Bug 1265698 (CVE-2015-5174)

Summary: CVE-2015-5174 tomcat: URL Normalization issue
Product: [Other] Security Response
Reporter: Timothy Walsh <twalsh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aogburn, csutherl, jclere, jdoyle, lgao, mbabacek, myarboro, pslavice, rsvoboda, security-response-team, twalsh, weli, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: tomcat 6.0.45, tomcat 7.0.65, tomcat 8.0.27
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:43:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1265704, 1273410, 1311095, 1311102, 1315982, 1315983, 1347128, 1347129, 1351915, 1367051, 1367052
Bug Blocks: 1265668, 1311109

Description Timothy Walsh 2015-09-23 13:47:58 UTC
URL Normalisation issue

A directory traversal vulnerability exists in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 that allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Comment 7 Andrej Nemec 2016-02-23 11:52:07 UTC
When accessing resources via the ServletContext methods getResource(),
getResourceAsStream() and getResourcePaths(), the paths should be limited
to the current web application. The validation was not correct and paths
of the form "/.." were not rejected. Note that paths starting with
"/../" were correctly rejected.
This bug allowed malicious web applications running under a security
manager to obtain a directory listing for the directory in which the web
application had been deployed. This should not be possible when running
under a security manager. Typically, the directory listing that would be
exposed would be for $CATALINA_BASE/webapps.

External references:

http://seclists.org/bugtraq/2016/Feb/149
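
The normalization gap described in Comment 7, as an added worked example that is not part of the original bug report and is not Tomcat's own RequestUtil.java: a Python model of the pre-fix normalize() algorithm (it only ever matches "/../" with a closing slash, so a path that ends in "/.." survives), a fixed variant that gives a trailing "/.." or "/." its closing slash before the segment loops run (my assumption about the shape of the fix, not a quote of the upstream patch), and a model of the resource lookup that shows where the surviving "/.." actually lands. The web application root, the probe paths and the escapes_root() helper are constructed for this example.

```python
"""Python model of the path normalisation behind CVE-2015-5174.

Constructed example: not Tomcat's code. It reproduces the algorithm shape
described in the bug (collapse "//", "/./" and "/../"; refuse to climb above
the root) to show why "/.." slipped past a check that rejected "/../".
"""
import posixpath

# Constructed web application root; stands in for $CATALINA_BASE/webapps/<app>.
WEBAPP_ROOT = "/opt/tomcat/webapps/demo"


def normalize_flawed(path):
    """Model of the pre-fix normalize(): returns the collapsed path, or None
    when the path tries to go above the context root. The "/../" loop needs
    the trailing slash, so a path that *ends* in "/.." comes back untouched."""
    if path is None:
        return None
    normalized = path
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    while "//" in normalized:
        normalized = normalized.replace("//", "/")
    while True:  # resolve "/./" segments
        index = normalized.find("/./")
        if index < 0:
            break
        normalized = normalized[:index] + normalized[index + 2:]
    while True:  # resolve "/../" segments
        index = normalized.find("/../")
        if index < 0:
            break
        if index == 0:
            return None  # trying to go outside our context
        index2 = normalized.rfind("/", 0, index)
        normalized = normalized[:index2] + normalized[index + 3:]
    return normalized


def normalize_fixed(path):
    """Assumed fix (not the literal upstream patch): a trailing "/." or "/.."
    gets its closing slash first, so the existing loops handle it like any
    other dot segment and "/.." is refused exactly like "/../"."""
    if path is None:
        return None
    if path.endswith("/.") or path.endswith("/.."):
        path = path + "/"
    return normalize_flawed(path)


def resolve_resource(normalized):
    """Model of the resource lookup: the normalised path is joined onto the
    web application root, and the file system does understand ".."."""
    return posixpath.normpath(WEBAPP_ROOT + normalized)


def get_resource_paths(path, normalize=normalize_flawed):
    """Model of ServletContext.getResourcePaths(): the path must start with
    "/", is normalised, and the returned value is the directory that would
    be listed (None when the request is refused)."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    normalized = normalize(path)
    if normalized is None:
        return None
    return resolve_resource(normalized)


def escapes_root(resolved):
    """Defence-in-depth check: the resolved target must stay at or below the
    web application root, whatever the normaliser did."""
    return not (resolved == WEBAPP_ROOT or resolved.startswith(WEBAPP_ROOT + "/"))


if __name__ == "__main__":
    for probe in ["/../", "/..", "/WEB-INF/..", "/WEB-INF/../..", "/./"]:
        print(f"{probe:16} flawed -> {get_resource_paths(probe)!s:28} "
              f"fixed -> {get_resource_paths(probe, normalize_fixed)}")
```

Running the block prints, for each probe, the directory the flawed and the fixed normaliser would let the lookup list; "/.." and "/WEB-INF/../.." both escape to the webapps directory under the flawed version and are refused under the fixed one, which is the behaviour Comment 7 describes.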

Comment 12 errata-xmlrpc 2016-07-18 19:07:05 UTC
This issue has been addressed in the following products:

   Red Hat JBoss Enterprise Application Platform

Via RHSA-2016:1435 https://rhn.redhat.com/errata/RHSA-2016-1435.html

Comment 13 errata-xmlrpc 2016-07-18 19:41:50 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434

Comment 14 errata-xmlrpc 2016-07-18 19:42:31 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432

Comment 15 errata-xmlrpc 2016-07-18 19:45:41 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433

Comment 19 errata-xmlrpc 2016-10-10 20:42:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 20 errata-xmlrpc 2016-11-03 21:09:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html