SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Apache Tomcat Lets Malicious Applications Obtain Information and Deny Service
SecurityTracker Alert ID:  1025788
SecurityTracker URL:  http://securitytracker.com/id/1025788
CVE Reference:   CVE-2011-2526
Date:  Jul 16 2011
Impact:   Denial of service via local system, Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  
Version(s): 5.5.0 to 5.5.33, 6.0.0 to 6.0.32, 7.0.0 to 7.0.18
Description:   A vulnerability was reported in Apache Tomcat. A malicious web application running under a SecurityManager can obtain restricted files and cause denial of service conditions.

An untrusted web application can set specially crafted org.apache.tomcat.sendfile.* request attributes, which the connector passes to sendfile without validation, to obtain ostensibly restricted files or cause the JVM to crash.

Systems where the SecurityManager is used to limit untrusted web applications, where the HTTP NIO or HTTP APR connector is used, and where sendfile is enabled for that connector (the default) are affected.
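The affected and the mitigated connector definitions side by side, as an added server.xml excerpt that is not taken from the advisory or from a Tomcat distribution (the port, connectionTimeout and redirectPort values are placeholders):

```xml
<!-- Affected: NIO connector with sendfile left at its default (enabled).
     An APR connector (Http11AprProtocol, or protocol="HTTP/1.1" with the
     APR native library loaded) behaves the same way. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Mitigation: the same connector with sendfile switched off. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           useSendfile="false"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Alternative mitigation: the blocking (BIO) connector, which has no
     sendfile support at all. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000"
           redirectPort="8443" />
```

Check which connector is actually in use before deciding you are unaffected: with protocol="HTTP/1.1", Tomcat 6 and 7 select the APR connector automatically when the native library has been loaded through the AprLifecycleListener and the BIO connector otherwise, so a server.xml that never names a protocol class can still be running an affected connector. Disabling sendfile removes this attack path only; the SecurityManager configuration itself is unchanged by it.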

The Tomcat security team reported this vulnerability.

Impact:   An application can crash the JVM (HTTP APR connector) or drive the connector into an infinite loop (HTTP NIO connector).

An application can access restricted files on the target system.

Solution:   The vendor plans to issue fixes in 5.5.34, 6.0.33 and 7.0.19. Until then, undeploy untrusted web applications, switch to the HTTP BIO connector, or set useSendfile="false" on the NIO or APR connector.

The vendor's advisory is available at:

http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html

Vendor URL:  tomcat.apache.org/security-7.html
Cause:   Access control error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 5 2011 (Red Hat Issues Fix) Apache Tomcat Lets Malicious Applications Obtain Information and Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Jan 19 2012 (Red Hat Issues Fix for JBoss Enterprise Application Platform) Apache Tomcat Lets Malicious Applications Obtain Information and Deny Service
Red Hat has issued a fix for JBoss Enterprise Application Platform.



 Source Message Contents

Subject:  [SECURITY] CVE-2011-2526 Apache Tomcat Information disclosure and availability vulnerabilities


CVE-2011-2526: Apache Tomcat Information disclosure and availability
               vulnerabilities

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.18
Tomcat 6.0.0 to 6.0.32
Tomcat 5.5.0 to 5.5.33
Previous, unsupported versions may be affected
Additionally, these vulnerabilities only occur when all of the following
are true:
a) untrusted web applications are being used
b) the SecurityManager is used to limit the untrusted web applications
c) the HTTP NIO or HTTP APR connector is used
d) sendfile is enabled for the connector (this is the default)

Description:
Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
connectors. sendfile is used automatically for content served via the
DefaultServlet and deployed web applications may use it directly via
setting request attributes. These request attributes were not validated.
When running under a security manager, this lack of validation allowed a
malicious web application to do one or more of the following that would
normally be prevented by a security manager:
a) return files to users that the security manager should make inaccessible
b) terminate (via a crash) the JVM

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by
taking any of the following actions:
a) undeploy untrusted web applications
b) switch to the HTTP BIO connector (which does not support sendfile)
c) disable sendfile by setting useSendfile="false" on the connector
d) apply the patch(es) listed on the Tomcat security pages (see references)
e) upgrade to a version where the vulnerabilities have been fixed
   Tomcat 7.0.x users may upgrade to 7.0.19 or later once released
   Tomcat 6.0.x users may upgrade to 6.0.33 or later once released
   Tomcat 5.5.x users may upgrade to 5.5.34 or later once released

Example:
Exposing the first 1000 bytes of /etc/passwd
// "request" is the HttpServletRequest handed to the servlet; the NIO/APR
// connector acts on these attributes after the servlet has returned.
request.setAttribute(
        "org.apache.tomcat.sendfile.filename", "/etc/passwd");
request.setAttribute(
        "org.apache.tomcat.sendfile.start", Long.valueOf(0));
request.setAttribute(
        "org.apache.tomcat.sendfile.end", Long.valueOf(1000));
Specifying an end point after the end of the file will trigger a JVM
crash with the HTTP APR connector and an infinite loop with the HTTP NIO
connector.

Credit:
These issues were identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team

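As an added illustration that is neither Tomcat's own code nor part of the advisory above: the checks a container has to apply to the org.apache.tomcat.sendfile.* attributes before a NIO or APR connector acts on them, covering both the file-access bypass and the past-end-of-file crash. The class, method and type names, and the temporary file built in main, are assumptions made for this example; the attribute names are the ones the advisory uses.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

// Added example, not Tomcat's own code: validation of the
// org.apache.tomcat.sendfile.* request attributes before a NIO/APR connector
// hands the file to sendfile. Class, method and type names are assumptions.
public final class SendfileGuard {

    public static final String FILENAME_ATTR = "org.apache.tomcat.sendfile.filename";
    public static final String START_ATTR    = "org.apache.tomcat.sendfile.start";
    public static final String END_ATTR      = "org.apache.tomcat.sendfile.end";

    /** Validated description of what sendfile may transmit (end is exclusive). */
    public static final class SendfileRange {
        public final String canonicalPath;
        public final long start;
        public final long end;
        SendfileRange(String canonicalPath, long start, long end) {
            this.canonicalPath = canonicalPath;
            this.start = start;
            this.end = end;
        }
    }

    /**
     * Must run while still in the calling web application's security context,
     * i.e. at setAttribute time. The connector thread that later performs the
     * sendfile runs with the container's own privileges, so a check made there
     * would pass for any file the container itself can read.
     *
     * @throws SecurityException        if the web application may not read the file
     * @throws IllegalArgumentException for a badly typed, non-regular or
     *                                  out-of-range request
     */
    public static SendfileRange validate(Object filename, Object start, Object end) {
        if (!(filename instanceof String) || !(start instanceof Long) || !(end instanceof Long)) {
            throw new IllegalArgumentException("sendfile attributes have unexpected types");
        }
        // Canonicalise first so symlinks and ".." segments cannot dodge the
        // permission check, then check read access on the canonical path.
        String canonical;
        try {
            canonical = new File((String) filename).getCanonicalPath();
        } catch (IOException e) {
            throw new IllegalArgumentException("sendfile path cannot be canonicalised", e);
        }
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkRead(canonical);   // throws SecurityException for a restricted file
        }
        File f = new File(canonical);
        if (!f.isFile()) {
            throw new IllegalArgumentException("sendfile target is not a regular file");
        }
        long s = (Long) start;
        long e = (Long) end;
        long len = f.length();
        // An end past EOF is the input that crashes APR and spins NIO.
        if (s < 0 || e < s || e > len) {
            throw new IllegalArgumentException(
                    "sendfile range [" + s + "," + e + ") outside file length " + len);
        }
        return new SendfileRange(canonical, s, e);
    }

    // Stand-alone demo on a constructed 2048-byte temporary file: a request in
    // bounds, one past EOF, one with end before start, and one with attributes
    // of the wrong type. With no SecurityManager installed only the type and
    // range checks apply.
    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("sendfile-demo", ".bin");
        tmp.deleteOnExit();
        try (FileOutputStream out = new FileOutputStream(tmp)) {
            out.write(new byte[2048]);
        }
        String path = tmp.getPath();

        SendfileRange ok = validate(path, Long.valueOf(0), Long.valueOf(1000));
        System.out.println("accepted " + ok.canonicalPath + " [" + ok.start + "," + ok.end + ")");

        Object[][] bad = {
            { path, Long.valueOf(0), Long.valueOf(4096) },    // end past EOF
            { path, Long.valueOf(1500), Long.valueOf(1000) }, // end before start
            { path, Integer.valueOf(0), Long.valueOf(10) },   // wrong attribute type
        };
        for (Object[] req : bad) {
            try {
                validate(req[0], req[1], req[2]);
                System.out.println("BUG: accepted " + java.util.Arrays.toString(req));
            } catch (IllegalArgumentException expected) {
                System.out.println("rejected: " + expected.getMessage());
            }
        }
    }
}
```

The point that matters for the bypass is where the check runs, not only that it runs: the SecurityManager decision has to be taken on the web application's own call stack (inside setAttribute), because by the time the connector thread performs the sendfile it is executing as the container and would be allowed to read anything the container can.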


 
 


Copyright 2019, SecurityGlobal.net LLC