743055 – (CVE-2011-3375) VUL-1: CVE-2011-3375: tomcat: information disclosure due to improper response and request object recycling

Bug 743055 (CVE-2011-3375) - VUL-1: CVE-2011-3375: tomcat: information disclosure due to improper response and request object recycling

Summary: VUL-1: CVE-2011-3375: tomcat: information disclosure due to improper response...

Status:	RESOLVED FIXED

Alias:	CVE-2011-3375

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2012-01-24 09:23 UTC by Matthias Weckbecker
Modified:	2015-09-25 13:23 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Weckbecker 2012-01-24 09:23:57 UTC

CVE-2011-3375 Apache Tomcat Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.21
- Tomcat 6.0.30 to 6.0.33
- Earlier versions are not affected

Description:
For performance reasons, information parsed from a request is often
cached in two places: the internal request object and the internal
processor object. These objects are not recycled at exactly the same time.
When certain errors occur that needed to be added to the access log, the
access logging process triggers the re-population of the request object
after it has been recycled. However, the request object was not recycled
before being used for the next request. That lead to information leakage
(e.g. remote IP address, HTTP headers) from the previous request to the
next request.
The issue was resolved be ensuring that the request and response objects
were recycled after being re-populated to generate the necessary access
log entries.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.22 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later

Credit:
The issue was initially reported via Apache Tomcat's public issue
tracker with the potential security implications identified by the
Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872

Comment 1 Michal Vyskocil 2012-02-06 08:52:00 UTC

It's not clear if sle with backported performance proseccing code is not vulnerable as well, need to check

http://svn.apache.org/viewvc?view=revision&revision=1185998

Comment 2 Michal Vyskocil 2012-02-06 09:14:18 UTC

So tomcat6 in sle11 is not vulnerable, there is no adapter.log(request, response, 0) call after response.setStatus this patch removes even after all backporting.

Comment 3 Bernhard Wiedemann 2012-02-06 16:00:54 UTC

This is an autogenerated message for OBS integration:
This bug (743055) was mentioned in
https://build.opensuse.org/request/show/102913 11.4 / tomcat6

Comment 4 Bernhard Wiedemann 2012-02-09 09:00:23 UTC

This is an autogenerated message for OBS integration:
This bug (743055) was mentioned in
https://build.opensuse.org/request/show/103477 12.1 / tomcat6

Comment 5 Michal Vyskocil 2012-12-10 13:20:43 UTC

submitted,

see https://bugzilla.novell.com/show_bug.cgi?id=791426#c11

Comment 7 Matthias Weckbecker 2012-12-10 14:31:24 UTC

This bug isn't mentioned in the submission I think. Can you possibly x-check?

Comment 8 Michal Vyskocil 2012-12-11 08:59:42 UTC

(In reply to comment #7)
> This bug isn't mentioned in the submission I think. Can you possibly x-check?

Sorry, I should be more explicit - there are so many tomcat fixes in the queue.

So this was valid and fixed in openSUSE. The sle11 version is not vulnerable (see comment#2) as well as the tomcat-7.0.22 in 12.2, neither tomcat5 in sle-10. Not sure why I did not move it to security team before ...

Comment 9 Matthias Weckbecker 2012-12-11 09:10:39 UTC

Oops, I should have simply read properly. Sorry. :(

Comment 10 Thomas Biege 2013-03-07 08:05:02 UTC

CVE-2011-3375: CVSS v2 Base Score: 4.9 (moderate) (AV:N/AC:H/Au:N/C:P/I:P/A:N): Information Leak / Disclosure (CWE-200)