From Glenn Nielsen <>
Subject Re: [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release
Date Sat, 02 Mar 2002 06:10:45 GMT
Remy Maucherat wrote:
> > Remy Maucherat wrote:
> > >
> > > A security vulnerability affecting the sandboxing provided by the Java
> > > Security Manager has been discovered. The request dispatcher functionality of
> > > the Servlet API could be used by a malicious servlet or JSP page to get
> > > access to any resource located on the server's filesystem, bypassing the
> > > Security Manager protection.
> > >
> > > Note: People who are not using Tomcat with the Security Manager are not
> > > affected by this problem, and do not need to upgrade.
> > >
> >
> > This statement is misleading.  I reviewed the bug report and patch.
> > The security bug had nothing to do with the SecurityManager implementation
> > itself.  It was due to the file path not being normalized before getting
> > the RequestDispatcher for it.  Tomcat would be vulnerable to this regardless
> > of whether it was running with the SecurityManager or not.
> >
> > In fact if you were running Tomcat with the SecurityManager enabled and
> > a strict catalina.policy which restricted file access with FilePermissions
> > you would be less vulnerable than Tomcat running without the SecurityManager.
> >
> > Sorry this is a few hours too late for the announcement.
> >
> > Perhaps a followup announcement could be made to correct this.
> I agree, but if you don't have the security manager, a malicious servlet
> could already use direct filesystem access to read any file on the server,
> which is a lot easier to use than this vulnerability. So the vulnerability
> doesn't make it more insecure (but it's still a spec compliance bug).

That's true.  But the announcement is still misleading.  This really is more
of a spec compliance bug than a security bug.

> OTOH, if you have the security manager, you're supposed to be protected,
> regardless of whether or not there's a bug in the request dispatcher.

There is that old saying "You can lead a horse to water, but you can't
make it drink."  That applies in this case.  We don't require that Tomcat 4
be run with the SecurityManager, and even if you use the SecurityManager
your protection is only as good as the security policy you implement.
The default catalina.policy is not very restrictive.  My Tomcat configs
use a very strict policy, so my exposure to this bug was more limited.



Glenn Nielsen    | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
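Added example, not Tomcat's code and not part of this thread: the defect discussed above is a context-relative path reaching the RequestDispatcher without normalization, so this helper collapses `.` and `..` segments and refuses any path that would climb above the web application root before the path is passed to `ServletContext.getRequestDispatcher()`. The class and method names are hypothetical, and the sample paths are constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/*
 * Added example (hypothetical names, not Tomcat code): normalize a
 * context-relative dispatcher path and reject anything that would resolve
 * outside the web application root. Takes the path portion only; any query
 * string is assumed to have been split off by the caller.
 */
public final class DispatcherPathCheck {

    /** Returns the normalized path, or null if the path must be rejected. */
    public static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;                 // dispatcher paths must be context-relative
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;         // would escape the context root
                }
                segments.removeLast();   // climb one directory inside the root
                continue;
            }
            if (seg.indexOf('\\') >= 0 || seg.indexOf('\0') >= 0) {
                return null;             // separator look-alikes are never acceptable
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample paths: one legitimate, one traversal, one odd-but-safe.
        String[] samples = { "/jsp/a/../index.jsp", "/../../etc/passwd", "/a/./b//c" };
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s));
        }
    }
}
```

A null result is the signal to answer the request with an error rather than calling getRequestDispatcher(); a strict catalina.policy with narrow FilePermissions remains the second line of defence behind this check.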
