Bug 466875 (CVE-2008-3271)

Summary: CVE-2008-3271 tomcat RemoteFilterValve Information disclosure
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: dwalluck, fnasser, kseifried, mjc, mschoene
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-09-30 20:44:17 UTC
Bug Depends On: 468344, 468345, 468346, 468348, 470238, 470239

Description Marc Schoenefeld 2008-10-14 10:30:42 UTC
List:       bugtraq
Subject:    [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure
From:       Mark Thomas <markt () apache ! org>
Date:       2008-10-09 22:46:19
Message-ID: 48EE89BB.3000203 () apache ! org

CVE-2008-3271: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.31
Tomcat 5.5.0
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.

Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later

Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.

    1. Set a breakpoint right after the place where a value
       is to be entered in the instance variable of regexp
       (search:org.apache.regexp.CharacterIterator).

    2. Send a request from the IP address* which is not permitted.
       (stopped at the breakpoint)

       *About the IP address which is not permitted.
       The character string length of the IP address which is set
       in RemoteAddrValve must be the same.

    3. Send a request from the IP address which was set in
       RemoteAddrValve.
       (stopped at the breakpoint)
       In this way, the instance variable is to be overwritten here.

    4. Resume the thread which is processing step 2 above.

    5. The request from the non-permitted IP address will succeed.

Credit:
This issue was discovered by Kenichi Tsukamoto (Development Dept. II,
Application Management Middleware Div., FUJITSU LIMITED) and reported to
the Tomcat security team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas

Comment 1 Marc Schoenefeld 2008-10-15 13:22:11 UTC
Created attachment 320434
Patch draft for RequestFilterValve.java taken from source code diff tomcat 4.1.31 to 4.1.32

The basic idea of this patch draft is to replace thread-unsafe RE objects with thread-safe REProgram objects and generate the RE object on the fly when needed to check.

This source code diff still needs forward porting to tomcat 5.0.x
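
The idea described in Comment 1 (share only the thread-safe compiled program and create the stateful matcher per check), shown next to the shared-instance form it replaces. This is an added example, not part of the bug report or the Tomcat patch. It assumes java.util.regex as a stand-in for org.apache.regexp, with Pattern in the role of REProgram and Matcher in the role of RE; the class and method names and the 192.0.2.x addresses are constructed for illustration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SharedMatcherRace {
    interface Check { boolean allowed(String addr, Runnable pause); }

    // Compiled pattern: immutable and thread-safe (the role REProgram plays in the patch).
    static final Pattern ALLOW = Pattern.compile("192\\.0\\.2\\.10"); // constructed allow rule
    // Stateful matcher shared by every request thread (the role of the shared RE object).
    static final Matcher SHARED = ALLOW.matcher("");

    // Before: input is stored in the shared instance, then evaluated in a second step.
    // pause stands in for the debugger breakpoint between the two steps.
    static boolean unsafeAllowed(String addr, Runnable pause) {
        SHARED.reset(addr);
        pause.run();
        return SHARED.matches(); // evaluates whatever input the instance holds now
    }

    // After: only the compiled pattern is shared; the stateful matcher is built per check.
    static boolean safeAllowed(String addr, Runnable pause) {
        Matcher m = ALLOW.matcher(addr);
        pause.run();
        return m.matches();
    }

    // Forces the advisory's ordering: the non-permitted request stores its address,
    // a permitted request runs in the gap, then the first request resumes.
    static boolean deniedAddressAdmitted(Check check) throws InterruptedException {
        CountDownLatch stored = new CountDownLatch(1), resume = new CountDownLatch(1);
        boolean[] result = new boolean[1];
        Thread first = new Thread(() -> result[0] = check.allowed("192.0.2.99", () -> {
            stored.countDown();
            try { resume.await(); } catch (InterruptedException e) { throw new IllegalStateException(e); }
        }));
        first.start();
        stored.await();                          // first request has stored its address
        check.allowed("192.0.2.10", () -> { });  // permitted request runs in the gap
        resume.countDown();
        first.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared matcher:    " + deniedAddressAdmitted(SharedMatcherRace::unsafeAllowed));
        System.out.println("per-check matcher: " + deniedAddressAdmitted(SharedMatcherRace::safeAllowed));
    }
}
```

The latches make the interleaving deterministic so the difference between the two forms is visible on every run; in production the same ordering depends on thread scheduling, which is why the advisory calls it very rare.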

Comment 2 Fernando Nasser 2008-10-20 14:00:59 UTC
Have you shown this to Remy and Jean-Frederic?  What did they say?  Thanks.

Comment 7 Kurt Seifried 2011-09-30 20:44:17 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite (v. 5.0 for RHEL 4)
  Red Hat Network Satellite (v. 5.1 for RHEL 4)

Via RHSA-2008:1007 available at https://rhn.redhat.com/errata/RHSA-2008-1007.html