Bug 734868 (CVE-2011-3190)
| Summary: | CVE-2011-3190 tomcat: authentication bypass and information disclosure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alee, awnuk, cfu, csutherl, devrim, djorm, dknox, dwalluck, extras-orphan, jdennis, jlieskov, jmagne, jpazdziora, jscotka, luke+redhat, mharmsen, mhasko, pcheung, robinlee.sysu, sochotni, SpikeFedora, tromey |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat 5.5.34 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-05-23 01:44:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 738501, 738502, 738503, 738504, 738505, 738506, 738507 | ||
| Bug Blocks: | 734869 | ||
|
Description
Vincent Danen
2011-08-31 17:06:17 UTC
Tomcat 5 as shipped with Red Hat Enterprise Linux 5 and tomcat 6 as shipped with Red Hat Enterprise Linux 6 are not affected by this flaw when using the default connector configuration. If tomcat native components (APR) are not present, tomcat 5 and 6 will failover to using the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector, which is not vulnerable. There are three different AJP connectors shipped with Red Hat products: org.apache.coyote.ajp.AjpProcessor (Coyote) org.apache.jk.server.JkCoyoteHandler (JK) org.apache.coyote.ajp.AjpAprProcessor (APR) APR is only provided as part of tomcat-native, which is not shipped with Red Hat Enterprise Linux 5 and 6. This flaw affects major Red Hat products as follows: Tomcat 5 (RHEL 5): Coyote not available, JK not affected. Product not affected. Tomcat 5 (EWS 1): Coyote not available, JK not affected, APR affected. Product affected. Customers only affected if using tomcat-native. Tomcat 6 (RHEL 6): Coyote affected. JK not affected. Product affected. Customers only affected if using Coyote, which is not the default and needs to be manually configured. Tomcat 6 (EWS 1): Coyote affected, JK not affected, APR affected. Product affected. JBoss Web: All products using JBoss Web are not affected. A patch made back in 2008 mitigated this vulnerability. Patch documented here: https://issues.jboss.org/browse/JBWEB-117 Commit diff here: http://source.jboss.org/changelog/JBossWeb/?cs=770 Next on the list. Created tomcat6 tracking bugs for this issue Affects: fedora-all [bug 738502] Created tomcat5 tracking bugs for this issue Affects: fedora-all [bug 738501] Updated mitigation options for Tomcat-5 from upstream: ====================================================== Mitigation options: 1) Upgrade to Tomcat 5.5.34. 2) Apply the appropriate patch. 3) Configure both Tomcat and the reverse proxy to use a shared secret. (It is "request.secret" attribute in AJP <Connector>, "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module currently does not support shared secrets). 4) Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation. (It is automatically selected if you do not have Tomcat-Native library installed. It can be also selected explicitly: <Connector protocol="org.apache.jk.server.JkCoyoteHandler">). Relevant patch mentioned in point 2): http://svn.apache.org/viewvc?view=rev&rev=1162960 Updated mitigation options for Tomcat-6 from upstream: ====================================================== Mitigation options: 1) Upgrade to Tomcat 6.0.34. 2) Apply the appropriate patch. 3) Configure both Tomcat and the reverse proxy to use a shared secret. (It is "request.secret" attribute in AJP <Connector>, "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module currently does not support shared secrets). 4) Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation. (It is automatically selected if you do not have Tomcat-Native library installed. It can be also selected explicitly: <Connector protocol="org.apache.jk.server.JkCoyoteHandler">). Relevant patch mentioned in point 2): http://svn.apache.org/viewvc?view=rev&rev=1162959 This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1780 https://rhn.redhat.com/errata/RHSA-2011-1780.html Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)? (In reply to comment #23) > Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)? An erratum for EWS 1.0.2 is in progress. It is currently awaiting QE. This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 6 Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html This issue has been addressed in following products: JBEWS 1.0 Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html This issue has been addressed in following products: JBEWS 1.0 Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 6 Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html |