Bug 1540828 (CVE-2017-15706)

Summary: CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alee, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, darran.lofthouse, dedgar, dimitris, dmcphers, dmoppert, dosoudil, drieden, fgavrilo, gzaronik, hchiorea, hhorak, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jgoulding, jolee, jondruse, jorton, jschatte, jshepherd, jstastny, krzysztof.daniel, lgao, mbabacek, mizdebsk, myarboro, nwallace, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, twalsh, vhalbert, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 9.0.2, tomcat 8.5.24, tomcat 8.0.48, tomcat 7.0.84 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:39:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1540830, 1541080, 1541081, 1541082    
Bug Blocks: 1540831    

Description Sam Fowler 2018-02-01 05:41:40 UTC 
The description of the search algorithm used by the CGI Servlet to identify which script to execute was incorrect. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that it is only the documentation that was incorrect, the behaviour of the CGI servlet remains unchanged.

Versions Affected:
Apache Tomcat 9.0.0.M22 to 9.0.1
Apache Tomcat 8.5.16 to 8.5.23
Apache Tomcat 8.0.45 to 8.0.47
Apache Tomcat 7.0.79 to 7.0.82

Upstream Advisory:
http://tomcat.10.x6.nabble.com/SECURITY-CVE-2017-15706-Apache-Tomcat-Incorrectly-documented-CGI-search-algorithm-td5071565.html
Comment 3 Tomas Hoger 2018-02-01 16:11:11 UTC 
Upstream indicates that the problematic documentation was introduced as part of the fix for the following upstream bug report:

https://bz.apache.org/bugzilla/show_bug.cgi?id=61201

Matching commit is:

http://svn.apache.org/viewvc?view=revision&revision=1799368

Upstream commits correcting the documentation (for various supported branches):

http://svn.apache.org/viewvc?view=rev&rev=1814825  9.x
http://svn.apache.org/viewvc?view=rev&rev=1814827  8.x
http://svn.apache.org/viewvc?view=rev&rev=1814828  7.x

As the relevant part of the documentation was only recently introduced upstream, it is not yet included in the Tomcat packages as shipped in Red Hat Enterprise Linux.
Comment 4 Tomas Hoger 2018-02-01 16:13:32 UTC 
External References:

http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.2
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.84
Comment 6 Tomas Hoger 2018-02-01 16:15:16 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1541082]
Affects: fedora-all [bug 1541081]