Bug 1636512 (CVE-2018-11784)

Summary: CVE-2018-11784 tomcat: Open redirect in default servlet
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aferreir, aileenc, alazarot, alee, anstephe, avibelli, bgeorges, bmaxwell, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dimitris, dosoudil, drieden, etirelli, fgavrilo, gandavar, gvarsami, gzaronik, hhorak, ibek, ikanello, ivan.afonichev, java-sig-commits, jawilson, jbalunas, jclere, jcoleman, jdoyle, jochrist, jolee, jondruse, jorton, jpallich, jschatte, jshepherd, jstastny, kconner, krathod, krzysztof.daniel, kverlaen, ldimaggi, lgao, loleary, lpetrovi, lthon, mbabacek, mizdebsk, mszynkie, myarboro, nwallace, paradhya, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, rhcs-maint, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sdaley, spinder, tcunning, theute, tkirby, trogers, twalsh, vhalbert, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 9.0.12, tomcat 8.5.34, tomcat 7.0.91 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:39:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1636513, 1636514, 1641873, 1641874, 1676828, 1711342    
Bug Blocks: 1636515    

Description Pedro Sampaio 2018-10-05 15:00:38 UTC 
A flaw was found in Apache tomcat. When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

References:

https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E
Comment 1 Pedro Sampaio 2018-10-05 15:01:57 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1636514]
Affects: fedora-all [bug 1636513]
Comment 2 Tomas Hoger 2018-10-05 19:11:40 UTC 
External References:

http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.12
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.91
Comment 3 Tomas Hoger 2018-10-05 19:12:58 UTC 
Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1840055  9.0.x
http://svn.apache.org/viewvc?view=revision&revision=1840056  8.5.x
http://svn.apache.org/viewvc?view=revision&revision=1840057  7.0.x
Comment 5 Doran Moppert 2018-10-23 04:32:48 UTC 
This vulnerability does not affect Tomcat 6.0.24 as Response.sendRedirect() always sends an absolute URL.

Vulnerable versions of Tomcat may not be exploitable under either the following conditions:

 - if org.apache.catalina.STRICT_SERVLET_COMPLIANCE set to true
 - if org.apache.catalina.servlets.DefaultServlet is either:
   - not deployed at all
   - only deployed with Context attribute useRelativeRedirects set to false
   - only deploted with both Context attributes mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled are set to false
Comment 8 errata-xmlrpc 2019-01-22 13:36:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0130
Comment 9 errata-xmlrpc 2019-01-22 13:41:19 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2019:0131 https://access.redhat.com/errata/RHSA-2019:0131
Comment 10 errata-xmlrpc 2019-03-13 15:50:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0485 https://access.redhat.com/errata/RHSA-2019:0485
Comment 12 Joshua Padman 2019-05-15 22:51:14 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Grid 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 13 errata-xmlrpc 2019-06-18 17:21:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529