On Wed, Aug 31, 2011 at 01:22:51PM +0300, Henri Salo wrote: > On Mon, Aug 29, 2011 at 08:52:00PM +0100, Mark Thomas wrote: > > CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure > > > > Severity: Important > > > > Vendor: The Apache Software Foundation > > > > Versions Affected: > > - Tomcat 7.0.0 to 7.0.20 > > - Tomcat 6.0.0 to 6.0.33 > > - Tomcat 5.5.0 to 5.5.33 > > - Earlier, unsupported versions may also be affected > > > > Description: > > Apache Tomcat supports the AJP protocol which is used with reverse > > proxies to pass requests and associated data about the request from the > > reverse proxy to Tomcat. The AJP protocol is designed so that when a > > request includes a request body, an unsolicited AJP message is sent to > > Tomcat that includes the first part (or possibly all) of the request > > body. In certain circumstances, Tomcat did not process this message as a > > request body but as a new request. This permitted an attacker to have > > full control over the AJP message which allowed an attacker to (amongst > > other things): > > - insert the name of an authenticated user > > - insert any client IP address (potentially bypassing any client IP > > address filtering) > > - trigger the mixing of responses between users > > > > The following AJP connector implementations are not affected: > > org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default) > > > > The following AJP connector implementations are affected: > > > > org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default) > > org.apache.coyote.ajp.AjpNioProtocol (7.0.x) > > org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x) > > > > Further, this issue only applies if all of the following are are true > > for at least one resource: > > - POST requests are accepted > > - The request body is not processed > > > > > > Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 > > > > Mitigation: > > Users of affected versions should apply one of the following mitigations: > > - Upgrade to a version of Apache Tomcat that includes a fix for this > > issue when available > > - Apply the appropriate patch > > - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev > > - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev > > - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev > > - Configure the reverse proxy and Tomcat's AJP connector(s) to use the > > requiredSecret attribute > > - Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not > > available for Tomcat 7.0.x) > > > > Credit: > > The issue was reported via Apache Tomcat's public issue tracker. > > The Apache Tomcat security team strongly discourages reporting of > > undisclosed vulnerabilities via public channels. All Apache Tomcat > > security vulnerabilities should be reported to the private security team > > mailing list: [email protected] > > > > References: > > http://tomcat.apache.org/security.html > > http://tomcat.apache.org/security-7.html > > http://tomcat.apache.org/security-6.html > > http://tomcat.apache.org/security-5.html > > https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 > > Do you have any information when the supported security release is going to > be announced? Patching production using diff from SVN is not usually very > nice :) > > Best regards, > Henri Salo
Version 7.0.21 is available: http://tomcat.apache.org/security-7.html http://tomcat.apache.org/download-70.cgi Best regards, Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
