lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20110907152746.GA25304@foo.fgeek.fi>
Date: Wed, 7 Sep 2011 18:27:46 +0300
From: Henri Salo <henri@...v.fi>
To: Mark Thomas <markt@...che.org>, full-disclosure@...ts.grok.org.uk
Subject: Re: [SECURITY] CVE-2011-3190 Apache Tomcat
 Authentication bypass and information disclosure

On Wed, Aug 31, 2011 at 01:22:51PM +0300, Henri Salo wrote:
> On Mon, Aug 29, 2011 at 08:52:00PM +0100, Mark Thomas wrote:
> > CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
> > 
> > Severity: Important
> > 
> > Vendor: The Apache Software Foundation
> > 
> > Versions Affected:
> > - Tomcat 7.0.0 to 7.0.20
> > - Tomcat 6.0.0 to 6.0.33
> > - Tomcat 5.5.0 to 5.5.33
> > - Earlier, unsupported versions may also be affected
> > 
> > Description:
> > Apache Tomcat supports the AJP protocol which is used with reverse
> > proxies to pass requests and associated data about the request from the
> > reverse proxy to Tomcat. The AJP protocol is designed so that when a
> > request includes a request body, an unsolicited AJP message is sent to
> > Tomcat that includes the first part (or possibly all) of the request
> > body. In certain circumstances, Tomcat did not process this message as a
> > request body but as a new request. This permitted an attacker to have
> > full control over the AJP message which allowed an attacker to (amongst
> > other things):
> > - insert the name of an authenticated user
> > - insert any client IP address (potentially bypassing any client IP
> > address filtering)
> > - trigger the mixing of responses between users
> > 
> > The following AJP connector implementations are not affected:
> > org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)
> > 
> > The following AJP connector implementations are affected:
> > 
> > org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
> > org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
> > org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)
> > 
> > Further, this issue only applies if all of the following are are true
> > for at least one resource:
> > - POST requests are accepted
> > - The request body is not processed
> > 
> > 
> > Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
> > 
> > Mitigation:
> > Users of affected versions should apply one of the following mitigations:
> > - Upgrade to a version of Apache Tomcat that includes a fix for this
> > issue when available
> > - Apply the appropriate patch
> >   - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
> >   - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
> >   - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
> > - Configure the reverse proxy and Tomcat's AJP connector(s) to use the
> > requiredSecret attribute
> > - Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
> > available for Tomcat 7.0.x)
> > 
> > Credit:
> > The issue was reported via Apache Tomcat's public issue tracker.
> > The Apache Tomcat security team strongly discourages reporting of
> > undisclosed vulnerabilities via public channels. All Apache Tomcat
> > security vulnerabilities should be reported to the private security team
> > mailing list: security@...cat.apache.org
> > 
> > References:
> > http://tomcat.apache.org/security.html
> > http://tomcat.apache.org/security-7.html
> > http://tomcat.apache.org/security-6.html
> > http://tomcat.apache.org/security-5.html
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
> 
> Do you have any information when the supported security release is going to be announced? Patching production using diff from SVN is not usually very nice :)
> 
> Best regards,
> Henri Salo

Version 7.0.21 is available:

http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/download-70.cgi

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ