Bug 612799 (CVE-2010-2227)

Summary: CVE-2010-2227 tomcat: information leak vulnerability in the handling of 'Transfer-Encoding' header
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: alee, awnuk, cfu, devrim, djorm, dknox, dpospisi, dwalluck, eric, extras-orphan, jlieskov, jmagne, jsherril, manderse, mharmsen, mjc, mschoene, myarboro, pcheung, pjha, rafaels, rruss, skakar, tao, theute, tromey
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20100708,reported=20100708,source=internet,impact=important,cvss2=6.4/AV:N/AC:L/Au:N/C:P/I:N/A:P,fedora-all/tomcat6=affected,rhel-6/tomcat6=affected,jbews-1-el4/tomcat6=affected,jbews-1-el5/tomcat6=affected,fedora-all/tomcat5=affected,rhel-5/tomcat5=affected,jbews-1-el4/tomcat5=affected,jbews-1-el5/tomcat5=affected,RHAPS-EL4/tomcat5=affected,RHDS3/Platform=affected,certificate_system_7.2/Other=affected,certificate_system_7.3/Other=affected,rhn_satellite_5.0/Server=affected,rhn_satellite_5.1/Server=affected,rhn_satellite_5.2/Server=affected,rhn_satellite_5.3/Server=affected
Fixed In Version: tomcat5 5.5.30, tomcat6 6.0.28 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-16 18:36:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 613004, 613005, 613944, 613945, 613946, 613948, 614422, 614424, 616750, 616751, 617501, 632313, 632314    
Bug Blocks:    

Description Vincent Danen 2010-07-09 04:17:46 UTC
A flaw in the handling of the 'Transfer-Encoding' header was found. A
remote attacker could trigger this flaw which would cause subsequent
requests to fail or information to leak between requests. This flaw is
mitigated if Tomcat is behind a proxy as the proxy should reject the
invalid transfer encoding header.

This was fixed in r958977:

http://svn.apache.org/viewvc?view=revision&revision=958977

Upstream 6.0.28 corrects this flaw as noted:

http://tomcat.apache.org/security-6.html

There is no upstream indication that this has been fixed in Tomcat5, however the patches mostly apply (a few rejects) with fuzz.

Comment 4 Vincent Danen 2010-07-09 15:47:38 UTC
Tomcat 5.5.30 is available to fix this flaw:

http://tomcat.apache.org/security-5.html

And the svn revision (patches) to correct it:

http://svn.apache.org/viewvc?view=revision&revision=959428

Comment 18 Jan Lieskovsky 2010-07-27 08:00:51 UTC
This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Enterprise Linux 5.

This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Application Server v2.

This flaw affects the versions of the tomcat5 and tomcat6 packages,
as shipped with JBoss Enterprise Web Server 1.0.1 for Red Hat
Enterprise Linux 4 and 5.

This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Developer Suite 3.

Comment 21 errata-xmlrpc 2010-08-02 20:00:09 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0580 https://rhn.redhat.com/errata/RHSA-2010-0580.html

Comment 22 errata-xmlrpc 2010-08-02 20:17:47 UTC
This issue has been addressed in following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2010:0582 https://rhn.redhat.com/errata/RHSA-2010-0582.html

Comment 23 errata-xmlrpc 2010-08-02 20:17:58 UTC
This issue has been addressed in following products:

  Red Hat Developer Suite V.3

Via RHSA-2010:0583 https://rhn.redhat.com/errata/RHSA-2010-0583.html

Comment 24 errata-xmlrpc 2010-08-02 20:18:05 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.2.0 for RHEL 5
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0584 https://rhn.redhat.com/errata/RHSA-2010-0584.html

Comment 25 errata-xmlrpc 2010-08-02 20:39:07 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2010:0581 https://rhn.redhat.com/errata/RHSA-2010-0581.html

Comment 26 Vincent Danen 2010-09-09 16:51:23 UTC
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 632313]

Comment 27 Vincent Danen 2010-09-09 16:51:31 UTC
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [bug 632314]

Comment 28 errata-xmlrpc 2010-09-10 08:37:20 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0693 https://rhn.redhat.com/errata/RHSA-2010-0693.html

Comment 29 David Jorm 2012-03-28 00:18:50 UTC
This issue has been addressed in an asynchronous patch to JBoss Enterprise Application Platform 5.0.1, available here (login required):

https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=3683&product=appplatform&version=5.0.1&downloadType=securityPatches

It is also fixed in all subsequent versions of JBoss Enterprise Application Platform 5.