ESB-2018.0542 - [Win][UNIX/Linux] Apache Tomcat: Unauthorised access - Remote/unauthenticated 2018-02-23

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0542
             Multiple vulnerabilities patched in Apache Tomcat
                             23 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Tomcat
Publisher:         Apache
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1304 CVE-2018-1305 

Original Bulletin: 
   http://tomcat.apache.org/security-9.html
   http://tomcat.apache.org/security-8.html
   http://tomcat.apache.org/security-7.html

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2018-1304 Security constraints mapped to context root are ignored

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.4
Apache Tomcat 8.5.0 to 8.5.27
Apache Tomcat 8.0.0.RC1 to 8.0.49
Apache Tomcat 7.0.0 to 7.0.84

Description:
The URL pattern of "" (the empty string) which exactly maps to the
context root was not correctly handled when used as part of a security
constraint definition. This caused the constraint to be ignored. It was,
therefore, possible for unauthorised users to gain access to web
application resources that should have been protected. Only security
constraints with a URL pattern of the empty string were affected.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Review security constraints and confirm none use a URL pattern of ""
  (the empty string)
- - Upgrade to Apache Tomcat 9.0.5 or later
- - Upgrade to Apache Tomcat 8.5.28 or later
- - Upgrade to Apache Tomcat 8.0.50 or later
- - Upgrade to Apache Tomcat 7.0.85 or later
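
The first mitigation above is a descriptor review. The following Python script is an added example (it is not part of the Apache advisory or the AusCERT bulletin) that audits a web.xml for any <security-constraint> whose <url-pattern> is the empty string; the sample descriptor embedded in it is constructed, and the function and file names are the example's own.

```python
"""Audit a Tomcat web.xml for CVE-2018-1304 (added example, not from the
advisory): report every <security-constraint> that uses a <url-pattern>
of "" (the empty string), which affected Tomcat versions silently ignore."""
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace: '{uri}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def find_empty_pattern_constraints(web_xml):
    """Return [(display-name, [role-names])] for each constraint mapping "".
    Whitespace-only text counts as empty because pretty-printers turn
    <url-pattern></url-pattern> into indentation. Only "" is affected."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name, roles, empty = "", [], False
        for el in sc.iter():
            tag, text = _local(el.tag), (el.text or "").strip()
            if tag == "display-name" and not name:
                name = text
            elif tag == "role-name":
                roles.append(text)
            elif tag == "url-pattern" and text == "":
                empty = True
        if empty:
            findings.append((name, roles))
    return findings

# Constructed sample: the first constraint is affected, the second is not.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <display-name>Protect context root</display-name>
    <web-resource-collection><web-resource-name>root</web-resource-name>
      <url-pattern></url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Protect admin area</display-name>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for name, roles in find_empty_pattern_constraints(SAMPLE_WEB_XML):
        print(f'CVE-2018-1304: constraint "{name}" (roles {roles}) maps url-pattern ""')
```

Run it against each deployed application's WEB-INF/web.xml; any finding means that constraint is not enforced on an affected version until the upgrade is applied.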

Credit:
This issue was reported publicly as bug 62067 and the security
implications identified by the Apache Tomcat Security Team.

History:
2018-02-23 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html


- --------------------------------------------------------------------------------


CVE-2018-1305 Security constraint annotations applied too late

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.4
Apache Tomcat 8.5.0 to 8.5.27
Apache Tomcat 8.0.0.RC1 to 8.0.49
Apache Tomcat 7.0.0 to 7.0.84

Description:
Security constraints defined by annotations of Servlets were only
applied once a Servlet had been loaded. Because security constraints
defined in this way apply to the URL pattern and any URLs below that
point, it was possible - depending on the order Servlets were loaded -
for some security constraints not to be applied. This could have exposed
resources to users who were not authorised to access them.

Mitigation:
Users of the affected versions should apply one of the following
mitigations. Upgrade to:
- - Apache Tomcat 9.0.5 or later
- - Apache Tomcat 8.5.28 or later
- - Apache Tomcat 8.0.50 or later
- - Apache Tomcat 7.0.85 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

History:
2018-02-23 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================