Bug 883634 (CVE-2012-3546)

Summary: CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: djorm, grocha, jstefl, lgao, mjc, pcheung
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20121204,reported=20121205,source=internet,cvss2=5.5/AV:N/AC:L/Au:S/C:P/I:P/A:N,fedora-all/tomcat6=affected,fedora-all/tomcat=affected,rhel-5/tomcat5=affected,rhel-6/tomcat6=affected,brms-5/jbossweb=affected,epp-5/jbossweb=affected,epp-4/jbossweb=affected,soap-5/jbossweb=affected,soap-4.3/jbossweb=affected,soap-4.2/jbossweb=affected,jbews-2/tomcat6=affected,jbews-2/tomcat7=notaffected,jbews-1/tomcat5=affected,jbews-1/tomcat6=affected,jdg-6/jbossweb=notaffected,jon-3.1/jbossweb=notaffected,jboss/eap6=affected,jboss/eap5=affected,jboss/ewp5=affected,jboss/eap4.3=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-12 19:55:55 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 883702, 883704, 883705, 883706, 883707, 883708, 883709, 883710, 883711, 883712, 883713, 883714, 883715, 892849, 892851, 892852, 895771, 896527, 901352, 903925, 913034, 913035, 913036, 915189, 1014384    
Bug Blocks: 789173, 835396, 849517, 883656, 903405    

Description Arun Babu Neelicattu 2012-12-04 22:24:29 EST
When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

Source: Tomcat security pages. [1,2]

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html

Upstream commits:

http://svn.apache.org/viewvc?view=revision&revision=1381035
http://svn.apache.org/viewvc?view=revision&revision=1377892
Comment 4 David Jorm 2012-12-05 01:53:16 EST
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 883702]
Comment 5 David Jorm 2012-12-05 01:53:19 EST
Created tomcat tracking bugs for this issue

Affects: fedora-all [bug 883704]
Comment 17 Fedora Update System 2012-12-19 03:29:45 EST
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2013-01-03 17:55:29 EST
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2013:0005 https://rhn.redhat.com/errata/RHSA-2013-0005.html
Comment 19 errata-xmlrpc 2013-01-03 17:56:04 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.0

Via RHSA-2013:0004 https://rhn.redhat.com/errata/RHSA-2013-0004.html
Comment 20 errata-xmlrpc 2013-01-08 15:35:32 EST
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:0147 https://rhn.redhat.com/errata/RHSA-2013-0147.html
Comment 21 errata-xmlrpc 2013-01-08 15:36:06 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2013:0146 https://rhn.redhat.com/errata/RHSA-2013-0146.html
Comment 22 errata-xmlrpc 2013-01-10 00:42:12 EST
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 4.3.0 CP07

Via RHSA-2013:0151 https://rhn.redhat.com/errata/RHSA-2013-0151.html
Comment 23 errata-xmlrpc 2013-01-14 15:44:58 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0157 https://rhn.redhat.com/errata/RHSA-2013-0157.html
Comment 24 errata-xmlrpc 2013-01-14 15:54:23 EST
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0158 https://rhn.redhat.com/errata/RHSA-2013-0158.html
Comment 25 errata-xmlrpc 2013-01-15 14:03:49 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6
  JBEAP 6 for RHEL 5

Via RHSA-2013:0164 https://rhn.redhat.com/errata/RHSA-2013-0164.html
Comment 26 errata-xmlrpc 2013-01-15 14:03:54 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0163 https://rhn.redhat.com/errata/RHSA-2013-0163.html
Comment 27 errata-xmlrpc 2013-01-15 14:04:26 EST
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 4.2.0.CP05 and 4.3.0.CP05

Via RHSA-2013:0162 https://rhn.redhat.com/errata/RHSA-2013-0162.html
Comment 28 errata-xmlrpc 2013-01-24 13:09:57 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
Comment 29 errata-xmlrpc 2013-01-24 13:32:47 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
Comment 30 errata-xmlrpc 2013-01-24 13:33:34 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
Comment 31 errata-xmlrpc 2013-01-24 13:45:49 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
Comment 32 errata-xmlrpc 2013-01-24 13:46:35 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
Comment 33 errata-xmlrpc 2013-01-24 13:58:52 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
Comment 34 errata-xmlrpc 2013-01-24 13:59:43 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
Comment 35 errata-xmlrpc 2013-01-24 14:08:44 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html
Comment 36 errata-xmlrpc 2013-01-31 15:31:44 EST
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html
Comment 37 errata-xmlrpc 2013-02-04 18:43:56 EST
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2
  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2013:0235 https://rhn.redhat.com/errata/RHSA-2013-0235.html
Comment 39 David Jorm 2013-02-20 04:32:12 EST
Statement:

Tomcat 5.5 has reached the end of its supported upstream life-cycle, and the Apache Tomcat project no longer tests security flaws to determine whether they affect Tomcat 5.5. Red Hat has tested tomcat 5.5 as shipped with Red Hat Enterprise Linux 5 and JBoss Enterprise Web Server 1, and found that it is affected by this flaw. Patches for tomcat 5.5 to address this flaw have been  provided.
Comment 40 errata-xmlrpc 2013-03-11 15:33:46 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0623 https://rhn.redhat.com/errata/RHSA-2013-0623.html
Comment 41 errata-xmlrpc 2013-03-12 13:57:54 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0642 https://rhn.redhat.com/errata/RHSA-2013-0642.html
Comment 42 errata-xmlrpc 2013-03-12 13:58:03 EDT
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0641 https://rhn.redhat.com/errata/RHSA-2013-0641.html
Comment 43 errata-xmlrpc 2013-03-12 14:08:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0640 https://rhn.redhat.com/errata/RHSA-2013-0640.html