| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110831102251.GB9878@foo.fgeek.fi> Date: Wed, 31 Aug 2011 13:22:51 +0300 From: Henri Salo <henri@...v.fi> To: Mark Thomas <markt@...che.org> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure On Mon, Aug 29, 2011 at 08:52:00PM +0100, Mark Thomas wrote: > CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: > - Tomcat 7.0.0 to 7.0.20 > - Tomcat 6.0.0 to 6.0.33 > - Tomcat 5.5.0 to 5.5.33 > - Earlier, unsupported versions may also be affected > > Description: > Apache Tomcat supports the AJP protocol which is used with reverse > proxies to pass requests and associated data about the request from the > reverse proxy to Tomcat. The AJP protocol is designed so that when a > request includes a request body, an unsolicited AJP message is sent to > Tomcat that includes the first part (or possibly all) of the request > body. In certain circumstances, Tomcat did not process this message as a > request body but as a new request. This permitted an attacker to have > full control over the AJP message which allowed an attacker to (amongst > other things): > - insert the name of an authenticated user > - insert any client IP address (potentially bypassing any client IP > address filtering) > - trigger the mixing of responses between users > > The following AJP connector implementations are not affected: > org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default) > > The following AJP connector implementations are affected: > > org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default) > org.apache.coyote.ajp.AjpNioProtocol (7.0.x) > org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x) > > Further, this issue only applies if all of the following are are true > for at least one resource: > - POST requests are accepted > - The request body is not processed > > > Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 > > Mitigation: > Users of affected versions should apply one of the following mitigations: > - Upgrade to a version of Apache Tomcat that includes a fix for this > issue when available > - Apply the appropriate patch > - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev > - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev > - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev > - Configure the reverse proxy and Tomcat's AJP connector(s) to use the > requiredSecret attribute > - Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not > available for Tomcat 7.0.x) > > Credit: > The issue was reported via Apache Tomcat's public issue tracker. > The Apache Tomcat security team strongly discourages reporting of > undisclosed vulnerabilities via public channels. All Apache Tomcat > security vulnerabilities should be reported to the private security team > mailing list: security@...cat.apache.org > > References: > http://tomcat.apache.org/security.html > http://tomcat.apache.org/security-7.html > http://tomcat.apache.org/security-6.html > http://tomcat.apache.org/security-5.html > https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 Do you have any information when the supported security release is going to be announced? Patching production using diff from SVN is not usually very nice :) Best regards, Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists