Bug 1459158 (CVE-2017-5664) - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
Summary: CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-5664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1459160 1459161 1459162 1459746 1459747 1459752 1460573 1460635 1461291 1461292 1461631 1463611
Blocks: 1446025 1446026 1459164 1479475 1482229 1485997
Reported: 2017-06-06 12:36 UTC by Adam Mariš
Modified: 2021-02-17 02:03 UTC (History)
CC List: 60 users

Fixed In Version: tomcat 7.0.78, tomcat 8.0.44, tomcat 8.5.15
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:14:42 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1801 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update 2017-07-25 20:44:35 UTC
Red Hat Product Errata RHSA-2017:1802 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server Service Pack 1 security update 2017-07-25 21:46:13 UTC
Red Hat Product Errata RHSA-2017:1809 0 normal SHIPPED_LIVE Important: tomcat security update 2017-07-27 10:10:12 UTC
Red Hat Product Errata RHSA-2017:2493 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2 security update 2017-08-21 19:33:48 UTC
Red Hat Product Errata RHSA-2017:2494 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2 security update 2017-08-21 19:22:58 UTC
Red Hat Product Errata RHSA-2017:2633 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update 2017-09-05 18:32:20 UTC
Red Hat Product Errata RHSA-2017:2635 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 6 2017-09-05 19:07:46 UTC
Red Hat Product Errata RHSA-2017:2636 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 7 2017-09-05 19:01:10 UTC
Red Hat Product Errata RHSA-2017:2637 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 5 2017-09-05 19:04:25 UTC
Red Hat Product Errata RHSA-2017:2638 0 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2017-09-05 19:36:46 UTC
Red Hat Product Errata RHSA-2017:3080 0 normal SHIPPED_LIVE Important: tomcat6 security update 2017-10-30 04:15:02 UTC

Description Adam Mariš 2017-06-06 12:36:48 UTC
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.

If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.

Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1793470
https://svn.apache.org/viewvc?view=revision&revision=1793489

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1793469
https://svn.apache.org/viewvc?view=revision&revision=1793488

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15
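
To make the forwarding mechanism concrete, here is an added example (my own model, not Tomcat's code and not from the reporter) written in Python: a minimal container that forwards a failed request to the configured error page with its original method, and a file-serving servlet stand-in in an unfixed and a hardened variant. The class names, the in-memory docroot, the error-page location and the DELETE scenario are constructed for the model; only the expected behaviour, serving the static error page as for a GET regardless of the method, comes from the description above.

```python
"""Model of the error-page forwarding described in the bug (added example, not Tomcat's code).

The container forwards the original request, method included, to the configured
error page. A file-serving servlet that dispatches on the method and allows
writes will then apply that method to the error page itself; the hardened
variant serves the error page as if the forwarded request were a GET.
"""
from dataclasses import dataclass

ERROR_PAGE = "/errors/404.html"   # constructed sample error-page location


@dataclass
class Request:
    method: str
    path: str
    dispatcher_type: str = "REQUEST"   # "REQUEST" or "ERROR", after javax.servlet.DispatcherType
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: bytes = b""


class StaticFileServlet:
    """Stand-in for a DefaultServlet: `files` is an in-memory docroot, `readonly`
    mirrors the DefaultServlet init-param, `hardened` selects the expected behaviour."""

    def __init__(self, files, readonly=True, hardened=False):
        self.files = dict(files)
        self.readonly = readonly
        self.hardened = hardened

    def service(self, req):
        # Hardened: a request arriving through the ERROR dispatcher is served as
        # a GET of the error page, whatever HTTP method it started with.
        if self.hardened and req.dispatcher_type == "ERROR":
            return self.do_get(req)
        handler = {"GET": self.do_get, "PUT": self.do_put, "DELETE": self.do_delete}.get(req.method)
        return handler(req) if handler else Response(405)

    def do_get(self, req):
        content = self.files.get(req.path)
        return Response(200, content) if content is not None else Response(404)

    def do_put(self, req):
        if self.readonly:
            return Response(403)
        self.files[req.path] = req.body
        return Response(204)

    def do_delete(self, req):
        if self.readonly:
            return Response(403)
        if req.path not in self.files:
            return Response(404)
        del self.files[req.path]
        return Response(204)


class Container:
    """Error-page mechanism: when the original request ends in 404 and an error
    page is configured, forward the same request (same method) to that page."""

    def __init__(self, servlet, error_page=ERROR_PAGE):
        self.servlet = servlet
        self.error_page = error_page

    def handle(self, req):
        resp = self.servlet.service(req)
        if resp.status == 404 and req.dispatcher_type == "REQUEST":
            forwarded = Request(req.method, self.error_page, "ERROR", req.body)
            page = self.servlet.service(forwarded)
            return Response(404, page.body)   # original error status, error-page body
        return resp


def run_scenarios():
    """Return {scenario: (status, body, error_page_still_present)} for a write-method
    request to a missing path, constructed to exercise the three configurations."""
    docroot = {ERROR_PAGE: b"<h1>Not found</h1>"}
    results = {}
    for name, readonly, hardened in (("unfixed_readonly_false", False, False),
                                     ("hardened_readonly_false", False, True),
                                     ("unfixed_readonly_true", True, False)):
        container = Container(StaticFileServlet(docroot, readonly, hardened))
        resp = container.handle(Request("DELETE", "/no-such-page"))
        results[name] = (resp.status, resp.body, ERROR_PAGE in container.servlet.files)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it prints one line per configuration: the unfixed servlet with readonly=false loses its error page and returns an empty 404 body, the hardened variant keeps the page and returns it, and readonly=true (the default) never reaches the forward because the write is refused before any 404 is produced.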

Comment 1 Adam Mariš 2017-06-06 12:38:25 UTC
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1459162]


Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1459161]
Affects: fedora-all [bug 1459160]

Comment 4 Daniel Murygin 2017-06-09 10:14:51 UTC
Is Tomcat 6 affected by this bug? Tomcat 6 is still in the repository of RHEL 6. Extended support for RHEL 6 ends in November 2020. Will there be a fix for Tomcat 6 in the RHEL 6 repository?

Comment 11 Timothy Walsh 2017-06-14 07:26:30 UTC
Mitigation:

If it is necessary to have the DefaultServlet property readonly=false, use a jsp error page, for example Error404.jsp rather than a static html error page. Alternatively do not specify an error-page in the Deployment Descriptor and use a custom ErrorReportValve.

Comment 22 errata-xmlrpc 2017-07-25 16:46:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801

Comment 23 errata-xmlrpc 2017-07-25 17:47:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802

Comment 24 errata-xmlrpc 2017-07-27 06:11:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1809 https://access.redhat.com/errata/RHSA-2017:1809

Comment 25 errata-xmlrpc 2017-08-21 15:26:43 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2

Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494

Comment 26 errata-xmlrpc 2017-08-21 15:35:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493

Comment 27 errata-xmlrpc 2017-09-05 14:33:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:2633 https://access.redhat.com/errata/RHSA-2017:2633

Comment 28 errata-xmlrpc 2017-09-05 15:12:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:2636 https://access.redhat.com/errata/RHSA-2017:2636

Comment 29 errata-xmlrpc 2017-09-05 15:14:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:2637 https://access.redhat.com/errata/RHSA-2017:2637

Comment 30 errata-xmlrpc 2017-09-05 15:15:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2635 https://access.redhat.com/errata/RHSA-2017:2635

Comment 31 errata-xmlrpc 2017-09-05 15:37:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2638 https://access.redhat.com/errata/RHSA-2017:2638

Comment 32 errata-xmlrpc 2017-10-30 00:17:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080

Comment 33 Doran Moppert 2017-10-30 00:41:41 UTC
Statement:

This flaw can be triggered for static error pages only if the readonly property for the DefaultServlet is set to false in the $CATALINA_HOME/conf/web.xml file.  The default for readonly is true.
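
Comment 11 gives the mitigation and Comment 33 the precondition; the following added example (my own, not Red Hat's or Tomcat's tooling) checks both against web.xml descriptors with Python's standard XML parser. The sample descriptors are constructed; the element names (servlet-class, init-param, error-page, location) and the DefaultServlet class name are the standard deployment-descriptor ones, and the "exposed" classification applies only to Tomcat versions still in the affected ranges listed above.

```python
"""Audit Tomcat web.xml files for the CVE-2017-5664 exposure conditions
(added example, not Red Hat's or Tomcat's tooling).

  * Comment 33: the flaw matters only if the DefaultServlet `readonly`
    init-param is false (the default is true).
  * Comment 11: a static error page is the exposed case; a JSP error page,
    or no <error-page> at all, is the mitigation.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
JSP_SUFFIXES = (".jsp", ".jspx")


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


@dataclass
class Audit:
    readonly: Optional[bool] = None        # None: no readonly init-param seen (Tomcat default: true)
    error_pages: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def scan_web_xml(xml_text: str, audit: Audit) -> Audit:
    """Collect the DefaultServlet readonly setting and all <error-page> locations."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "servlet" and _child_text(elem, "servlet-class") == DEFAULT_SERVLET_CLASS:
            for param in elem:
                if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                    # Same semantics as Java's Boolean.parseBoolean: only "true" is true
                    audit.readonly = (_child_text(param, "param-value") or "").lower() == "true"
        elif name == "error-page":
            location = _child_text(elem, "location")
            if location:
                audit.error_pages.append(location)
    return audit


def audit_tomcat(global_web_xml: str, app_web_xml: str) -> Audit:
    """Scan $CATALINA_HOME/conf/web.xml first, then the webapp descriptor,
    so an application-level DefaultServlet override wins."""
    audit = Audit()
    scan_web_xml(global_web_xml, audit)
    scan_web_xml(app_web_xml, audit)
    writes_allowed = audit.readonly is False          # unset means the default, readonly=true
    for page in audit.error_pages:
        if page.lower().endswith(JSP_SUFFIXES):
            continue                                   # JSP error page: the Comment 11 mitigation
        if writes_allowed:
            audit.findings.append(
                f"static error page {page} with readonly=false: exposed to CVE-2017-5664 on unfixed Tomcat")
        else:
            audit.findings.append(
                f"static error page {page}: safe while readonly stays true; do not set readonly=false")
    return audit


# Constructed sample descriptors (not taken from any real deployment)
GLOBAL_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

GLOBAL_XML_DEFAULT = GLOBAL_XML_WRITABLE.replace("<param-value>false</param-value>",
                                                 "<param-value>true</param-value>")

APP_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
  <error-page><error-code>500</error-code><location>/errors/500.jsp</location></error-page>
</web-app>"""

if __name__ == "__main__":
    for label, conf in (("readonly=false", GLOBAL_XML_WRITABLE), ("readonly=true", GLOBAL_XML_DEFAULT)):
        result = audit_tomcat(conf, APP_XML)
        print(label, "->", result.findings or ["no static error pages configured"])
```

Point the two arguments at the real conf/web.xml and the application's WEB-INF/web.xml; a finding marked "exposed" means both the Comment 33 precondition and a static error page are present, so on an unpatched version either update or switch that page to a JSP (or drop the error-page element and use a custom ErrorReportValve) as Comment 11 advises.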
