Bugzilla – Bug 509839
VUL-0: CVE-2009-0580: tomcat6: information disclosure in authentication class
Last modified: 2019-05-01 15:03:15 UTC
Hi. There is a security bug in 'tomcat6'. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=503978

CVE number: CVE-2009-0580
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
Original posting: https://bugzilla.redhat.com/show_bug.cgi?id=503978

CVE-2009-0580 Description From Marc Schoenefeld 2009-06-03 12:17:33 EDT
Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded passwords. The attack is possible if FORM based authentication (j_security_check) is used with either the MemoryRealm, DataSourceRealm or JDBCRealm.
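An added example, not from this bug report or from Tomcat's code, modelling the class of defect described above: a form-login handler that decodes the submitted password only after the user lookup answers differently for known and unknown names when the encoding is malformed, beside a hardened version that validates the input first and returns one uniform failure. The user store, the account and the decoding rules are assumptions made for the example.

```python
import hmac
import string

# Constructed user store standing in for a realm (assumption: not Tomcat's realm code).
USERS = {"tomcat": "s3cret"}

def strict_url_decode(value):
    """Decode %XX escapes and '+', rejecting malformed escapes instead of passing them through."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            hexpart = value[i + 1:i + 3]
            if len(hexpart) != 2 or not all(h in string.hexdigits for h in hexpart):
                raise ValueError("malformed %%-escape at offset %d" % i)
            out.append(int(hexpart, 16))
            i += 3
        elif ch == "+":
            out.append(0x20)
            i += 1
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8")

def login_vulnerable(username, raw_password):
    """Flawed ordering: the user is looked up first, and the supplied password is only
    decoded (and can only fail) for accounts that exist, so a malformed escape yields
    a different response for valid and invalid user names."""
    stored = USERS.get(username)
    if stored is None:
        return 401, "login failed"
    try:
        password = strict_url_decode(raw_password)
    except ValueError:
        return 500, "internal error"          # reachable only when the user exists
    return (200, "ok") if password == stored else (401, "login failed")

def login_hardened(username, raw_password):
    """Decode and validate the credential before touching the user store, and return
    the same answer for every failure cause so the user name is not revealed."""
    try:
        password = strict_url_decode(raw_password)
    except ValueError:
        return 401, "login failed"
    # Compare against a dummy when the user is unknown so both paths do the same work.
    stored = USERS.get(username, "\0" * 32)
    if username in USERS and hmac.compare_digest(password.encode(), stored.encode()):
        return 200, "ok"
    return 401, "login failed"
```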
Needs to update:
- tomcat6 in 11.0 and 11.1
- tomcat55 in 10.3
- tomcat5 in SLE10-SP3

Needs to investigate tomcat5 in SLE10-SP2 and SLES9.
Tomcat 5.0.30 in SLE10-SP2 has to be fixed too. Backported patches (also for CVE-2009-0033) from the tc5.x trunk.
Description From Thomas Biege 2009-06-04 02:42:32 MDT
Hi. There is a security bug in 'tomcat6'. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=493381

CVE number: CVE-2009-0033
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
Original posting: https://bugzilla.redhat.com/show_bug.cgi?id=493381

CVE-2009-0033 Comment #2 From Marc Schoenefeld 2009-06-03 12:05:12 EDT
If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behaviour can be used for a denial of service attack using a carefully crafted request.
So there are two new CVEs in tomcat5 [1] and tomcat6 [2].

Important: Information Disclosure CVE-2009-5515
When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.

low: Information disclosure CVE-2009-0783
Bugs 29936 and 45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files. In limited circumstances these bugs may allow a rogue web application to view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

I'm working on a fix.

BTW: As I understood, we don't fix the security issues in tomcat examples, so CVE-2009-0781 will not be fixed.

[1] http://tomcat.apache.org/security-5.html
[2] http://tomcat.apache.org/security-6.html
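An added example, not from the bug report or from Tomcat's sources, modelling the ordering defect behind the RequestDispatcher issue quoted above (listed there as CVE-2009-5515): when a dispatcher target is normalised before its query string is removed, '..' segments inside a parameter value take part in normalisation and can resolve to a location the container would otherwise refuse to serve. The normaliser, the protected-path check and the sample target are assumptions constructed for the example; the corrected function shows the order the fix establishes.

```python
def normalize(path):
    """Collapse '.' and '..' segments; None if the path would climb above the context root."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)

def strip_query(target):
    """Drop everything from the first '?' onwards."""
    return target.partition("?")[0]

def resolve_vulnerable(target):
    """Flawed order: normalise the whole target first, then drop the query string,
    so traversal segments hidden in a parameter value are honoured."""
    normalised = normalize(target)
    return None if normalised is None else strip_query(normalised)

def resolve_fixed(target):
    """Corrected order: drop the query string first, then normalise only the path."""
    return normalize(strip_query(target))

def is_protected(path):
    """Stand-in for the container rule that WEB-INF content is never served directly."""
    return path is not None and path.upper().startswith("/WEB-INF")

# Constructed dispatcher target whose parameter value carries traversal segments.
TARGET = "/pages/show.jsp?item=/../../WEB-INF/web.xml"

def check_ordering(target=TARGET):
    """Return (vulnerable_result, fixed_result) for a target, for use as a regression check."""
    return resolve_vulnerable(target), resolve_fixed(target)
```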
(In reply to comment #8)
[..]
> BTW: As I understood, we don't fix the security issues in tomcat examples, so
> CVE-2009-0781 will not be fixed.

Ok!
(In reply to comment #9)
> (In reply to comment #8)
> [..]
> > BTW: As I understood, we don't fix the security issues in tomcat examples, so
> > CVE-2009-0781 will not be fixed.
>
> Ok!

Ah, wait. Only if this vulnerable example is not accessible remotely after the installation of our tomcat package.
The affected cal2.jsp is packaged in a separate optional package (jakarta-tomcat-examples in sles9 and tomcatXX-webapps in other releases). So this would be remotely accessible only if the admin installed those examples on a server. And the examples package is not necessary for running or configuring tomcat (there's an admin-webapps package with web administration tools).
Let us fix the examples. It is very common that installed examples (for testing the setup etc.) will not be deleted and will be forgotten as soon as the production system runs. Example code like this is always a good entry point for attackers. We had this issue with CGI example scripts in the past already. Thanks!
JFI: The proper fix for CVE-2009-5515 for tomcat6 is 739532 [1]; the one on the security page comes from tomcat/trunk, but tomcat6 is maintained in tomcat/tc6.0.x/

[1] http://svn.apache.org/viewvc?view=rev&revision=739532
low: Cross-site scripting CVE-2009-0781
The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective.
Submitted fixed packages:
jakarta-tomcat sles9
tomcat5 sle10-sp2
tomcat5 sle10-sp3
tomcat55 10.3 + fix for bug#496371
tomcat6 11.0**, 11.1 and sle11 + fixed bnc#485933: cumulative fix for tomcat6:
 * bnc#418664 - added /etc/ant.d/catalina-ant
 * bnc#424675 - link $CATALINA_BASE/conf/Catalina -> /var/cache/tomcat6/Catalina/
 * bnc#433852 - rctomcat symlink
 * bnc#446598 - changed a comment in tomcat6.conf about reading of sysconfig

** + fix for bug#484760 (fixed bug in CVE-2008-2370 patch)
(In reply to comment #13)
> JFI: The proper fix for CVE-2009-5515 for tomcat6 is 739532 [1], the one on
> security page comes from tomcat/trunk, but tomcat6 is maintained in
> tomcat/tc6.0.x/
>
> [1] http://svn.apache.org/viewvc?view=rev&revision=739532

Was it really CVE-200_9_-5515 or CVE-200_8_-5515... I think it is a CVE-ID from 2009 and the patch from tomcat's SVN has a typo.
The SWAMPID for this issue is 25234. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/25234)
(In reply to comment #16)
> (In reply to comment #13)
> > JFI: The proper fix for CVE-2009-5515 for tomcat6 is 739532 [1], the one on
> > security page comes from tomcat/trunk, but tomcat6 is maintained in
> > tomcat/tc6.0.x/
> >
> > [1] http://svn.apache.org/viewvc?view=rev&revision=739532
>
> Was it really CVE-200_9_-5515 or CVE-200_8_-5515...

Sorry, there's no CVE-2009-5515, it was CVE-2008-5515. Do I have to resubmit all tomcat packages?

> I think it is a CVE-ID from
> 2009 and the patch from tomcat's SVN has a typo.

There's no CVE-2009-5515 yet and the description of 2008-5515 matches, so that was my fault.
(In reply to comment #18)
> (In reply to comment #16)
> > (In reply to comment #13)
> [..]
> > Was it really CVE-200_9_-5515 or CVE-200_8_-5515...
>
> Sorry, there's no CVE-2009-5515, it was CVE-2008-5515. Do I have to resubmit all
> tomcat packages?

To avoid confusion it would be better to resubmit the packages.
Packages were resubmitted.
Hi. It seems that the original fix for CVE-2008-5515 was bad - see bug#514570. The new patch is available [1]. The packages need to be resubmitted.

[1] http://svn.apache.org/viewvc?view=rev&revision=783291
Ok! This affects all submitted packages I assume, right?
Just tomcat5 packages. The tomcat6 security page [1] does not refer to another patch for CVE-2008-5515, just the tomcat5 one [2].

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-5.html

Anyway I'm working on it.
tomcat5 packages rejected, let me know when you are done.
Fixed jakarta-tomcat5 in sles9, tomcat5 in sle10-sp2, tomcat5 in sle10-sp3 (was checked in) and tomcat55 for 10.3 were submitted. tomcat6 doesn't need to be fixed.
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products: openSUSE 11.0 (i386), openSUSE 11.1 (i586)
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products: SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
New problem in tomcat5 (sles9 and sles10-sp2 - sp3 uses a different version) - see bug#516162. The fixed patches for CVE-2009-0783 were created and need to be tested.
sles10-sp2 version with fixed CVE-2009-0783 was successfully tested - see bug#516162#c17
The fixed sles9 version was submitted to /work/src/done/SLES9-SP4/jakarta-tomcat (including a fix of a bug in rctomcat found by QA).
Update released for: tomcat55, tomcat55-admin-webapps, tomcat55-common-lib, tomcat55-jasper, tomcat55-jasper-javadoc, tomcat55-jsp-2_0-api, tomcat55-jsp-2_0-api-javadoc, tomcat55-server-lib, tomcat55-servlet-2_4-api, tomcat55-servlet-2_4-api-javadoc, tomcat55-webapps
Products: openSUSE 10.3 (i386)
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products: SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Update released for: apache-jakarta-tomcat-connectors, apache2-jakarta-tomcat-connectors, jakarta-tomcat, jakarta-tomcat-doc, jakarta-tomcat-examples
Products: Novell-Linux-POS 9 (i386), Open-Enterprise-Server 9 (i386), SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
all released