SecurityTracker.com
SecurityTracker
Archives
Category: Application (Web Server/CGI) > Apache Tomcat
Vendors: Apache Software Foundation
Apache Tomcat getResource() Lets Applications Obtain Certain Directory Listings
SecurityTracker Alert ID:  1035070
SecurityTracker URL:  http://securitytracker.com/id/1035070
CVE Reference: CVE-2015-5174
Date:  Feb 22 2016
Impact:   Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.0.0 to 6.0.44, 7.0.0 to 7.0.64, 8.0.0.RC1 to 8.0.26
Description:   A vulnerability was reported in Apache Tomcat. A remote user can view certain directory listings on the target system.

The getResource(), getResourceAsStream(), and getResourcePaths() ServletContext methods do not properly validate user-supplied path values containing '/..' directory traversal characters. An application can supply a specially crafted request to view a directory listing for the web application directory.

Impact:   An application can view a directory listing for the web application directory.
Solution:   The vendor has issued a fix (6.0.45, 7.0.65, 8.0.27).

The vendor's advisory is available at:

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.65
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.27

Vendor URL: tomcat.apache.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 5 2016 (HPE Issues Fix) Apache Tomcat getResource() Lets Applications Obtain Certain Directory Listings
HPE has issued a fix for HP-UX 11.31.
May 11 2016 (IBM Issues Fix for IBM Tivoli Directory Server) Apache Tomcat getResource() Lets Applications Obtain Certain Directory Listings
IBM has issued a fix for IBM Tivoli Directory Server.
Jun 1 2016 (HPE Issues Fix for OpenVMS) Apache Tomcat getResource() Lets Applications Obtain Certain Directory Listings
HPE has issued a fix for OpenVMS.
Jul 6 2016 (Ubuntu Issues Fix) Apache Tomcat getResource() Lets Applications Obtain Certain Directory Listings
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.10, and 16.04 LTS.
Aug 9 2016 (IBM Issues Fix for IBM Cognos TM1) Apache Tomcat getResource() Lets Applications Obtain Certain Directory Listings
IBM has issued a fix for IBM Cognos TM1.
Nov 4 2016 (Red Hat Issues Fix) Apache Tomcat getResource() Lets Applications Obtain Certain Directory Listings
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



 Source Message Contents

Subject:  [SECURITY] CVE-2015-5174 Apache Tomcat Limited Directory Traversal

CVE-2015-5174 Apache Tomcat Limited Directory Traversal

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.64
- Apache Tomcat 8.0.0.RC1 to 8.0.26
- Apache Tomcat 9 is not affected
- Earlier, unsupported Tomcat versions may be affected

Description:
When accessing resources via the ServletContext methods getResource(),
getResourceAsStream() and getResourcePaths(), the paths should be limited
to the current web application. The validation was not correct and paths
of the form "/.." were not rejected. Note that paths starting with
"/../" were correctly rejected.
This bug allowed malicious web applications running under a security
manager to obtain a directory listing for the directory in which the web
application had been deployed. This should not be possible when running
under a security manager. Typically, the directory listing that would be
exposed would be for $CATALINA_BASE/webapps.
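The check failure described above, as an added illustration that is not Tomcat's own code: a validator that only rejects the "/../" prefix (so a bare "/.." slips through) beside a segment-walking resolver that rejects any path whose ".." components climb above the web application root. Function names and the sample paths are constructed for this example.

```python
"""Constructed illustration of the CVE-2015-5174 class of bug: prefix-only
rejection of '/../' versus resolving every path segment against the root."""

from typing import Optional


def flawed_validate(path: str) -> bool:
    """Simplified model of the faulty check: only a leading '/../' is refused.
    A path that is exactly '/..' or that ends in '/..' passes, although it
    points at the directory the web application was deployed into."""
    if not path.startswith("/"):
        return False
    return not path.startswith("/../")


def resolve_within_root(path: str) -> Optional[str]:
    """Walk the segments and keep a stack of the directories entered.
    Returns the canonical in-application path, or None if a '..' would
    move above the root (i.e. the lookup would escape the web application)."""
    if not path.startswith("/"):
        return None
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                      # skip empty and '.' segments
        if segment == "..":
            if not stack:
                return None               # climbing above the root: reject
            stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def hardened_validate(path: str) -> bool:
    """Accept a path only if it resolves to a location inside the root."""
    return resolve_within_root(path) is not None


def audit(paths):
    """Compare both checks over a list of paths; returns {path: (flawed, hardened)}."""
    return {p: (flawed_validate(p), hardened_validate(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample lookups: the second line is the '/..' case the advisory names.
    for p, (old, new) in audit(["/WEB-INF/web.xml", "/..", "/../", "/WEB-INF/..",
                                 "/a/b/../../.."]).items():
        print(f"{p!r:22} flawed={old!s:5} hardened={new}")
```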

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.27 or later
- Upgrade to Apache Tomcat 7.0.65 or later
- Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
Copyright 2019, SecurityGlobal.net LLC