apache Tomcat information disclosure vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 6.0.0 to 6.0.26
- Tomcat 5.5.0 to 5.5.29
Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
The "WWW-Authenticate" header for BASIC and DIGEST authentication
includes a realm name. If a <realm-name> element is specified for the
application in web.xml, it will be used. However, if a <realm-name> is not
specified, Tomcat will generate one using the code snippet:
request.getServerName() + ":" + request.getServerPort()
In some circumstances this can expose the local hostname or IP address
of the machine running Tomcat.

Example:
GET /application/j_security_check HTTP/1.0


HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="tomcat01:8080"
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Thu, 31 Dec 2009 12:18:11 GMT
Connection: close

Mitigation:
Administrators of web applications that use BASIC or DIGEST
authentication are recommended to set an appropriate realm name in the
web application's web.xml file.
Alternatively, the following patches may be used to change the default
realm to "Authentication required" (without the quotes):
- Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
- Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541
These patches will be included in the next releases of Tomcat 5.5.x and
Tomcat 6.0.x. No release date has been set for the next Tomcat 5.5.x and
Tomcat 6.0.x releases.
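To audit your own Tomcat instances for the behaviour described above, a small added check (not part of the Apache advisory or of Tomcat) that parses a raw 401 response, pulls the realm out of a Basic or Digest WWW-Authenticate challenge, and flags realms shaped like the auto-generated host:port value; the sample responses are constructed, and the default-realm pattern is an assumption derived from the request.getServerName() + ":" + request.getServerPort() snippet quoted in the description.

```python
import re

# Shape of Tomcat's default realm, request.getServerName() + ":" +
# request.getServerPort(): a hostname or IPv4 literal, a colon, a port.
# Assumed pattern, derived from the advisory's code snippet.
_DEFAULT_REALM = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)*"
    r"|\d{1,3}(?:\.\d{1,3}){3}):\d{1,5}$"
)

def extract_realm(raw_response):
    """Return (scheme, realm) from the first Basic/Digest WWW-Authenticate
    header in a raw HTTP response, or None when there is no such challenge."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        m = re.match(r"\s*(Basic|Digest)\s+(.*)", value, re.I)
        if m:
            r = re.search(r'realm="([^"]*)"', m.group(2), re.I)
            if r:
                return m.group(1).capitalize(), r.group(1)
    return None

def leaks_default_realm(raw_response):
    """True when the realm looks like the auto-generated host:port value,
    i.e. the web.xml <realm-name> (or the patch) has not been applied."""
    found = extract_realm(raw_response)
    return found is not None and _DEFAULT_REALM.match(found[1]) is not None

# Constructed sample responses (not captured from a real server).
UNPATCHED = ("HTTP/1.1 401 Unauthorized\r\nServer: Apache-Coyote/1.1\r\n"
             'WWW-Authenticate: Basic realm="tomcat01:8080"\r\n\r\n')
UNPATCHED_IP = ("HTTP/1.1 401 Unauthorized\r\n"
                'WWW-Authenticate: Digest realm="10.0.0.5:8443", '
                'nonce="abc123", qop="auth"\r\n\r\n')
PATCHED = ("HTTP/1.1 401 Unauthorized\r\n"
           'WWW-Authenticate: Basic realm="Authentication required"\r\n\r\n')
CUSTOM = ("HTTP/1.1 401 Unauthorized\r\n"
          'WWW-Authenticate: Digest realm="Intranet", nonce="abc123"\r\n\r\n')
NO_AUTH = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in [("unpatched", UNPATCHED), ("unpatched-ip", UNPATCHED_IP),
                        ("patched", PATCHED), ("custom", CUSTOM), ("no-auth", NO_AUTH)]:
        print(label, extract_realm(resp), "LEAK" if leaks_default_realm(resp) else "ok")
```

A realm that merely contains a colon is not by itself proof of this issue; the pattern only flags values that look like a bare host or IP followed by a port, so review any hit against the application's web.xml.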

Credit:
This issue was discovered by Deniz Cevik.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFL0Nlu/iFOrG6YcBERAvOBAJ9T7GP6rBVY/BA/nwXMhwjyK9NS6wCfYONY
wJ4wf4W/5NgvKWiFbQ5NXFg=
=7kH5
-----END PGP SIGNATURE-----