Bug 883634 (CVE-2012-3546)

Summary: CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: djorm, grocha, jstefl, lgao, mjc, pcheung
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-12 23:55:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 883702, 883704, 883705, 883706, 883707, 883708, 883709, 883710, 883711, 883712, 883713, 883714, 883715, 892849, 892851, 892852, 895771, 896527, 901352, 903925, 913034, 913035, 913036, 915189, 1014384    
Bug Blocks: 789173, 835396, 849517, 883656, 903405    

Description Arun Babu Neelicattu 2012-12-05 03:24:29 UTC 
When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

Source: Tomcat security pages. [1,2]

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html

Upstream commits:

http://svn.apache.org/viewvc?view=revision&revision=1381035
http://svn.apache.org/viewvc?view=revision&revision=1377892
Comment 4 David Jorm 2012-12-05 06:53:16 UTC 
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 883702]
Comment 5 David Jorm 2012-12-05 06:53:19 UTC 
Created tomcat tracking bugs for this issue

Affects: fedora-all [bug 883704]
Comment 17 Fedora Update System 2012-12-19 08:29:45 UTC 
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2013-01-03 22:55:29 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2013:0005 https://rhn.redhat.com/errata/RHSA-2013-0005.html
Comment 19 errata-xmlrpc 2013-01-03 22:56:04 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.0

Via RHSA-2013:0004 https://rhn.redhat.com/errata/RHSA-2013-0004.html
Comment 20 errata-xmlrpc 2013-01-08 20:35:32 UTC 
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:0147 https://rhn.redhat.com/errata/RHSA-2013-0147.html
Comment 21 errata-xmlrpc 2013-01-08 20:36:06 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2013:0146 https://rhn.redhat.com/errata/RHSA-2013-0146.html
Comment 22 errata-xmlrpc 2013-01-10 05:42:12 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 4.3.0 CP07

Via RHSA-2013:0151 https://rhn.redhat.com/errata/RHSA-2013-0151.html
Comment 23 errata-xmlrpc 2013-01-14 20:44:58 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0157 https://rhn.redhat.com/errata/RHSA-2013-0157.html
Comment 24 errata-xmlrpc 2013-01-14 20:54:23 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0158 https://rhn.redhat.com/errata/RHSA-2013-0158.html
Comment 25 errata-xmlrpc 2013-01-15 19:03:49 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6
  JBEAP 6 for RHEL 5

Via RHSA-2013:0164 https://rhn.redhat.com/errata/RHSA-2013-0164.html
Comment 26 errata-xmlrpc 2013-01-15 19:03:54 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0163 https://rhn.redhat.com/errata/RHSA-2013-0163.html
Comment 27 errata-xmlrpc 2013-01-15 19:04:26 UTC 
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 4.2.0.CP05 and 4.3.0.CP05

Via RHSA-2013:0162 https://rhn.redhat.com/errata/RHSA-2013-0162.html
Comment 28 errata-xmlrpc 2013-01-24 18:09:57 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
Comment 29 errata-xmlrpc 2013-01-24 18:32:47 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
Comment 30 errata-xmlrpc 2013-01-24 18:33:34 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
Comment 31 errata-xmlrpc 2013-01-24 18:45:49 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
Comment 32 errata-xmlrpc 2013-01-24 18:46:35 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
Comment 33 errata-xmlrpc 2013-01-24 18:58:52 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
Comment 34 errata-xmlrpc 2013-01-24 18:59:43 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
Comment 35 errata-xmlrpc 2013-01-24 19:08:44 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html
Comment 36 errata-xmlrpc 2013-01-31 20:31:44 UTC 
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html
Comment 37 errata-xmlrpc 2013-02-04 23:43:56 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2
  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2013:0235 https://rhn.redhat.com/errata/RHSA-2013-0235.html
Comment 39 David Jorm 2013-02-20 09:32:12 UTC 
Statement:

Tomcat 5.5 has reached the end of its supported upstream life-cycle, and the Apache Tomcat project no longer tests security flaws to determine whether they affect Tomcat 5.5. Red Hat has tested tomcat 5.5 as shipped with Red Hat Enterprise Linux 5 and JBoss Enterprise Web Server 1, and found that it is affected by this flaw. Patches for tomcat 5.5 to address this flaw have been  provided.
Comment 40 errata-xmlrpc 2013-03-11 19:33:46 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0623 https://rhn.redhat.com/errata/RHSA-2013-0623.html
Comment 41 errata-xmlrpc 2013-03-12 17:57:54 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0642 https://rhn.redhat.com/errata/RHSA-2013-0642.html
Comment 42 errata-xmlrpc 2013-03-12 17:58:03 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0641 https://rhn.redhat.com/errata/RHSA-2013-0641.html
Comment 43 errata-xmlrpc 2013-03-12 18:08:37 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0640 https://rhn.redhat.com/errata/RHSA-2013-0640.html