Bug 466875 - (CVE-2008-3271) CVE-2008-3271 tomcat RemoteFilterValve Information disclosure
CVE-2008-3271 tomcat RemoteFilterValve Information disclosure
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 468344 468345 468346 468348 470238 470239
  Show dependency treegraph
Reported: 2008-10-14 06:30 EDT by Marc Schoenefeld
Modified: 2011-09-30 16:44 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-09-30 16:44:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Marc Schoenefeld 2008-10-14 06:30:42 EDT
List:       bugtraq
Subject:    [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure
From:       Mark Thomas <markt () apache ! org>
Date:       2008-10-09 22:46:19
Message-ID: 48EE89BB.3000203 () apache ! org

Hash: SHA1

CVE-2008-3271: Tomcat information disclosure vulnerability

Severity: Low

The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.31
Tomcat 5.5.0
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends

Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later

This has only been reproduced using a debugger to force a particular
processing sequence across two threads.

    1. Set a breakpoint right after the place where a value
       is to be entered in the instance variable of regexp

    2. Send a request from the IP address* which is not permitted.
       (stopped at the breakpoint)

       *About the IP address which is not permitted.
       The character strings length of the IP address which is set
       in RemoteAddrValve must be same.

    3. Send a request from the IP address which was set in
       (stopped at the breakpoint)
       In this way, the instance variable is to be overwritten here.

    4. Resume the thread which is processing the step 2 above.

    5. The request from the not permitted IP address will succeed.

This issue was discovered by Kenichi Tsukamoto (Development Dept. II,
Application Management Middleware Div., FUJITSU LIMITED) and reported to
the Tomcat security team via JPCERT.


Mark Thomas
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

Comment 1 Marc Schoenefeld 2008-10-15 09:22:11 EDT
Created attachment 320434 [details]
Patch draft for RequestFilterValve.java taken from source code diff tomcat 4.1.31 to 4.1.32 

The basic idea of this patch draft is to replace thread-unsafe RE objects with thread-safe REProgram objects and generate the RE object on the fly when needed to check.  

This source code diff still needs forward porting to tomcat 5.0.x
Comment 2 Fernando Nasser 2008-10-20 10:00:59 EDT
Have you shown this to Remy and Jean-Frederic?  What did they say?  Thanks.
Comment 7 Kurt Seifried 2011-09-30 16:44:17 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite (v. 5.0 for RHEL 4)
  Red Hat Network Satellite (v. 5.1 for RHEL 4)

Via RHSA-2008:1007 available at https://rhn.redhat.com/errata/RHSA-2008-1007.html

Note You need to log in before you can comment on or make changes to this bug.