Bug 967965 (CVE-2015-5345) - VUL-0: CVE-2015-5345: tomcat6, tomcat: directory disclosure
Summary: VUL-0: CVE-2015-5345: tomcat6, tomcat: directory disclosure
Status: RESOLVED FIXED
Alias: CVE-2015-5345
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/162124/
Whiteboard: CVSSv2:RedHat:CVE-2015-5345:5.0:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-24 08:12 UTC by Alexander Bergmann
Modified: 2018-08-23 16:08 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-02-24 08:12:10 UTC 
http://seclists.org/bugtraq/2016/Feb/146

CVE-2015-5345 Apache Tomcat Directory disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 6.0.0 to 6.0.44
- - Apache Tomcat 7.0.0 to 7.0.66
- - Apache Tomcat 8.0.0.RC1 to 8.0.29
- - Apache Tomcat 9.0.0.M1
- - Earlier, unsupported Tomcat versions may be affected

Description:
When accessing a directory protected by a security constraint with a URL
that did not end in a slash, Tomcat would redirect to the URL with the
trailing slash thereby confirming the presence of the directory before
processing the security constraint. It was therefore possible for a user
to determine if a directory existed or not, even if the user was not
permitted to view the directory. The issue also occurred at the root of
a web application in which case the presence of the web application was
confirmed, even if a user did not have access.

The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were
processed before the redirect. The Tomcat team recognised that moving
the redirect could cause regressions to two new Context configuration
options (mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The initial default was
false for both since this was more secure. However, due to regressions
such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled
was later changed to true since it was viewed that the regression was
more serious than the security risk of associated with being able to
determine if a web application was deployed at a given path.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.30 or later
- - Upgrade to Apache Tomcat 7.0.67 or later
- - Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by Mark Koek of QCSec.

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
[5] http://tomcat.apache.org/security-6.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1311089
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5345.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
Comment 1 Swamp Workflow Management 2016-02-24 23:00:25 UTC 
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-03-15 14:13:34 UTC 
SUSE-SU-2016:0769-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    tomcat-8.0.32-3.1
Comment 3 Swamp Workflow Management 2016-03-18 18:14:29 UTC 
SUSE-SU-2016:0822-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
SUSE Linux Enterprise Server 12 (src):    tomcat-7.0.68-7.6.1
Comment 4 Swamp Workflow Management 2016-03-21 13:15:03 UTC 
SUSE-SU-2016:0839-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 934219,967815,967964,967965,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2016-0706,CVE-2016-0714
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    tomcat6-6.0.45-0.50.1
Comment 5 Swamp Workflow Management 2016-03-23 17:10:49 UTC 
openSUSE-SU-2016:0865-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
openSUSE Leap 42.1 (src):    tomcat-8.0.32-5.1
Comment 6 Matei Albu 2016-11-02 12:45:55 UTC 
Tomcat was patched. This can be closed.
Comment 7 Marcus Meissner 2017-07-03 13:20:33 UTC 
released