Bug 896047 (CVE-2013-4444) - VUL-0: CVE-2013-4444: tomcat: possible remote code execution
Summary: VUL-0: CVE-2013-4444: tomcat: possible remote code execution
Status: RESOLVED FIXED
Alias: CVE-2013-4444
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Importance: P3 - Medium / Major
Target Milestone: ---
Assignee: Bo Maryniuk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/106044/
Whiteboard: CVSSv3.1:SUSE:CVE-2013-4444:5.6:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-10 14:24 UTC by Marcus Meissner
Modified: 2021-11-05 13:07 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-09-10 14:24:02 UTC
via full-disclosure

CVE-2013-4444


From: Mark Thomas <markt@apache.org>
Date: Wed, 10 Sep 2014 15:00:24 +0100
Subject: [FD] [SECURITY] CVE-2013-4444 Remote Code Execution in Apache Tomcat

CVE-2013-4444 Remote Code Execution

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.39

Description:
In very limited circumstances, it was possible for an attacker to upload
a malicious JSP to a Tomcat server and then trigger the execution of
that JSP. While Remote Code Execution would normally be viewed as a
critical vulnerability, the circumstances under which this is possible
are, in the view of the Tomcat security team, sufficiently limited that
this vulnerability is viewed as important.
For this attack to succeed all of the following requirements must be met:
a) Using Oracle Java 1.7.0 update 25 or earlier (or any other Java
   implementation where java.io.File is vulnerable to null byte
   injection).
b) A web application must be deployed to a vulnerable version of Tomcat
   (see previous section).
c) The web application must use the Servlet 3.0 File Upload feature.
d) A file location within a deployed web application must be writeable
   by the user the Tomcat process is running as. The Tomcat security
   documentation recommends against this.
e) A custom listener for JMX connections (e.g. the JmxRemoteListener
   that is not enabled by default) must be configured and be able to
   load classes from Tomcat's common class loader (i.e. the custom JMX
   listener must be placed in Tomcat's lib directory)
f) The custom JMX listener must be bound to an address other than
   localhost for a remote attack (it is bound to localhost by default).
   If the custom JMX listener is bound to localhost, a local attack
   will still be possible.

Note that requirements b) and c) may be replaced with the following
requirement:
g) A web application is deployed that uses Apache Commons File Upload
   1.2.1 or earlier.
In this case a similar vulnerability may exist on any Servlet container,
not just Apache Tomcat.

Mitigation:
This vulnerability may be mitigated by using any one of the following
mitigations:
- Upgrade to Oracle Java 1.7.0 update 40 or later (or any other Java
  implementation where java.io.File is not vulnerable to null byte
  injection).
- Use OS file permissions to prevent the process Tomcat is running as
  from writing to any location within a deployed application.
- Disable any custom JMX listeners
- Upgrade to Apache Tomcat 7.0.40 or later

Credit:
This issue was identified by Pierre Ernst of the VMware Security
Engineering, Communications & Response group (vSECR) and reported to
the Tomcat security team via the Pivotal security team.

References:
[1] http://tomcat.apache.org/security-7.html
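The attack described above hinges on a file name that passes a Java-side check (for example, an extension test) but is truncated at the embedded null byte once java.io.File hands it to the C runtime, so the upload lands as a JSP inside a writable web application. As an added example that is not part of the advisory or of Tomcat's code, the following validator refuses such names before any file system call; the upload root path is a placeholder, and the submitted name is assumed to come from the multipart Content-Disposition header:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Constructed example: validate a multipart upload's file name before it reaches the file system. */
public final class UploadNameCheck {

    /** Uploads belong outside any deployed web application. Placeholder path. */
    static final Path UPLOAD_ROOT = Paths.get("/var/lib/app-uploads");

    /** Reasons a submitted name is refused, kept as an enum so callers can log them. */
    enum Reject { NONE, EMPTY, NUL_BYTE, CONTROL_CHAR, PATH_SEPARATOR, ESCAPES_ROOT }

    static Reject check(String submitted) {
        if (submitted == null || submitted.isEmpty()) return Reject.EMPTY;
        // The CVE-2013-4444 case: "upload.jsp\0.png" looks like a PNG to a Java extension
        // check, but a pre-7u40 java.io.File passes the truncated "upload.jsp" to the OS.
        if (submitted.indexOf('\0') >= 0) return Reject.NUL_BYTE;
        for (int i = 0; i < submitted.length(); i++) {
            if (Character.isISOControl(submitted.charAt(i))) return Reject.CONTROL_CHAR;
        }
        // Browsers may send a full client path; refuse rather than strip, because the same
        // separators carry traversal attempts toward webapps/ directories.
        if (submitted.indexOf('/') >= 0 || submitted.indexOf('\\') >= 0) {
            return Reject.PATH_SEPARATOR;
        }
        // The resolved, normalized target must still lie under UPLOAD_ROOT (catches a bare "..").
        Path target = UPLOAD_ROOT.resolve(submitted).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) return Reject.ESCAPES_ROOT;
        return Reject.NONE;
    }

    public static void main(String[] args) {
        // Constructed sample names, as a browser or a crafted client might submit them.
        String[] samples = {
            "report.pdf",                        // accepted
            "upload.jsp\u0000.png",              // NUL_BYTE
            "../../webapps/ROOT/upload.jsp",     // PATH_SEPARATOR
            "C:\\Users\\victim\\notes.txt",      // PATH_SEPARATOR
            "..",                                // ESCAPES_ROOT
            "",                                  // EMPTY
        };
        for (String s : samples) {
            System.out.printf("%-35s -> %s%n", s.replace("\0", "\\0"), check(s));
        }
    }
}
```

Accepted names should still be written only under UPLOAD_ROOT, which together with the OS-permission mitigation listed above removes the writable-webapp precondition entirely.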
Comment 1 Marcus Meissner 2014-09-10 14:27:40 UTC
SUSE:SLE-12:GA              tomcat     7.0.55  - not affected

openSUSE 12.3 has 7.0.35  - affected
openSUSE 13.1 has 7.0.42  - not affected

so we need an openSUSE 12.3 update I think
Comment 2 Marcus Meissner 2014-09-10 14:32:41 UTC
(it's an old issue, not sure why they reported it now)
Comment 3 Swamp Workflow Management 2014-09-10 22:00:38 UTC
bugbot adjusting priority
Comment 4 Bo Maryniuk 2014-09-12 13:09:40 UTC
Can we close this now?
Comment 5 Marcus Meissner 2014-09-12 13:17:19 UTC
I just opened it, because openSUSE 12.3 is not fixed.
Comment 6 Duncan Mac-Vicar 2014-09-15 07:28:12 UTC
Can we just update 12.3 to 7.0.35?
Comment 7 Marcus Meissner 2014-09-15 11:33:19 UTC
it is at version 7.0.35 currently

we can update to a new version, which should be same or lower than 13.1

or we can update both 12.3 and 13.1 to 7.0.55 (current stable).
Comment 9 Marcus Meissner 2014-09-17 06:17:16 UTC
weird enough, we got this:

(this would be bug 838671 )

From: Arun Babu Neelicattu <abn@redhat.com>
Subject: [oss-security] Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185
Date: Wed, 17 Sep 2014 00:10:16 -0400 (EDT)

Recently Apache Tomcat issued an advisory [1] for CVE-2013-4444 [2]. However, this flaw was reported to the Apache Tomcat Security team last year. We were instructed that Apache Tomcat team did not consider this a vulnerability. Red Hat Product Security handled this issue as CVE-2013-2185 [3] in our affected products.

We request that CVE-2013-4444 be marked as a duplicate of CVE-2013-2185.

-arun

[1] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4444
[3] https://bugzilla.redhat.com/CVE-2013-2185
Comment 10 Duncan Mac-Vicar 2014-09-17 09:14:52 UTC
https://build.opensuse.org/request/show/249907
Comment 11 Marcus Meissner 2014-09-22 12:17:41 UTC
i merged this manually now, as 13.1/tomcat had lots of perhaps changes not working for 12.3
Comment 12 Duncan Mac-Vicar 2014-10-01 11:27:14 UTC
(In reply to Marcus Meissner from comment #11)
> i merged this manually now, as 13.1/tomcat had lots of perhaps changes not
> working for 12.3

Thanks. Can be closed then?
Comment 13 Marcus Meissner 2014-10-01 12:00:18 UTC
yes
Comment 14 Swamp Workflow Management 2014-10-01 14:04:58 UTC
openSUSE-RU-2014:1264-1: An update that fixes one vulnerability is now available.

Category: recommended (moderate)
Bug References: 896047
CVE References: CVE-2013-4444
Sources used:
openSUSE 12.3 (src):    tomcat-7.0.42-2.43.1