===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0726
  Apache Tomcat Information disclosure and availability vulnerabilities
                               14 July 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apache Tomcat
Publisher:        The Apache Software Foundation
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Denial of Service   -- Remote with User Interaction
                  Unauthorised Access -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-2526  

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2011-2526: Apache Tomcat Information disclosure and availability
               vulnerabilities

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.18
Tomcat 6.0.0 to 6.0.32
Tomcat 5.5.0 to 5.0.33
Previous, unsupported versions may be affected
Additionally, these vulnerabilities only occur when all of the following
are true:
a) untrusted web applications are being used
b) the SecurityManager is used to limit the untrusted web applications
c) the HTTP NIO or HTTP APR connector is used
d) sendfile is enabled for the connector (this is the default)

Description:
Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
connectors. sendfile is used automatically for content served via the
DefaultServlet and deployed web applications may use it directly via
setting request attributes. These request attributes were not validated.
When running under a security manager, this lack of validation allowed a
malicious web application to do one or more of the following that would
normally be prevented by a security manager:
a) return files to users that the security manager should make inaccessible
b) terminate (via a crash) the JVM

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by
taking any of the following actions:
a) undeploy untrusted web applications
b) switch to the HTTP BIO connector (which does not support sendfile)
c) disable sendfile by setting useSendfile="false" on the connector
d) apply the patch(es) listed on the Tomcat security pages (see references)
e) upgrade to a version where the vulnerabilities have been fixed
   Tomcat 7.0.x users may upgrade to 7.0.19 or later once released
   Tomcat 6.0.x users may upgrade to 6.0.33 or later once released
   Tomcat 5.5.x users may upgrade to 5.5.34 or later once released
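The following server.xml Connector fragments are an added illustration of mitigations (b) and (c), not part of the Apache advisory: the default sendfile-enabled NIO connector is shown beside the two mitigated forms. Port, connectionTimeout and redirectPort values are assumptions.

```xml
<!-- Added example, not from the advisory. Port, connectionTimeout and
     redirectPort values are assumptions; adjust to the local deployment. -->

<!-- Affected configuration: HTTP NIO connector with sendfile enabled.
     Omitting useSendfile leaves it at its default of "true". -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Mitigation (c): same NIO connector with sendfile explicitly disabled,
     so the org.apache.tomcat.sendfile.* request attributes set by a web
     application are never acted on by this connector. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           useSendfile="false"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Mitigation (b): HTTP BIO connector, which does not support sendfile
     at all. The same protocol value replaces Http11AprProtocol if the
     APR connector is in use. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000"
           redirectPort="8443" />
```

The setting is per connector, so every HTTP NIO or APR Connector element in server.xml needs useSendfile="false" (or the BIO protocol) for the mitigation to be complete.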

Example:
Exposing the first 1000 bytes of /etc/passwd (request is the
HttpServletRequest being handled by the malicious web application):
request.setAttribute(
        "org.apache.tomcat.sendfile.filename", "/etc/passwd");
request.setAttribute(
        "org.apache.tomcat.sendfile.start", Long.valueOf(0));
request.setAttribute(
        "org.apache.tomcat.sendfile.end", Long.valueOf(1000));
Specifying an end point after the end of the file will trigger a JVM
crash with the HTTP APR connector and an infinite loop with the HTTP NIO
connector.

Credit:
These issues were identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================