<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>announce@tomcat.apache.org Archives</title>
<link rel="self" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/?format=atom"/>
<link href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/"/>
<id>http://mail-archives.apache.org/mod_mbox/tomcat-announce/</id>
<updated>2009-12-09T22:28:43Z</updated>
<entry>
<title>[SECURITY] CVE-2009-3555 SSL Man-In-The-Middle attack - Status update</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200911.mbox/%3c4B06F7F5.3050209@apache.org%3e"/>
<id>urn:uuid:%3c4B06F7F5-3050209@apache-org%3e</id>
<updated>2009-11-20T20:11:33Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Overview
========

The purpose of this update is to provide information on the current
understanding so users are better informed when making decisions
regarding risk mitigation for this issue in their environment.

Work on the root cause is progressing but is still in a state of flux.
Discussion is focussed on workarounds that could be applied that would
allow server initiated renegotiation without exposing the participants
to the vulnerability described in CVE-2009-3555.


BIO Connector
=============

The HTTP BIO connector that ships with 6.0.20 and 5.5.28 supports client
and server initiated negotiation and is vulnerable to CVE-2009-3555.

A patch [1],[2] has been applied to trunk, 6.0.x and 5.5.x that provides
an option to disable renegotiation. This patch has an issue in that it
uses an asynchronous callback to close the connection when a handshake
is detected. It is theoretically possible for an attack to complete
before the connection is closed. When negotiation is disabled, both
server and client initiated attempts to renegotiate are logged.

An updated patch [3] has been applied to trunk and proposed for 6.0.x
and 5.5.x that resolves the asynchronous concerns but only logs server
initiated renegotiation.

Users of 6.0.20, 5.5.28 and earlier versions can apply either of the
patches. It will be necessary to build Tomcat from source to use these
patches.

Testing with both these patches has shown that using the connector
attributes clientAuth="want" and allowUnsafeLegacyRenegotiation="false"
provides a similar user experience during negotiation to
clientAuth="false" and allowUnsafeLegacyRenegotiation="true" although
this may vary by application.

It is anticipated that 6.0.21 and 5.5.29 releases will be made once the
situation stabilises and the Tomcat development team is confident that
further changes will not be required.

[1]http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc6.patch
[2]http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc5.patch
[3]http://svn.apache.org/viewvc?rev=882320&amp;view=rev

NIO Connector
=============

The HTTP NIO connector that ships with 6.0.20 does not support client or
server initiated renegotiation and is therefore not vulnerable to
CVE-2009-3555.

As and when negotiation support is added to the NIO connector, it will
support the allowUnsafeLegacyRenegotiation connector attribute and
behave in a similar manner to the HTTP BIO connector.


APR / native Connector
======================

Behaviour of the APR/native connector depends on the version of the
APR/native connector and on the version of OpenSSL that the connector is
built with. Versions prior to APR/native 1.1.16 are not discussed.

The windows binaries available from the ASF have been built with the
following OpenSSL versions:

APR/native  OpenSSL
1.1.16      0.9.8i
1.1.17      0.9.8l
1.1.18      TBD - not yet released

Any version of the APR/native connector built with OpenSSL 0.9.8l will
not support client or server initiated negotiation and will, therefore,
not be vulnerable to CVE-2009-3555.

Client initiated negotiation is supported in 1.1.16 and 1.1.17. These
versions are, therefore, vulnerable to CVE-2009-3555 unless built with
OpenSSL 0.9.8l.

Client initiated negotiation has been disabled in 1.1.18. Therefore,
this version is not vulnerable to CVE-2009-3555 via client initiated
renegotiation although it may still be vulnerable via server initiated
renegotiation.

Server initiated renegotiation is supported in 1.1.17 onwards.
Therefore, 1.1.17 onwards is vulnerable to CVE-2009-3555 via server
initiated renegotiation unless the APR/native connector is built with
OpenSSL 0.9.8l.


Questions / comments
====================

Any questions or comments should be directed to the Tomcat users mailing
list in the first instance.




</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] CVE-2009-3555 SSL Man-In-The-Middle attack</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200911.mbox/%3c4AF846BB.7020102@apache.org%3e"/>
<id>urn:uuid:%3c4AF846BB-7020102@apache-org%3e</id>
<updated>2009-11-09T16:43:39Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

A vulnerability in the TLS protocol has recently been made public [1]
that allows an attacker to inject arbitrary requests into a TLS stream.

The current understanding of the Tomcat developers is as follows:

BIO &amp; NIO connectors using JSSE
These connectors are vulnerable when renegotiation is triggered by the
client or the server.
Server initiated re-negotiation can be limited by configuration
Server initiated re-negotiation could be prevented by a code change
Client initiated re-negotiation can not currently be prevented

APR/Native connector using OpenSSL
Vulnerable when renegotiation is triggered by the client or the server.
Server initiated re-negotiation is not supported prior to 1.1.17
Client initiated re-negotiation is supported but can not be prevented

OpenSSL 0.9.8l disables all negotiation by default


In terms of what this means for users:

BIO/NIO
- - We haven't yet (we are still looking) found a way to stop client
  initiated renegotiation. It may be necessary to wait for the JVM
  vendors to respond.

APR/native
- - Re-building any version of the APR/native connector with OpenSSL
  0.9.8l will protect against this vulnerability but any configurations
  that require renegotiation will break.
- - Version 1.1.17 of the APR/native connector will be released shortly.
  The binary versions will be built with OpenSSL 0.9.8l which will
  protect against this vulnerability but configurations that require
  renegotiation will break.

Supporting renegotiation whilst avoiding the vulnerability requires a
protocol fix. The Tomcat development team is examining possible
work-arounds that may provide an interim solution. These options include
porting r833582 from httpd to the APR/native connector which would
disable client triggered renegotiation for OpenSSL &lt; 0.9.8l which may
help some users who can't easily change their OpenSSL version.

If you would like to join/follow the work-around discussions, please
join the Tomcat dev mailing list. Any significant developments in this
area will be posted to the Tomcat announce@ and users@ mailing lists.

Mark

[1] http://extendedsubset.com/?p=8
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJK+Ea6AAoJEBDAHFovYFnnjggP/RU6UpOmXDCzOG/neVmMI0RX
XMKMZdpph8TCdjOzOd1UdCGPK5q3U1CDvB7P96eYZ5R745YTT6Ct1hXETC++SAh2
Q6jRD2qNPXX7hA9JFallC6+PUjq+IaHknJQYGAFaHCEdvwocp8NYWxUSqg5yTc6U
toUclHntjEwXc6jpEeNwuU3An8WNf2rX5OV9IX17lS7mxtElfVVIM5o4PrkMV0Tn
5i3YpLXTzHIHZ3Wv6VOlsQy+X+JhM4GMWF+4wWgHzdUfQ3wCpUrmC/tOgsXp23j8
ITPqIcf5dsDsOEd9RAZRWoRPpgcJH3bypnmG65VpITRkjnvKq6GC1TcKXTdUBxER
0OwpAY2A/e6OzHpw68q0wn5deYKBEo+6DJ/rFmHCs4KYiw7WXpOQFsL5LXxuDfEr
7W79w1nEPAaXz6KGSGiEuPxyLtJafAP16ZtaITqzoI9Pn1bpl9iP/OK+2OTc/e+/
BF0vI0gh2ZD2AbktNZJLY8+i5FmF/jcJP6/SQLnFQl5AZQ6YhRNQl87bc4lEkZkm
IHIdJW28EbD/4V0Yex8MnAFIFEq/jyWe2LgUep0/j9LEkMKlFGpoNNgEQsA9E8ml
RR9adgTCESBN6cCCsn5CrYTlsTKyfxk/Db2inI7L/OM3zfQoCTQDFnxY1l13I+Dt
FiHrC9dgiTCEZL0fR69F
=xrMK
-----END PGP SIGNATURE-----




</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] CVE-2009-3548 Apache Tomcat Windows Installer insecure default administrative password</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200911.mbox/%3c4AF81EA7.5000407@apache.org%3e"/>
<id>urn:uuid:%3c4AF81EA7-5000407@apache-org%3e</id>
<updated>2009-11-09T13:52:39Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
CVE-2009-3548: Apache Tomcat Windows Installer insecure default
administrative password

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20

The unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may also be
affected.

Description:
The Windows installer defaults to a blank password for the
administrative user. If this is not changed during the install process,
then by default a user is created with the name admin, roles admin and
manager and a blank password.

Mitigation:
Users of all Tomcat versions may mitigate this issue by one of the
following methods:
- Using the .zip or .tar.gz distributions
- Specifying a strong password for the admin user when using the
  Windows installer
- Removing the admin user from the tomcat-users.xml file after the
  Windows installer has completed
- Editing the tomcat-users.xml file to provide the admin user with
  a strong password after the Windows installer has completed

A patch for this issue [1] has been applied to trunk and will be
included in the next releases of 6.0.x and 5.5.x

Credit:
This issue was reported directly [2] to the Tomcat users public mailing
list by David Horheim.
Security researchers are reminded that undisclosed vulnerabilities in
Apache Tomcat should, in the first instance, be reported to the private
security mailing list. [3]

References:
[1] http://svn.apache.org/viewvc?view=revision&amp;revision=834047
[2] http://markmail.org/thread/wfu4nff5chvkb6xp
[3] http://tomcat.apache.org/security.html

Mark Thomas




</pre>
</div>
</content>
</entry>
<entry>
<title>[Fwd: [ANN] Apache Tomcat 5.5.28 released]</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200909.mbox/%3c4AA0D2DD.10600@apache.org%3e"/>
<id>urn:uuid:%3c4AA0D2DD-10600@apache-org%3e</id>
<updated>2009-09-04T08:42:05Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
The Apache Tomcat team announces (a bit late) the immediate availability
of Apache Tomcat 5.5.28 stable.

Apache Tomcat 5.5.28 incorporates numerous security updates and bug fixes.
Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-55.cgi

Thank you,
The Tomcat Team





</pre>
</div>
</content>
</entry>
<entry>
<title>[ANN] Apache Tomcat 4.1.40 stable is now available</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A43F757.2000401@apache.org%3e"/>
<id>urn:uuid:%3c4A43F757-2000401@apache-org%3e</id>
<updated>2009-06-25T22:16:55Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat 4.1.40 stable. This build contains a small number of bug fixes
and two important and three low severity security fixes.

Please refer to the release notes for a complete list of changes.

Apache Tomcat 4 is an implementation of the Java Server Pages 1.2 and
Java Servlet 2.3 specifications.

Apache Tomcat 4.1.40 is very likely to be the last release of the 4.1.x
series. Users should be aware that if further security vulnerabilities
are reported in Apache Tomcat, the 4.1.x series will not be reviewed to
determine if the 4.1.x series is affected, neither will a further
release containing a security fix be made for the 4.1.x series. Users
still using the 4.1.x series are strongly encouraged to upgrade to the
latest stable release of the 6.0.x series, 6.0.20.

All Apache Tomcat releases will always be available from the Apache
archives.

Downloads: http://tomcat.apache.org/download-41.cgi

Security information: http://tomcat.apache.org/security-4.html

The Apache Tomcat Team


                     Cryptographic software notice
                     =============================

This distribution includes cryptographic software.  The country in
which you currently reside may have restrictions on the import,
possession, use, and/or re-export to another country, of
encryption software.  BEFORE using any encryption software, please
check your country's laws, regulations and policies concerning the
import, possession, or use, and re-export of encryption software, to
see if this is permitted.  See &lt;http://www.wassenaar.org/&gt; for more
information.

The U.S. Government Department of Commerce, Bureau of Industry and
Security (BIS), has classified this software as Export Commodity
Control Number (ECCN) 5D002.C.1, which includes information security
software using or performing cryptographic functions with asymmetric
algorithms.  The form and manner of this Apache Software Foundation
distribution makes it eligible for export under the License Exception
ENC Technology Software Unrestricted (TSU) exception (see the BIS
Export Administration Regulations, Section 740.13) for both object
code and source code.

The following provides more details on the included cryptographic
software:
  - Tomcat includes code designed to work with JSSE
  - Tomcat includes code designed to work with OpenSSL



</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] UPDATED CVE-2008-5515 RequestDispatcher directory traversal vulnerability</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A2F98CC.5080803@apache.org%3e"/>
<id>urn:uuid:%3c4A2F98CC-5080803@apache-org%3e</id>
<updated>2009-06-10T11:28:12Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated to add additional patches required for 5.5.x and 4.1.x

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
When using a RequestDispatcher obtained from the Request, the target
path was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it under the WEB-INF directory.

Mitigation:
6.0.x users should upgrade to 6.0.20 or apply this patch:
http://svn.apache.org/viewvc?view=rev&amp;revision=734734
5.5.x users should upgrade to 5.5.28 when released or apply these patches:
http://svn.apache.org/viewvc?view=rev&amp;revision=782757
http://svn.apache.org/viewvc?view=rev&amp;revision=783291
4.1.x users should upgrade to 4.1.40 when released or apply these patches:
http://svn.apache.org/viewvc?view=rev&amp;revision=782763
http://svn.apache.org/viewvc?view=rev&amp;revision=783292

Example:
For a page that contains:
&lt;%
request.getRequestDispatcher( "bar.jsp?somepar=someval&amp;par=" +
    request.getParameter( "blah" ) ).forward( request, response );
%&gt;

an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by Iida Minehiko, Fujitsu Limited

References:
http://tomcat.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkovmMwACgkQb7IeiTPGAkNPigCcDBEKxwuBoXnvixbqoqM8CIaN
VKYAni4kHySG2JmbYi1hz4xAGpgm36Gr
=7FT9
-----END PGP SIGNATURE-----



</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A2D8815.5010001@apache.org%3e"/>
<id>urn:uuid:%3c4A2D8815-5010001@apache-org%3e</id>
<updated>2009-06-08T21:52:21Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
When using a RequestDispatcher obtained from the Request, the target
path was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it under the WEB-INF directory.

Mitigation:
6.0.x users should upgrade to 6.0.20 or apply this patch:
http://svn.apache.org/viewvc?view=rev&amp;revision=734734
5.5.x users should upgrade to 5.5.28 when released or apply this patch:
http://svn.apache.org/viewvc?view=rev&amp;revision=782757
4.1.x users should upgrade to 4.1.40 when released or apply this patch:
http://svn.apache.org/viewvc?view=rev&amp;revision=782763

Example:
For a page that contains:
&lt;%
request.getRequestDispatcher( "bar.jsp?somepar=someval&amp;par=" +
    request.getParameter( "blah" ) ).forward( request, response );
%&gt;

an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by Iida Minehiko, Fujitsu Limited

References:
http://tomcat.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkotiBQACgkQb7IeiTPGAkMi6QCgnlzEt/7byUJo2YXGHMLj2ckH
rF8AoK8dmpZcxd5pV9VvEaPqm4xhXJPO
=bDV5
-----END PGP SIGNATURE-----



</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability with FORM authentication</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A28FDAD.50305@apache.org%3e"/>
<id>urn:uuid:%3c4A28FDAD-50305@apache-org%3e</id>
<updated>2009-06-05T11:12:45Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated to clarify affected versions as they vary for each affected Realm.

CVE-2009-0580: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
MemoryRealm:
 Tomcat 4.1.0 to 4.1.39
 Tomcat 5.5.0 to 5.5.27
 Tomcat 6.0.0 to 6.0.18
DataSourceRealm:
 Tomcat 4.1.17 to 4.1.31
 Tomcat 5.5.0  to 5.5.5
JDBCRealm:
 Tomcat 4.1.0 to 4.1.31
 Tomcat 5.5.0 to 5.5.5

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.

Description:
Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords. The attack is possible if
form based authentication (j_security_check) with one of the following
authentication realms is used:
 * MemoryRealm
 * DataSourceRealm
 * JDBCRealm

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply this patch http://svn.apache.org/viewvc?rev=747840&amp;view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781379&amp;view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781382&amp;view=rev

Example:
The following POST request should trigger an error (500 server error or
empty response, depending on the configuration) if the ROOT web
application is configured to use FORM authentication:

POST /j_security_check HTTP/1.1
Host: localhost

j_username=tomcat&amp;j_password=%

Credit:
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoo/a0ACgkQb7IeiTPGAkOwBgCgg32bOh5/3FWwmg+qnazFuJLy
UGAAnjGl3psau6THn7UDBjpHfSG8LZ4a
=SIJ6
-----END PGP SIGNATURE-----



</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] CVE-2009-0783 Apache Tomcat Information disclosure</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A27C3A1.8020804@apache.org%3e"/>
<id>urn:uuid:%3c4A27C3A1-8020804@apache-org%3e</id>
<updated>2009-06-04T12:52:49Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0783: Apache Tomcat information disclosure vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.

Description:
Bugs https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 allowed a web
application to replace the XML parser used by Tomcat to process web.xml,
context.xml and tld files. If a web application is the first web
application loaded, these bugs allow that web application to potentially
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply these patches
   - http://svn.apache.org/viewvc?rev=739522&amp;view=rev
   - http://svn.apache.org/viewvc?rev=652592&amp;view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply these patches
   - http://svn.apache.org/viewvc?rev=781542&amp;view=rev
   - http://svn.apache.org/viewvc?rev=681156&amp;view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781708&amp;view=rev

Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an
example web application that can be used to replace the XML parser used
by Tomcat.

Credit:
The security implications of these bugs were discovered and reported to
the Apache Software Foundation by Philippe Prados.


References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

The Apache Tomcat Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkonw6EACgkQb7IeiTPGAkM8qACgyxH+hBK4r4DprZhIqd97x/V1
/7EAnRMaJsKIoPzBQgOtOhM3vOCtyL+F
=B+Gu
-----END PGP SIGNATURE-----



</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] CVE-2009-0033 Apache Tomcat DoS when using Java AJP connector</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A2699CE.4040200@apache.org%3e"/>
<id>urn:uuid:%3c4A2699CE-4040200@apache-org%3e</id>
<updated>2009-06-03T15:42:06Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0033: Apache Tomcat denial of service vulnerability

Severity: important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.

Description:
If Tomcat receives a request with invalid headers via the Java AJP
connector, it does not return an error and instead closes the AJP
connection. In case this connector is a member of a mod_jk load balancing
worker, this member will be put into an error state and will be blocked
from use for approximately one minute. Thus the behaviour can be used
for a denial of service attack using a carefully crafted request.

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply this patch http://svn.apache.org/viewvc?rev=742915&amp;view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781362&amp;view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781362&amp;view=rev

Example:
GET /servlets-examples/ HTTP/1.1
Host: localhost:x

Credit:
This issue was discovered by Yoshihito Fukuyama.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

The Apache Tomcat Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkommc4ACgkQb7IeiTPGAkNJNACePbuHUz9m9P/lR/+hfhXh4TpL
V+EAnRjaiXwAkLJROzGDQebAqyNchEJt
=OHhB
-----END PGP SIGNATURE-----



</pre>
</div>
</content>
</entry>
<entry>
<title>[SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A2699C9.3070402@apache.org%3e"/>
<id>urn:uuid:%3c4A2699C9-3070402@apache-org%3e</id>
<updated>2009-06-03T15:42:01Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0580: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.

Description:
Due to insufficient error checking in some authentication classes,
Tomcat allows for the enumeration (brute force testing) of usernames by
supplying illegally URL encoded passwords. The attack is possible if
form based authentication (j_security_check) with one of the following
authentication realms is used:
 * MemoryRealm
 * DataSourceRealm
 * JDBCRealm

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply this patch http://svn.apache.org/viewvc?rev=747840&amp;view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781379&amp;view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781382&amp;view=rev

Example:
The following POST request should trigger an error (500 server error or
empty response, depending on the configuration) if the ROOT web
application is configured to use FORM authentication:

POST /j_security_check HTTP/1.1
Host: localhost

j_username=tomcat&amp;j_password=%

Credit:
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkommckACgkQb7IeiTPGAkP75ACg7XYuld/25X2ltLLTeeQx88UB
pFgAn1f6mIpzU7QUnjF4lsHcR+6lY67B
=a0AC
-----END PGP SIGNATURE-----



</pre>
</div>
</content>
</entry>
<entry>
<title>[ANN] New Tomcat announce list</title>
<author><name>Mark Thomas &lt;markt@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/tomcat-announce/200906.mbox/%3c4A2674BA.3050204@apache.org%3e"/>
<id>urn:uuid:%3c4A2674BA-3050204@apache-org%3e</id>
<updated>2009-06-03T13:03:54Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
All,

In response to popular demand, we have added an announce list to the
collection of Tomcat mailing lists. This list is open to anyone to
subscribe but only committers may post. It will be used to announce
releases, security vulnerabilities and other similar project announcements.

To subscribe, send a blank email to:
announce-subscribe@tomcat.apache.org

Further information is available from the Tomcat website:
http://tomcat.apache.org/lists.html

Enjoy!

The Apache Tomcat Team




</pre>
</div>
</content>
</entry>
</feed>
