Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1041.2 Security Vulnerabilities in Solaris Bundled Tomcat May Lead to Unauthorized Access to Data or Denial of Service (DoS) 12 October 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Solaris Bundled Tomcat Publisher: Sun Microsystems Operating System: Solaris OpenSolaris Impact/Access: Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Unauthorised Access -- Remote/Unauthenticated Modify Arbitrary Files -- Existing Account CVE Names: CVE-2009-0783 CVE-2009-0781 CVE-2009-0580 CVE-2009-0033 CVE-2008-5515 Reference: ESB-2009.0559 ESB-2009.0530 ESB-2009.0211 Original Bulletin: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263529-1 Revision History: October 12 2009: Updated Contributing Factors and Resolution sections. Now Resolved. July 13 2009: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Solution Type Sun Alert Solution 263529 : Security Vulnerabilities in Solaris Bundled Tomcat May Lead to Unauthorized Access to Data or Denial of Service (DoS) Bug ID 6849727, 6848375 Product Solaris 9 Operating System Solaris 10 Operating System OpenSolaris Date of Preliminary Release 09-Jul-2009 Date of Resolved Release 09-Oct-2009 SA Document Body Security Vulnerabilities in Solaris Bundled Tomcat .. (see below) 1. Impact There are five security vulnerabilities in the Tomcat JSP/Servlet container that affect Tomcat 5.5 bundled in Solaris 9 and Solaris 10 and Tomcat 6 bundled in OpenSolaris. The first vulnerability, Directory Traversal issue (CVE-2008-5515), may allow a remote unprivileged user who provides a specially crafted request to a servlet which is using a RequestDispatcher object to bypass access control and gain access to unauthorized data. The second security vulnerability is Denial of Service (CVE-2009-0033). A remote unprivileged user who provides specially crafted requests to Tomcat via the AJP (Apache JServ Protocol) connector when it's being used with Apache mod_jk load balancing, may cause Denial of Service (DoS) to this Tomcat service. The third vulnerability, bypassing access control (CVE-2009-0580), may allow a remote unprivileged user who provides a specially crafted URL to bypass access control and gain access to unauthorized data when FORM based authentication is used with the MemoryRealm, the DataSourceRealm or JDBCRealm. The fourth vulnerability, Cross Site Scripting (CVE-2009-0781), may allow a remote unprivileged user who provides a specially crafted HTTP request to the Tomcat example JSP application Calendar to inject arbitrary web script and thus gain access to unauthorized data. The fifth vulnerability, bypassing access control (CVE-2009-0783), may allow a user who has been granted permission to provide web applications which are served by the Tomcat instance, to view and modify content of other installed web applications by providing a crafted application. Additional information regarding these issues is available at: * Apache Tomcat 5.x vulnerabilities: http://tomcat.apache.org/security-5.html * Apache Tomcat 6.x vulnerabilities: http://tomcat.apache.org/security-6.html * CVE-2008-5515 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515 * CVE-2009-0033 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033 * CVE-2009-0580 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580 * CVE-2009-0781 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781 * CVE-2009-0783 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783 2. Contributing Factors These issues can occur in the following releases: SPARC Platform * Solaris 9 without patch 114016-05 * Solaris 10 without patch 122911-17 * OpenSolaris based upon builds snv_01 through snv_117 x86 Platform * Solaris 9 without patch 114017-05 * Solaris 10 without patch 122912-17 * OpenSolaris based upon builds snv_01 through snv_117 Note 1: OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of OpenSolaris, the following command can be used: $ uname -v snv_111 Note 2: A system is only vulnerable to these issues if Tomcat has been configured and is running on the system. To determine if Tomcat 5.5 is installed on Solaris 10 or Solaris 9, a command such as the following can be used: $ pkginfo SUNWtcatr system SUNWtcatr Tomcat Servlet/JSP Container (root) Tomcat 5.5 can be configured to start in various different ways. For assistance in determining if Tomcat is configured to run on the system, consult the documentation which is usually available in the "/var/apache/tomcat/webapps/tomcat-docs" directory. To determine if Tomcat 6 is running on OpenSolaris, a command such as the following can be used: $ svcs tomcat6 STATE STIME FMRI online Jun_23 svc:/network/http:tomcat6 Note 3: A system is only vulnerable to the first issue (CVE-2008-5515), when servlet containers are making use of a RequestDispatcher object. To determine if such a servlet is installed, search the directory where the web applications are installed for the use of this object. For Tomcat 5.5 on Solaris 10 and Solaris 9 a command such as the following can be used: $ find /var/apache/tomcat55/webapps -exec grep RequestDispatcher {} \; -print getServletConfig().getServletContext().getRequestDispatcher("/jsptoserv/hello.jsp").forward(request, response); /var/apache/tomcat55/webapps/jsp-examples/WEB-INF/classes/servletToJsp.java For Tomcat 6 on OpenSolaris a command such as the following can be used:: $ find /var/tomcat6/webapps -exec grep RequestDispatcher {} \; -print getServletConfig().getServletContext().getRequestDispatcher("/jsp/jsptoserv/hello.jsp").forward(request, response); /var/tomcat6/webapps/examples/WEB-INF/classes/servletToJsp.java Note 4: A system is only vulnerable to the second issue (CVE-2009-0033) when Apache web server mod_jk load balancing is used. To determine if the mod_jk load balancing is used, a command such as the following can be run to search Jk worker file (JkWorkersFile is defined in the Apache web server configuration files) for balance_workers property. $ grep balance_workers /etc/apache/workers.properties worker.balancer.balance_workers=farm1,farm2 Note 5: Solaris 10 and 9 users of Tomcat 4.0 might be also vulnerable to these issues and they should read Sun Alert ID 239312. Note 6: Solaris 8 does not include support for Tomcat and so it is not impacted by these issues. 3. Symptoms There are no predictable symptoms that would indicate that these issues have been exploited. 4. Workaround There is no workaround for these issues please see Resolution below. 5. Resolution This issue is addressed in the following releases: SPARC Platform * Solaris 9 with patch 114016-05 or later * Solaris 10 with patch 122911-17 or later * OpenSolaris based upon builds snv_118 or later x86 Platform * Solaris 9 with patch 114017-05 or later * Solaris 10 with patch 122912-17 or later * OpenSolaris based upon builds snv_118 or later For more information on Security Sun Alerts, see Technical Instruction ID 213557 http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1 This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. Modification History 14-Jul-2009: Added Date of Preliminary Release. 09-Oct-2009: Updated Contributing Factors and Resolution sections. Now Resolved. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFK0oRtNVH5XJJInbgRAqG3AJ0Ta61FlUQyROn+2y3j97r3ebowDACeNe4E Z3+FOr4evGk6V4/hbY4CNIY= =Orw4 -----END PGP SIGNATURE-----