466875 – (CVE-2008-3271) CVE-2008-3271 tomcat RemoteFilterValve Information disclosure

Bug 466875 (CVE-2008-3271) - CVE-2008-3271 tomcat RemoteFilterValve Information disclosure

Summary: CVE-2008-3271 tomcat RemoteFilterValve Information disclosure

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3271
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	468344 468345 468346 468348 470238 470239
Blocks:
TreeView+	depends on / blocked

Reported:	2008-10-14 10:30 UTC by Marc Schoenefeld
Modified:	2019-09-29 12:26 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-09-30 20:44:17 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:1007	0	normal	SHIPPED_LIVE	Low: tomcat security update for Red Hat Network Satellite Server	2008-12-08 09:02:54 UTC

Description Marc Schoenefeld 2008-10-14 10:30:42 UTC

List:       bugtraq
Subject:    [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure
From:       Mark Thomas <markt () apache ! org>
Date:       2008-10-09 22:46:19
Message-ID: 48EE89BB.3000203 () apache ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-3271: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.31
Tomcat 5.5.0
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.

Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later

Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.

    1. Set a breakpoint right after the place where a value
       is to be entered in the instance variable of regexp
       (search:org.apache.regexp.CharacterIterator).

    2. Send a request from the IP address* which is not permitted.
       (stopped at the breakpoint)

       *About the IP address which is not permitted.
       The character strings length of the IP address which is set
       in RemoteAddrValve must be same.

    3. Send a request from the IP address which was set in
       RemoteAddrValve.
       (stopped at the breakpoint)
       In this way, the instance variable is to be overwritten here.

    4. Resume the thread which is processing the step 2 above.

    5. The request from the not permitted IP address will succeed.

Credit:
This issue was discovered by Kenichi Tsukamoto (Development Dept. II,
Application Management Middleware Div., FUJITSU LIMITED) and reported to
the Tomcat security team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj
=9Z/F
-----END PGP SIGNATURE-----

Comment 1 Marc Schoenefeld 2008-10-15 13:22:11 UTC

Created attachment 320434 [details]
Patch draft for RequestFilterValve.java taken from source code diff tomcat 4.1.31 to 4.1.32 

The basic idea of this patch draft is to replace thread-unsafe RE objects with thread-safe REProgram objects and generate the RE object on the fly when needed to check.  

This source code diff still needs forward porting to tomcat 5.0.x

Comment 2 Fernando Nasser 2008-10-20 14:00:59 UTC

Have you shown this to Remy and Jean-Frederic?  What did they say?  Thanks.

Comment 7 Kurt Seifried 2011-09-30 20:44:17 UTC

This issue has been addressed in following products:

  Red Hat Network Satellite (v. 5.0 for RHEL 4)
  Red Hat Network Satellite (v. 5.1 for RHEL 4)

Via RHSA-2008:1007 available at https://rhn.redhat.com/errata/RHSA-2008-1007.html

Note You need to log in before you can comment on or make changes to this bug.