lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 09 Oct 2008 23:46:19 +0100
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>,
	Tomcat Developers List <dev@...cat.apache.org>,
	bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-3271: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.31
Tomcat 5.5.0
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.

Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later

Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.

    1. Set a breakpoint right after the place where a value
       is to be entered in the instance variable of regexp
       (search:org.apache.regexp.CharacterIterator).

    2. Send a request from the IP address* which is not permitted.
       (stopped at the breakpoint)

       *About the IP address which is not permitted.
       The character strings length of the IP address which is set
       in RemoteAddrValve must be same.

    3. Send a request from the IP address which was set in
       RemoteAddrValve.
       (stopped at the breakpoint)
       In this way, the instance variable is to be overwritten here.

    4. Resume the thread which is processing the step 2 above.

    5. The request from the not permitted IP address will succeed.

Credit:
This issue was discovered by Kenichi Tsukamoto (Development Dept. II,
Application Management Middleware Div., FUJITSU LIMITED) and reported to
the Tomcat security team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj
=9Z/F
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists