Bug 1459158 - (CVE-2017-5664) CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170606,repo...
Keywords: Security
Depends On: 1459162 1460635 1461291 1459160 1459161 1459746 1459747 1459752 1460573 1461292 1461631 1463611
Blocks: 1446025 1446026 1459164 1479475 1482229 1485997
Reported: 2017-06-06 08:36 EDT by Adam Mariš
Modified: 2017-10-29 20:41 EDT (History)
Fixed In Version: tomcat 7.0.78, tomcat 8.0.44, tomcat 8.5.15
Doc Text:
A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.

Description Adam Mariš 2017-06-06 08:36:48 EDT
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.

If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.

Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1793470
https://svn.apache.org/viewvc?view=revision&revision=1793489

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1793469
https://svn.apache.org/viewvc?view=revision&revision=1793488

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15
Comment 1 Adam Mariš 2017-06-06 08:38:25 EDT
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1459162]


Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1459161]
Affects: fedora-all [bug 1459160]
Comment 4 Daniel Murygin 2017-06-09 06:14:51 EDT
Is Tomcat 6 affected by this bug? Tomcat 6 is still in the repository of RHEL 6. Extended support for RHEL 6 ends in November 2020. Will there be a fix for Tomcat 6 in the RHEL 6 repository?
Comment 11 Timothy Walsh 2017-06-14 03:26:30 EDT
Mitigation:

If it is necessary to have the DefaultServlet property readonly=false, use a JSP error page, for example Error404.jsp, rather than a static HTML error page. Alternatively, do not specify an error-page in the Deployment Descriptor and use a custom ErrorReportValve.
Comment 22 errata-xmlrpc 2017-07-25 12:46:46 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801
Comment 23 errata-xmlrpc 2017-07-25 13:47:53 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802
Comment 24 errata-xmlrpc 2017-07-27 02:11:40 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1809 https://access.redhat.com/errata/RHSA-2017:1809
Comment 25 errata-xmlrpc 2017-08-21 11:26:43 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2

Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494
Comment 26 errata-xmlrpc 2017-08-21 11:35:26 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493
Comment 27 errata-xmlrpc 2017-09-05 10:33:12 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:2633 https://access.redhat.com/errata/RHSA-2017:2633
Comment 28 errata-xmlrpc 2017-09-05 11:12:38 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:2636 https://access.redhat.com/errata/RHSA-2017:2636
Comment 29 errata-xmlrpc 2017-09-05 11:14:03 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:2637 https://access.redhat.com/errata/RHSA-2017:2637
Comment 30 errata-xmlrpc 2017-09-05 11:15:29 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2635 https://access.redhat.com/errata/RHSA-2017:2635
Comment 31 errata-xmlrpc 2017-09-05 11:37:48 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2638 https://access.redhat.com/errata/RHSA-2017:2638
Comment 32 errata-xmlrpc 2017-10-29 20:17:00 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080
Comment 33 Doran Moppert 2017-10-29 20:41:41 EDT
Statement:

This flaw can be triggered for static error pages only if the readonly property for the DefaultServlet is set to false in the $CATALINA_HOME/conf/web.xml file. The default for readonly is true.

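As an added example, written for this page and not taken from the bug report or from Tomcat, a Python audit that checks a web.xml for the two preconditions that Comment 11 (mitigation) and Comment 33 (statement) describe together: a DefaultServlet with readonly=false and an error-page whose location is a static, non-JSP file. The descriptor it parses is a constructed sample; in a real review the same function would be run over $CATALINA_HOME/conf/web.xml and each application's WEB-INF/web.xml.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptor in the risky shape (not from any real deployment):
# DefaultServlet re-declared with readonly=false, one static and one JSP error page.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
  <error-page><error-code>500</error-code><location>/errors/500.jsp</location></error-page>
</web-app>
"""

def _local(tag):
    """Drop the namespace so Tomcat 7 (java.sun.com) and 8 (xmlns.jcp.org) descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child element called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Return (default_servlet_writable, static_error_page_locations).
    readonly defaults to true, so the servlet counts as writable only when it is set to
    false explicitly. Non-JSP locations are treated as static files served by DefaultServlet."""
    root = ET.fromstring(xml_text)
    writable, static_pages = False, []
    for elem in root:
        tag = _local(elem.tag)
        if tag == "servlet" and (_child_text(elem, "servlet-name") == "default" or
                _child_text(elem, "servlet-class") == "org.apache.catalina.servlets.DefaultServlet"):
            for param in elem:
                if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                    writable = (_child_text(param, "param-value") or "").lower() == "false"
        elif tag == "error-page":
            loc = _child_text(elem, "location") or ""
            if loc and not loc.lower().endswith((".jsp", ".jspx")):
                static_pages.append(loc)
    return writable, static_pages

def is_exposed(xml_text):
    """True only when both preconditions named in the bug hold at once."""
    writable, static_pages = audit_web_xml(xml_text)
    return writable and bool(static_pages)
```

Flipping readonly back to true, or pointing every error-page at a JSP as Comment 11 suggests, makes is_exposed() return False for the same descriptor.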