SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
(Red Hat Issues Fix) Tomcat Single Quote Cookie Processing Bug Lets Remote Users Obtain Session Information
SecurityTracker Alert ID:  1018739
SecurityTracker URL:  http://securitytracker.com/id/1018739
CVE Reference:   CVE-2007-3382   (Links to External Site)
Date:  Sep 26 2007
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.3 to 3.3.2, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, 6.0.0 to 6.0.13
Description:   A vulnerability was reported in Tomcat. A remote user can obtain session information.

The software incorrectly interprets a single quote (') character in a cookie value as a delimiter. A remote user may be able to exploit this to hijack sessions.

A demonstration exploit URL is provided:

http://[target]:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B

Tomasz Kuczynski, Poznan Supercomputing and Networking Center and CERT/CC reported this vulnerability.

Impact:   A remote user can may be able to hijack sessions.
Solution:   Red Hat has released a fix.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2007-0871.html

Vendor URL:  tomcat.apache.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  5

Message History:   This archive entry is a follow-up to the message listed below.
Aug 14 2007 Tomcat Single Quote Cookie Processing Bug Lets Remote Users Obtain Session Information



 Source Message Contents

Subject:  [RHSA-2007:0871-01] Moderate: tomcat security update


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: tomcat security update
Advisory ID:       RHSA-2007:0871-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0871.html
Issue date:        2007-09-26
Updated on:        2007-09-26
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 
- ---------------------------------------------------------------------

1. Summary:

Updated tomcat packages that fix several security issues are now available
for Red Hat Enterprise Linux 5. 

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Tomcat is a servlet container for Java Servlet and Java Server Pages
technologies.

Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).

It was reported Tomcat did not properly handle the following character
sequence in a cookie: \" (a backslash followed by a double-quote). It was
possible remote attackers could use this failure to obtain sensitive
information, such as session IDs, for session hijacking attacks
(CVE-2007-3385).

A cross-site scripting (XSS) vulnerability existed in the Host Manager
Servlet. This allowed remote attackers to inject arbitrary HTML and web
script via crafted requests (CVE-2007-3386).

Users of Tomcat should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

247972 - CVE-2007-3382 tomcat handling of cookies
247976 - CVE-2007-3385 tomcat handling of cookie values
247994 - CVE-2007-3386 tomcat host manager xss

6. RPMs required:

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm
4cd5017f99a44689fd97bfaddb4d1e49  tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm

i386:
c0dc6d1800b59c9bfc34a23b8d646af6  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.i386.rpm
226f3d1465041197fc02615be82163fb  tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.i386.rpm
deb113e7d216237760505d9780b73a76  tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.i386.rpm

x86_64:
23d7a2a5d67055d37f27bef5503fee7b  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
fe8527d96dc984611e17982a0dfce68b  tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
c831207357291c3dd091964e9aa49ebc  tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm
4cd5017f99a44689fd97bfaddb4d1e49  tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm

i386:
7d71ed89d94341f41b171293ad013d6b  tomcat5-5.5.23-0jpp.3.0.2.el5.i386.rpm
f0cfcd9ec14bf30223576796c3d86254  tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm
c8ab874847b19faec830f6d002ef5700  tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm
c0dc6d1800b59c9bfc34a23b8d646af6  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.i386.rpm
b128c5e933557b9e90aa7cb71ad86f72  tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.i386.rpm
7166ea7ab11411ba0d0adf715657ac89  tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm
34159a09da8641ba7d7a61335b9a3685  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm
ec84df22f55b68f172123dfb39680230  tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm
4d9285f3236fb71cc4f1595cdaceb2c0  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm
14685a050088e338be428d4b315bed15  tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm

x86_64:
9a0875239aee9d021c8d4a56b42bb2a6  tomcat5-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
11619162c8e0adc036756a7ac03ce559  tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
d95026b2750fff774772c44a57f74792  tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
23d7a2a5d67055d37f27bef5503fee7b  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
9d3ddc4acf0c2ab389488f735aadf345  tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
3f2f6100623f9acb18d990fc52d9aa82  tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
1b51651253a8fe556bba1ddc565147f0  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
86702ce51dbe4da513827d49758858d9  tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
1be1106c350b4f834c5959e144cbfdb5  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
9ce3022090cc5cc036bec3f2edf75f49  tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm
4cd5017f99a44689fd97bfaddb4d1e49  tomcat5-5.5.23-0jpp.3.0.2.el5.src.rpm

i386:
7d71ed89d94341f41b171293ad013d6b  tomcat5-5.5.23-0jpp.3.0.2.el5.i386.rpm
f0cfcd9ec14bf30223576796c3d86254  tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm
c8ab874847b19faec830f6d002ef5700  tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm
c0dc6d1800b59c9bfc34a23b8d646af6  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.i386.rpm
b128c5e933557b9e90aa7cb71ad86f72  tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.i386.rpm
7166ea7ab11411ba0d0adf715657ac89  tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm
226f3d1465041197fc02615be82163fb  tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.i386.rpm
34159a09da8641ba7d7a61335b9a3685  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm
ec84df22f55b68f172123dfb39680230  tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.i386.rpm
deb113e7d216237760505d9780b73a76  tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.i386.rpm
4d9285f3236fb71cc4f1595cdaceb2c0  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.i386.rpm
14685a050088e338be428d4b315bed15  tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.i386.rpm

ia64:
d1243dc5b592ce4c5058abba7d315345  tomcat5-5.5.23-0jpp.3.0.2.el5.ia64.rpm
a2cf1700b014cec10c29031a0bb543cf  tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.ia64.rpm
f7c35060c547b32906d0152513198f52  tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.ia64.rpm
924aa06a7a426e77c9376cecf05833d1  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.ia64.rpm
d3ebf74a70ed5e96600beca2cbc619d9  tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.ia64.rpm
678a8878ac383ec4b1d30f1e19623520  tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.ia64.rpm
c15745c6040cf2c3f3f7ba9de185654d  tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.ia64.rpm
d9597bc0b803984b99ffefbdb631a9d0  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.ia64.rpm
95526b81e80b1ed513e399279901bfc5  tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.ia64.rpm
e237eff013f4913f67709b0b27e90d6b  tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.ia64.rpm
9543decf3e658d3bbcdf22a9ed151f87  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.ia64.rpm
5d19ef46e5fc9b59f382c63160dd3c59  tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.ia64.rpm

ppc:
d2113dd83880307a85683247a02eb3a0  tomcat5-5.5.23-0jpp.3.0.2.el5.ppc.rpm
1befc45ebca6fcebdde8ea58255592db  tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.ppc.rpm
661cb595807b4be529c5fee444f53f73  tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.ppc.rpm
6fdf9f17f925f504dfa76ac6a53a2b89  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.ppc.rpm
af2381512f812c196346fcfcedccc599  tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.ppc.rpm
0a5499eea93ae7230728764d6f5433c9  tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.ppc.rpm
39d4dbd2ffcdafe5595c8fcba0d36c82  tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.ppc.rpm
916fb1dedfc9f27e67c722d872e019d8  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.ppc.rpm
f0a5fe0ea04ff15df8e1488e2e337606  tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.ppc.rpm
6ebdac439d0d3f640ee6bae5eb7d0db0  tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.ppc.rpm
de8148bb55edd17fd09dda369b2b5621  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.ppc.rpm
d4c08ad82261464da948463712f7362d  tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.ppc.rpm

s390x:
c594c99a882748d4c8a6a26542fb5214  tomcat5-5.5.23-0jpp.3.0.2.el5.s390x.rpm
3fc2ddbb8cfd1b570b85ec2bcbbd1684  tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.s390x.rpm
5c0178460eaade94169af229a57c6764  tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.s390x.rpm
bc8c2924826f432f1b39df050a775429  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.s390x.rpm
85590df0cf18b16e41309da3382bb5ff  tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.s390x.rpm
74a06cfefa4d31dc17d5d9f4fa71f345  tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.s390x.rpm
2cbeb5dfc8464099c090434b8c5a8e0b  tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.s390x.rpm
fa035a0f0cd0b80a1e866c0e7c35899f  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.s390x.rpm
8cb6883fa810bc4ad606724209f0bc15  tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.s390x.rpm
474dfcf43451a02d422506d8a12876a5  tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.s390x.rpm
fedb0523b1a126613ca04fce2674546c  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.s390x.rpm
e9402bc61b20745f61ffed678af844f5  tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.s390x.rpm

x86_64:
9a0875239aee9d021c8d4a56b42bb2a6  tomcat5-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
11619162c8e0adc036756a7ac03ce559  tomcat5-admin-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
d95026b2750fff774772c44a57f74792  tomcat5-common-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
23d7a2a5d67055d37f27bef5503fee7b  tomcat5-debuginfo-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
9d3ddc4acf0c2ab389488f735aadf345  tomcat5-jasper-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
3f2f6100623f9acb18d990fc52d9aa82  tomcat5-jasper-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
fe8527d96dc984611e17982a0dfce68b  tomcat5-jsp-2.0-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
1b51651253a8fe556bba1ddc565147f0  tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
86702ce51dbe4da513827d49758858d9  tomcat5-server-lib-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
c831207357291c3dd091964e9aa49ebc  tomcat5-servlet-2.4-api-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
1be1106c350b4f834c5959e144cbfdb5  tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.3.0.2.el5.x86_64.rpm
9ce3022090cc5cc036bec3f2edf75f49  tomcat5-webapps-5.5.23-0jpp.3.0.2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFG+hmLXlSAg2UNWIIRAor1AKC2IOh5rvEQhEeMqlT224k06MdbFwCbBQFf
kpfI6XAq4LI+Y1vN2vURuoQ=
=RqY/
-----END PGP SIGNATURE-----



-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC