Bug 1636512 – CVE-2018-11784 tomcat: Open redirect in default servlet

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1636512 - (CVE-2018-11784) CVE-2018-11784 tomcat: Open redirect in default servlet

Summary:	CVE-2018-11784 tomcat: Open redirect in default servlet

Status:	NEW

Aliases:	CVE-2018-11784

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20181003,repor...
Keywords:	Security

Depends On:	1636513 1636514 1641873 1641874
Blocks:	1636515
	Show dependency tree / graph

Reported:	2018-10-05 11:00 EDT by Pedro Sampaio
Modified:	2018-10-23 00:36 EDT (History)
CC List:	83 users (show)

See Also:
Fixed In Version:	tomcat 9.0.12, tomcat 8.5.34, tomcat 7.0.91
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2018-10-05 11:00:38 EDT

A flaw was found in Apache tomcat. When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

References:

https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E

Comment 1 Pedro Sampaio 2018-10-05 11:01:57 EDT

Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1636514]
Affects: fedora-all [bug 1636513]

Comment 2 Tomas Hoger 2018-10-05 15:11:40 EDT

External References:

http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.12
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.91

Comment 3 Tomas Hoger 2018-10-05 15:12:58 EDT

Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1840055  9.0.x
http://svn.apache.org/viewvc?view=revision&revision=1840056  8.5.x
http://svn.apache.org/viewvc?view=revision&revision=1840057  7.0.x

Comment 5 Doran Moppert 2018-10-23 00:32:48 EDT

This vulnerability does not affect Tomcat 6.0.24 as Response.sendRedirect() always sends an absolute URL.

Vulnerable versions of Tomcat may not be exploitable under either the following conditions:

 - if org.apache.catalina.STRICT_SERVLET_COMPLIANCE set to true
 - if org.apache.catalina.servlets.DefaultServlet is either:
   - not deployed at all
   - only deployed with Context attribute useRelativeRedirects set to false
   - only deploted with both Context attributes mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled are set to false

Note You need to log in before you can comment on or make changes to this bug.

aferreir
aileenc
alazarot
alee
anstephe
apintea
avibelli
bgeorges
bmaxwell
cdewolf
chazlett
cmoulliard
coolsvap
csutherl
darran.lofthouse
dimitris
dosoudil
drieden
etirelli
fgavrilo
gandavar
gvarsami
gzaronik
hghasemb
hhorak
ibek
ikanello
ivan.afonichev
java-sig-commits
jawilson
jbalunas
jclere
jcoleman
jdoyle
jolee
jondruse
jorton
jpallich
jschatte
jshepherd
jstastny
kconner
krathod
krzysztof.daniel
kverlaen
ldimaggi
lgao
loleary
lpetrovi
lthon
mbabacek
mizdebsk
mszynkie
myarboro
nwallace
paradhya
pgallagh
pgier
pjurak
ppalaga
psakar
pslavice
pszubiak
rhcs-maint
rnetuka
rrajasek
rruss
rstancel
rsvoboda
rsynek
rwagner
rzhang
sdaley
spinder
tcunning
theute
tkirby
trogers
twalsh
vhalbert
vtunka
weli
yozone