SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
SecurityTracker Alert ID:  1035071
SecurityTracker URL:  http://securitytracker.com/id/1035071
CVE Reference:   CVE-2015-5345   (Links to External Site)
Date:  Feb 22 2016
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0.0 to 6.0.44, 7.0.0 to 7.0.66, 8.0.0.RC1 to 8.0.29, 9.0.0.M1
Description:   A vulnerability was reported in Apache Tomcat. A remote user can determine valid directories on the target system.

A remote user can supply a specially crafted URL without a trailing slash for a directory protected by a security constraint to cause Tomcat to redirect the URL, indicating that the directory exists.

Mark Koek of QCSec reported this vulnerability.

Impact:   A remote user can determine valid directories on the target system.
Solution:   The vendor has issued a fix (6.0.45, 7.0.65, 8.0.30, 9.0.0.M3).

The vendor's advisory is available at:

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.65
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.30
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M3

Vendor URL:  tomcat.apache.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 5 2016 (HPE Issues Fix) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
HPE has issued a fix for HP-UX 11.31.
May 19 2016 (Red Hat Issues Fix for JBoss) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
Red Hat has issued a fix for JBoss Web Server for Red Hat Enterprise Linux 6 and 7.
Jun 1 2016 (HPE Issues Fix for OpenVMS) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
HPE has issued a fix for OpenVMS.
Jul 6 2016 (Ubuntu Issues Fix) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.10, and 16.04 LTS.
Jul 6 2016 (IBM Issues Fix for IBM Cognos Metric Manager) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
IBM has issued a fix for IBM Cognos Metric Manager.
Jul 8 2016 (IBM Issues Fix for IBM Storwize V7000 Unified) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
IBM has issued a fix for IBM Storwize V7000 Unified.
Aug 9 2016 (IBM Issues Fix for IBM Cognos TM1) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
IBM has issued a fix for IBM Cognos TM1.
Nov 4 2016 (Red Hat Issues Fix) Apache Tomcat Flaw Lets Remote Users Determine Valid Directories
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



 Source Message Contents

Subject:  [SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2015-5345 Apache Tomcat Directory disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 6.0.0 to 6.0.44
- - Apache Tomcat 7.0.0 to 7.0.66
- - Apache Tomcat 8.0.0.RC1 to 8.0.29
- - Apache Tomcat 9.0.0.M1
- - Earlier, unsupported Tomcat versions may be affected

Description:
When accessing a directory protected by a security constraint with a URL
that did not end in a slash, Tomcat would redirect to the URL with the
trailing slash thereby confirming the presence of the directory before
processing the security constraint. It was therefore possible for a user
to determine if a directory existed or not, even if the user was not
permitted to view the directory. The issue also occurred at the root of
a web application in which case the presence of the web application was
confirmed, even if a user did not have access.

The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were
processed before the redirect. The Tomcat team recognised that moving
the redirect could cause regressions to two new Context configuration
options (mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The initial default was
false for both since this was more secure. However, due to regressions
such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled
was later changed to true since it was viewed that the regression was
more serious than the security risk of associated with being able to
determine if a web application was deployed at a given path.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.30 or later
- - Upgrade to Apache Tomcat 7.0.67 or later
- - Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by Mark Koek of QCSec.

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
[5] http://tomcat.apache.org/security-6.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO
A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB
Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN
DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj
Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw
gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8
kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO
zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik
t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ
WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj
Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e
HnSzWGDdd63z0ixY0g2I
=6UrH
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC