Message-ID: <4E1DC47B.6000800@christopherschultz.net>
Date: Wed, 13 Jul 2011 12:14:51 -0400
From: Christopher Schultz
To: Tomcat Developers List
CC: Tomcat Users List
Subject: Re: [SECURITY] CVE-2011-2526 Apache Tomcat Information disclosure and availability vulnerabilities
In-Reply-To: <4E1DBAC2.30603@apache.org>

All,

Great catch to all who were involved in discovery and mitigation of this vulnerability.

Since the APR flavor of this vulnerability uses native code to crash the JVM and/or read files without asking the SecurityManager for permission, does that mean that the APR SSL configuration could be similarly attacked by specifying certificate file, etc. paths that shouldn't be allowed by the SecurityManager? I don't think there's a disclosure here (specifying /etc/passwd for a certificate file doesn't dump /etc/passwd) but there might be opportunities for a JVM crash.

-chris

On 7/13/2011 11:33 AM, Mark Thomas wrote:
> CVE-2011-2526: Apache Tomcat Information disclosure and availability
> vulnerabilities
>
> Severity: low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Tomcat 7.0.0 to 7.0.18
> Tomcat 6.0.0 to 6.0.32
> Tomcat 5.5.0 to 5.0.33
> Previous, unsupported versions may be affected
>
> Additionally, these vulnerabilities only occur when all of the following are true:
> a) untrusted web applications are being used
> b) the SecurityManager is used to limit the untrusted web applications
> c) the HTTP NIO or HTTP APR connector is used
> d) sendfile is enabled for the connector (this is the default)
>
> Description:
> Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet and deployed web applications may use it directly via setting request attributes. These request attributes were not validated.
> When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager:
> a) return files to users that the security manager should make inaccessible
> b) terminate (via a crash) the JVM
>
> Mitigation:
> Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions:
> a) undeploy untrusted web applications
> b) switch to the HTTP BIO connector (which does not support sendfile)
> c) disable sendfile by setting useSendfile="false" on the connector
> d) apply the patch(es) listed on the Tomcat security pages (see references)
> e) upgrade to a version where the vulnerabilities have been fixed
> Tomcat 7.0.x users may upgrade to 7.0.19 or later once released
> Tomcat 6.0.x users may upgrade to 6.0.33 or later once released
> Tomcat 5.5.x users may upgrade to 5.5.34 or later once released
>
> Example:
> Exposing the first 1000 bytes of /etc/passwd
> HttpServletRequest.setAttribute(
> "org.apache.tomcat.sendfile.filename","/etc/passwd");
> HttpServletRequest.setAttribute(
> "org.apache.tomcat.sendfile.start",Long.valueOf(0));
> HttpServletRequest.setAttribute(
> "org.apache.tomcat.sendfile.end",Long.valueOf(1000));
> Specifying an end point after the end of the file will trigger a JVM crash with the HTTP APR connector and an infinite loop with the HTTP NIO connector.
>
> Credit:
> These issues were identified by the Tomcat security team.
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
>
> The Apache Tomcat Security Team
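The advisory quoted above says the three sendfile request attributes were handed to the connector without validation, and names the two consequences: a read the SecurityManager should have denied, and a byte range past the end of the file that crashed the APR connector or looped the NIO one. The following is an added illustration of the kind of check that closes both gaps. It is not Tomcat's own code or its actual patch (see the security pages in the references for those); the class name `SendfileAttributeCheck`, the `Range` result type and the `validate` signature are hypothetical, and only the attribute names come from the advisory.

```java
import java.io.File;
import java.io.IOException;

/**
 * Illustrative validator for the sendfile request attributes named in the
 * advisory. Added example, not Tomcat's implementation: it performs the two
 * checks the advisory says were missing, a SecurityManager read check on the
 * resolved path and a bounds check on the [start, end) byte range.
 */
public final class SendfileAttributeCheck {

    // Attribute names as given in the advisory.
    public static final String ATTR_FILENAME = "org.apache.tomcat.sendfile.filename";
    public static final String ATTR_START = "org.apache.tomcat.sendfile.start";
    public static final String ATTR_END = "org.apache.tomcat.sendfile.end";

    /** Validated result: canonical path plus a byte range known to lie inside the file. */
    public static final class Range {
        public final String canonicalPath;
        public final long start;
        public final long end;

        Range(String canonicalPath, long start, long end) {
            this.canonicalPath = canonicalPath;
            this.start = start;
            this.end = end;
        }
    }

    /**
     * Validates attribute values supplied by a web application. Throws
     * SecurityException when the SecurityManager denies reading the file and
     * IllegalArgumentException for any value that must not reach native code.
     */
    public static Range validate(Object filename, Object start, Object end) throws IOException {
        if (!(filename instanceof String) || ((String) filename).isEmpty()) {
            throw new IllegalArgumentException(ATTR_FILENAME + " must be a non-empty String");
        }
        // Canonicalise first so ".." segments and symlinks are resolved before the
        // permission check, otherwise the policy would be consulted about the wrong path.
        File file = new File((String) filename);
        String canonical = file.getCanonicalPath();

        // Ask the SecurityManager whether the caller may read this file. This is the
        // check the advisory says the unvalidated filename attribute bypassed.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkRead(canonical);
        }
        if (!file.isFile()) {
            throw new IllegalArgumentException("sendfile target is not a regular file: " + canonical);
        }

        long length = file.length();
        long s = toLong(start, ATTR_START);
        long e = toLong(end, ATTR_END);
        // The range must lie within the file. An end past EOF is exactly the input the
        // advisory describes as crashing APR and looping NIO.
        if (s < 0 || e < s || e > length) {
            throw new IllegalArgumentException(
                    "sendfile range [" + s + "," + e + ") outside file of length " + length);
        }
        return new Range(canonical, s, e);
    }

    private static long toLong(Object value, String attr) {
        if (!(value instanceof Long)) {
            throw new IllegalArgumentException(attr + " must be a java.lang.Long");
        }
        return (Long) value;
    }

    /** Stand-alone demonstration on a constructed 512-byte temporary file. */
    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("sendfile-demo", ".bin");
        tmp.deleteOnExit();
        java.nio.file.Files.write(tmp.toPath(), new byte[512]);

        Range ok = validate(tmp.getPath(), Long.valueOf(0), Long.valueOf(512));
        System.out.println("accepted: " + ok.canonicalPath + " [" + ok.start + "," + ok.end + ")");

        try {
            // Same shape as the advisory's example, but with an end past EOF.
            validate(tmp.getPath(), Long.valueOf(0), Long.valueOf(1000));
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Two points matter when placing a check like this in a container. `SecurityManager.checkRead` evaluates the permissions of every protection domain on the current call stack, so it only restricts the web application if it runs while that application's code is on the stack (or under its captured `AccessControlContext`); a check performed later on a connector thread, after the servlet has returned, would be evaluated against the container's own privileges instead. And the range check has to be done against the file length measured at validation time and re-done, or the file length re-read, by whichever component actually issues the transfer, since the file can change between the two.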