Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1041.2
Security Vulnerabilities in Solaris Bundled Tomcat May Lead to Unauthorized
Access to Data or Denial of Service (DoS)
12 October 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Solaris Bundled Tomcat
Publisher: Sun Microsystems
Operating System: Solaris
OpenSolaris
Impact/Access: Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Unauthorised Access -- Remote/Unauthenticated
Modify Arbitrary Files -- Existing Account
CVE Names: CVE-2009-0783 CVE-2009-0781 CVE-2009-0580
CVE-2009-0033 CVE-2008-5515
Reference: ESB-2009.0559
ESB-2009.0530
ESB-2009.0211
Original Bulletin:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263529-1
Revision History: October 12 2009: Updated Contributing Factors and Resolution
sections. Now Resolved.
July 13 2009: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Solution Type Sun Alert
Solution 263529 : Security Vulnerabilities in Solaris Bundled Tomcat May
Lead to Unauthorized Access to Data or Denial of Service (DoS)
Bug ID
6849727, 6848375
Product
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris
Date of Preliminary Release
09-Jul-2009
Date of Resolved Release
09-Oct-2009
SA Document Body
Security Vulnerabilities in Solaris Bundled Tomcat .. (see below)
1. Impact
There are five security vulnerabilities in the Tomcat JSP/Servlet container
that affect Tomcat 5.5 bundled in Solaris 9 and Solaris 10 and Tomcat 6
bundled in OpenSolaris.
The first vulnerability, Directory Traversal issue (CVE-2008-5515), may allow a
remote unprivileged user who provides a specially crafted request to a servlet
which is using a RequestDispatcher object to bypass access control and gain
access to unauthorized data.
The second security vulnerability is Denial of Service (CVE-2009-0033). A
remote unprivileged user who provides specially crafted requests to Tomcat via
the AJP (Apache JServ Protocol) connector when it's being used with Apache
mod_jk load balancing, may cause Denial of Service (DoS) to this Tomcat
service.
The third vulnerability, bypassing access control (CVE-2009-0580), may allow a
remote unprivileged user who provides a specially crafted URL to bypass access
control and gain access to unauthorized data when FORM based authentication is
used with the MemoryRealm, the DataSourceRealm or JDBCRealm.
The fourth vulnerability, Cross Site Scripting (CVE-2009-0781), may allow a
remote unprivileged user who provides a specially crafted HTTP request to the
Tomcat example JSP application Calendar to inject arbitrary web script and thus
gain access to unauthorized data.
The fifth vulnerability, bypassing access control (CVE-2009-0783), may allow a
user who has been granted permission to provide web applications which are
served by the Tomcat instance, to view and modify content of other installed
web applications by providing a crafted application.
Additional information regarding these issues is available at:
* Apache Tomcat 5.x vulnerabilities: http://tomcat.apache.org/security-5.html
* Apache Tomcat 6.x vulnerabilities: http://tomcat.apache.org/security-6.html
* CVE-2008-5515 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
* CVE-2009-0033 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
* CVE-2009-0580 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
* CVE-2009-0781 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
* CVE-2009-0783 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
* Solaris 9 without patch 114016-05
* Solaris 10 without patch 122911-17
* OpenSolaris based upon builds snv_01 through snv_117
x86 Platform
* Solaris 9 without patch 114017-05
* Solaris 10 without patch 122912-17
* OpenSolaris based upon builds snv_01 through snv_117
Note 1: OpenSolaris distributions may include additional bug fixes above
and beyond the build from which it was derived. To determine the base
build of OpenSolaris, the following command can be used:
$ uname -v
snv_111
Note 2: A system is only vulnerable to these issues if Tomcat has been
configured and is running on the system.
To determine if Tomcat 5.5 is installed on Solaris 10 or Solaris 9, a
command such as the following can be used:
$ pkginfo SUNWtcatr
system SUNWtcatr Tomcat Servlet/JSP Container (root)
Tomcat 5.5 can be configured to start in various different ways. For
assistance in determining if Tomcat is configured to run on the system,
consult the documentation which is usually available in the
"/var/apache/tomcat/webapps/tomcat-docs" directory.
To determine if Tomcat 6 is running on OpenSolaris, a command such as
the following can be used:
$ svcs tomcat6
STATE STIME FMRI
online Jun_23 svc:/network/http:tomcat6
Note 3: A system is only vulnerable to the first issue (CVE-2008-5515),
when servlet containers are making use of a RequestDispatcher object.
To determine if such a servlet is installed, search the directory where the
web applications are installed for the use of this object.
For Tomcat 5.5 on Solaris 10 and Solaris 9 a command such as the following can
be used:
$ find /var/apache/tomcat55/webapps -exec grep RequestDispatcher {} \; -print
getServletConfig().getServletContext().getRequestDispatcher("/jsptoserv/hello.jsp").forward(request, response);
/var/apache/tomcat55/webapps/jsp-examples/WEB-INF/classes/servletToJsp.java
For Tomcat 6 on OpenSolaris a command such as the following can be used::
$ find /var/tomcat6/webapps -exec grep RequestDispatcher {} \; -print
getServletConfig().getServletContext().getRequestDispatcher("/jsp/jsptoserv/hello.jsp").forward(request, response);
/var/tomcat6/webapps/examples/WEB-INF/classes/servletToJsp.java
Note 4: A system is only vulnerable to the second issue (CVE-2009-0033)
when Apache web server mod_jk load balancing is used. To determine if
the mod_jk load balancing is used, a command such as the following can
be run to search Jk worker file (JkWorkersFile is defined in the Apache
web server configuration files) for balance_workers property.
$ grep balance_workers /etc/apache/workers.properties
worker.balancer.balance_workers=farm1,farm2
Note 5: Solaris 10 and 9 users of Tomcat 4.0 might be also vulnerable to these
issues and they should read Sun Alert ID 239312.
Note 6: Solaris 8 does not include support for Tomcat and so it is not impacted
by these issues.
3. Symptoms
There are no predictable symptoms that would indicate that these issues have
been exploited.
4. Workaround
There is no workaround for these issues please see Resolution below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 9 with patch 114016-05 or later
* Solaris 10 with patch 122911-17 or later
* OpenSolaris based upon builds snv_118 or later
x86 Platform
* Solaris 9 with patch 114017-05 or later
* Solaris 10 with patch 122912-17 or later
* OpenSolaris based upon builds snv_118 or later
For more information on Security Sun Alerts, see Technical Instruction ID
213557 http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1
This Sun Alert notification is being provided to you on an "AS IS" basis. This
Sun Alert notification may contain information provided by third parties. The
issues described in this Sun Alert notification may or may not impact your
system(s). Sun makes no representations, warranties, or guarantees as to the
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert
notification contains Sun proprietary and confidential information. It is being
provided to you pursuant to the provisions of your agreement to purchase
services from Sun, or, if you do not have such an agreement, the Sun.com Terms
of Use. This Sun Alert notification may only be used for the purposes
contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.
Modification History
14-Jul-2009: Added Date of Preliminary Release.
09-Oct-2009: Updated Contributing Factors and Resolution sections. Now Resolved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFK0oRtNVH5XJJInbgRAqG3AJ0Ta61FlUQyROn+2y3j97r3ebowDACeNe4E
Z3+FOr4evGk6V4/hbY4CNIY=
=Orw4
-----END PGP SIGNATURE-----