Bug 1311076 (CVE-2015-5351)

Summary: CVE-2015-5351 tomcat: CSRF token leak
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: csutherl, dknox, hannsj_uhl, jclere, jdoyle, lgao, mbabacek, myarboro, pslavice, rsvoboda, twalsh, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 8.0.32, tomcat 7.0.68 Doc Type: Bug Fix
Doc Text:
A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:48:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1311095, 1311102, 1316027, 1316028, 1321767, 1321768, 1321769, 1347132, 1347133, 1352009, 1381944    
Bug Blocks: 1311109, 1318206, 1382592    

Description Andrej Nemec 2016-02-23 10:51:25 UTC 
The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
unauthenticated request to the root of the web application. This token
could then be used by an attacker to construct a CSRF attack.

External references:

http://seclists.org/bugtraq/2016/Feb/148
Comment 1 Andrej Nemec 2016-02-23 11:54:40 UTC 
Upstream patches:

Tomcat7:

http://svn.apache.org/viewvc?view=revision&revision=1720661
http://svn.apache.org/viewvc?view=revision&revision=1720663

Tomcat8:

http://svn.apache.org/viewvc?view=revision&revision=1720658
http://svn.apache.org/viewvc?view=revision&revision=1720660
Comment 5 errata-xmlrpc 2016-05-17 16:15:14 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
Comment 6 errata-xmlrpc 2016-05-17 16:32:03 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
Comment 7 errata-xmlrpc 2016-05-17 16:33:17 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
Comment 10 Fedora Update System 2016-09-01 16:19:42 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-09-02 09:21:31 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2016-11-03 21:10:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html
Comment 16 errata-xmlrpc 2016-11-17 20:33:43 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html
Comment 17 errata-xmlrpc 2016-11-17 20:37:30 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html