List: bugtraq Subject: [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure From: Mark Thomas <markt () apache ! org> Date: 2008-10-09 22:46:19 Message-ID: 48EE89BB.3000203 () apache ! org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2008-3271: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.31 Tomcat 5.5.0 Tomcat 6.0.x is not affected The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can, in very rare circumstances, permit a user from a non-permitted IP address to gain access to a context protected with a valve that extends RemoteFilterValve. Mitigation: Upgrade to: 4.1.32 or later 5.5.1 or later 6.0.0 or later Example: This has only been reproduced using a debugger to force a particular processing sequence across two threads. 1. Set a breakpoint right after the place where a value is to be entered in the instance variable of regexp (search:org.apache.regexp.CharacterIterator). 2. Send a request from the IP address* which is not permitted. (stopped at the breakpoint) *About the IP address which is not permitted. The character strings length of the IP address which is set in RemoteAddrValve must be same. 3. Send a request from the IP address which was set in RemoteAddrValve. (stopped at the breakpoint) In this way, the instance variable is to be overwritten here. 4. Resume the thread which is processing the step 2 above. 5. The request from the not permitted IP address will succeed. Credit: This issue was discovered by Kenichi Tsukamoto (Development Dept. II, Application Management Middleware Div., FUJITSU LIMITED) and reported to the Tomcat security team via JPCERT. References: http://tomcat.apache.org/security.html Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj =9Z/F -----END PGP SIGNATURE-----
Created attachment 320434 [details] Patch draft for RequestFilterValve.java taken from source code diff tomcat 4.1.31 to 4.1.32 The basic idea of this patch draft is to replace thread-unsafe RE objects with thread-safe REProgram objects and generate the RE object on the fly when needed to check. This source code diff still needs forward porting to tomcat 5.0.x
Have you shown this to Remy and Jean-Frederic? What did they say? Thanks.
This issue has been addressed in following products: Red Hat Network Satellite (v. 5.0 for RHEL 4) Red Hat Network Satellite (v. 5.1 for RHEL 4) Via RHSA-2008:1007 available at https://rhn.redhat.com/errata/RHSA-2008-1007.html