This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 466875 - (CVE-2008-3271) CVE-2008-3271 tomcat RemoteFilterValve Information disclosure
CVE-2008-3271 tomcat RemoteFilterValve Information disclosure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
source=asf,public=20081009,reported=2...
: Security
Depends On: 468344 468345 468346 468348 470238 470239
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-14 06:30 EDT by Marc Schoenefeld
Modified: 2011-09-30 16:44 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-30 16:44:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marc Schoenefeld 2008-10-14 06:30:42 EDT
List:       bugtraq
Subject:    [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure
From:       Mark Thomas <markt () apache ! org>
Date:       2008-10-09 22:46:19
Message-ID: 48EE89BB.3000203 () apache ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-3271: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.31
Tomcat 5.5.0
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.

Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later

Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.

    1. Set a breakpoint right after the place where a value
       is to be entered in the instance variable of regexp
       (search:org.apache.regexp.CharacterIterator).

    2. Send a request from the IP address* which is not permitted.
       (stopped at the breakpoint)

       *About the IP address which is not permitted.
       The character strings length of the IP address which is set
       in RemoteAddrValve must be same.

    3. Send a request from the IP address which was set in
       RemoteAddrValve.
       (stopped at the breakpoint)
       In this way, the instance variable is to be overwritten here.

    4. Resume the thread which is processing the step 2 above.

    5. The request from the not permitted IP address will succeed.

Credit:
This issue was discovered by Kenichi Tsukamoto (Development Dept. II,
Application Management Middleware Div., FUJITSU LIMITED) and reported to
the Tomcat security team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj
=9Z/F
-----END PGP SIGNATURE-----
Comment 1 Marc Schoenefeld 2008-10-15 09:22:11 EDT
Created attachment 320434 [details]
Patch draft for RequestFilterValve.java taken from source code diff tomcat 4.1.31 to 4.1.32 

The basic idea of this patch draft is to replace thread-unsafe RE objects with thread-safe REProgram objects and generate the RE object on the fly when needed to check.  

This source code diff still needs forward porting to tomcat 5.0.x
Comment 2 Fernando Nasser 2008-10-20 10:00:59 EDT
Have you shown this to Remy and Jean-Frederic?  What did they say?  Thanks.
Comment 7 Kurt Seifried 2011-09-30 16:44:17 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite (v. 5.0 for RHEL 4)
  Red Hat Network Satellite (v. 5.1 for RHEL 4)

Via RHSA-2008:1007 available at https://rhn.redhat.com/errata/RHSA-2008-1007.html

Note You need to log in before you can comment on or make changes to this bug.