Bug 1140314 (CVE-2013-4444)

Summary: CVE-2013-4444 tomcat: remote code execution via uploaded JSP
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, akurtako, alee, aneelica, asantos, bdawidow, cdewolf, chazlett, dandread, darran.lofthouse, djorm, dknox, epp-bugs, felias, fnasser, gmurphy, gvarsami, hfnukal, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jbpapp-maint, jclere, jcoleman, jdg-bugs, jdoyle, jolee, jpallich, kconner, kkhan, krzysztof.daniel, ldimaggi, lgao, mweiler, myarboro, nwallace, pavelp, pcheung, pgier, pslavice, rhq-maint, rsvoboda, rwagner, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 7.0.40 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-15 07:27:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1140317    
Bug Blocks: 1140316    

Description Vincent Danen 2014-09-10 16:32:44 UTC 
As reported fixed in Apache Tomcat 7.0.40 [1]:

In very limited circumstances, it was possible for an attacker to upload a malicious JSP to a Tomcat server and then trigger the execution of that JSP. While Remote Code Execution would normally be viewed as a critical vulnerability, the circumstances under which this is possible are, in the view of the Tomcat security team, sufficiently limited that this vulnerability is viewed as important.

For this attack to succeed all of the following requirements must be met:

1. Using Oracle Java 1.7.0 update 25 or earlier (or any other Java implementation where java.io.File is vulnerable to null byte injection).
2. A web application must be deployed to a vulnerable version of Tomcat.
3. The web application must use the Servlet 3.0 File Upload feature.
4. A file location within a deployed web application must be writeable by the user the Tomcat process is running as. The Tomcat security documentation recommends against this.
5. A custom listener for JMX connections (e.g. the JmxRemoteListener that is not enabled by default) must be configured and be able to load classes from Tomcat's common class loader (i.e. the custom JMX listener must be placed in Tomcat's lib directory).
6. The custom JMX listener must be bound to an address other than localhost for a remote attack (it is bound to localhost by default). If the custom JMX listener is bound to localhost, a local attack will still be possible.

Note that requirements 2 and 3 may be replaced with the following requirement:

7. A web application is deployed that uses Apache Commons File Upload 1.2.1 or earlier.

In this case (requirements 1, 4, 5, 6 and 7 met) a similar vulnerability may exist on any Servlet container, not just Apache Tomcat.

This was fixed in revision 1470437. [2] (April 22, 2013)

This issue was identified by Pierre Ernst of the VMware Security Engineering, Communications and Response group (vSECR) and reported to the Tomcat security team via the Pivotal security team on 5 September 2014. It was made public on 10 September 2014.

Affects: 7.0.0 to 7.0.39

[1] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
[2] http://svn.apache.org/viewvc?view=revision&revision=1470437
Comment 1 Vincent Danen 2014-09-10 16:34:09 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1140317]
Comment 3 Arun Babu Neelicattu 2014-09-15 07:13:12 UTC 
Statement:

Not Vulnerable. This issue did not affect the versions of Tomcat and JBoss Web as shipped with any Red Hat product, as this flaw was handled by Red Hat as CVE-2013-2185. This flaw is to be considered a duplicate of CVE-2013-4444.
Comment 4 Arun Babu Neelicattu 2014-09-15 07:27:39 UTC 

*** This bug has been marked as a duplicate of bug 974813 ***