Bug 504753 (CVE-2008-5515)

Summary: CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability
Product: [Other] Security Response Reporter: Marc Schoenefeld <mschoene>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Pavel Kralik <pkralik>
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: dknox, kreilly, kseifried, mvecera, pkralik, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-25 20:11:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 504758, 504759, 504760, 504761, 528911, 528912, 528913, 528914, 533903, 533905    
Bug Blocks:    

Description Marc Schoenefeld 2009-06-09 08:19:48 UTC 
http://marc.info/?l=tomcat-dev&m=124449799021570&w=2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
When using a RequestDispatcher obtained from the Request, the target
path was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.

Mitigation:
6.0.x users should upgrade to 6.0.20 or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=734734
5.5.x users should upgrade to 5.5.28 when released or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=782757
4.1.x users should upgrade to 4.1.40 when released or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=782763

Example:
For a page that contains:
<%
request.getRequestDispatcher( "bar.jsp?somepar=someval&par=" +
    request.getParameter( "blah" ) ).forward( request, response );
%>

an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by Iida Minehiko, Fujitsu Limited

References:
http://tomcat.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkotiBQACgkQb7IeiTPGAkMi6QCgnlzEt/7byUJo2YXGHMLj2ckH
rF8AoK8dmpZcxd5pV9VvEaPqm4xhXJPO
=bDV5
-----END PGP SIGNATURE-----
Comment 4 Marc Schoenefeld 2009-06-10 14:41:53 UTC 
5.5.x revision have been extended to: 

This was fixed in revision 782757 and  revision 783291.
(http://tomcat.apache.org/security-5.html)

4.1.x revisions have been extended to: 

This was fixed in revision 782763 and  revision 783292.
(http://tomcat.apache.org/security-4.html)
Comment 5 errata-xmlrpc 2009-07-06 11:41:10 UTC 
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1145 https://rhn.redhat.com/errata/RHSA-2009-1145.html
Comment 6 errata-xmlrpc 2009-07-06 11:41:37 UTC 
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1146 https://rhn.redhat.com/errata/RHSA-2009-1146.html
Comment 7 errata-xmlrpc 2009-07-06 11:42:27 UTC 
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1143 https://rhn.redhat.com/errata/RHSA-2009-1143.html
Comment 8 errata-xmlrpc 2009-07-06 11:42:41 UTC 
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1144 https://rhn.redhat.com/errata/RHSA-2009-1144.html
Comment 9 errata-xmlrpc 2009-07-21 20:56:42 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html
Comment 10 errata-xmlrpc 2009-09-21 15:51:58 UTC 
This issue has been addressed in following products:

  JBEWS 1.0.0 for RHEL 4
  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1454 https://rhn.redhat.com/errata/RHSA-2009-1454.html
Comment 14 errata-xmlrpc 2009-10-14 16:15:27 UTC 
This issue has been addressed in following products:

  JBEWS 1.0.0 for RHEL 5
  JBEWS 1.0.0 for RHEL 4

Via RHSA-2009:1506 https://rhn.redhat.com/errata/RHSA-2009-1506.html
Comment 15 errata-xmlrpc 2009-11-09 15:26:33 UTC 
This issue has been addressed in following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html
Comment 16 errata-xmlrpc 2009-11-09 15:37:43 UTC 
This issue has been addressed in following products:

  Red Hat Developer Suite V.3

Via RHSA-2009:1563 https://rhn.redhat.com/errata/RHSA-2009-1563.html
Comment 21 errata-xmlrpc 2009-11-30 15:16:24 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.2
  Red Hat Network Satellite Server v 5.3

Via RHSA-2009:1616 https://rhn.redhat.com/errata/RHSA-2009-1616.html
Comment 22 errata-xmlrpc 2009-11-30 15:18:16 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1617 https://rhn.redhat.com/errata/RHSA-2009-1617.html
Comment 23 errata-xmlrpc 2010-08-04 21:31:14 UTC 
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
Comment 24 Kurt Seifried 2011-10-25 20:11:45 UTC 
All children bugs are closed, closing parent bug