Bug 585331 - (CVE-2010-1157) CVE-2010-1157 tomcat: information disclosure in authentication headers
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20100421,reported=2...
: Security
Depends On: 585369 585370 606822
Blocks:
Reported: 2010-04-23 14:03 EDT by Vincent Danen
Modified: 2012-08-27 11:57 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-13 05:43:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0584 normal SHIPPED_LIVE Important: jbossweb security update 2010-08-02 16:18:02 EDT
Red Hat Product Errata RHSA-2011:0896 normal SHIPPED_LIVE Moderate: JBoss Enterprise Web Server 1.0.2 update 2011-06-22 19:16:28 EDT
Red Hat Product Errata RHSA-2011:0897 normal SHIPPED_LIVE Moderate: JBoss Enterprise Web Server 1.0.2 update 2011-06-22 19:38:13 EDT

Description Vincent Danen 2010-04-23 14:03:34 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1157 to
the following vulnerability:

Name: CVE-2010-1157
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
Assigned: 20100329
Reference: BUGTRAQ:20100421 [SECURITY] CVE-2010-1157: Apache Tomcat information disclosure vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/510879/100/0/threaded
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html

Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might
allow remote attackers to discover the server's hostname or IP address
by sending a request for a resource that requires (1) BASIC or (2)
DIGEST authentication, and then reading the realm field in the
WWW-Authenticate header in the reply.


Upstream fixes are available for tomcat5 [1] and tomcat6 [2].

[1] http://svn.apache.org/viewvc?view=revision&revision=936541
[2] http://svn.apache.org/viewvc?view=revision&revision=936540
Comment 1 Vincent Danen 2010-04-23 15:57:20 EDT
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [#585369]
Comment 2 Vincent Danen 2010-04-23 15:57:22 EDT
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [#585370]
Comment 5 Vincent Danen 2010-07-09 11:45:54 EDT
This was corrected upstream via the tomcat 6.0.28 release:

http://tomcat.apache.org/security-6.html

And tomcat 5.5.30:

http://tomcat.apache.org/security-5.html
Comment 6 Tomas Hoger 2010-07-09 16:38:27 EDT
I wonder if we should backport this patch. The information leak is limited to the request host name/IP and port and hence is only relevant to setups where requests are proxied to internal tomcat instance(s) from a publicly-accessible host. The leak can be avoided by configuring <realm-name> in the login configuration properly. This should already be done in deployments where such a leak would matter. The patch does not seem to offer an easy way back to the current behaviour, where the request host:port is used as the default realm, for deployments where that behaviour is expected and possibly relied on.
Comment 7 Tomas Hoger 2010-07-13 05:43:22 EDT
This issue has fairly limited impact and can be avoided with proper configuration. The upstream patch changes the default realm name generated by Tomcat. As the original default may be expected in some deployments, there is no plan to backport a fix for this issue to the Tomcat versions included in already-released product versions. Future product versions providing tomcat packages based on an upstream version containing this patch may offer a new default value.

For current deployments, the information leak can be avoided by making sure all configurations using HTTP BASIC or DIGEST authentication have a realm configured in the login-config section of web.xml. Adding the following to all login-config sections that do not define a realm is equivalent to applying the upstream patch:

  <realm-name>Authentication required</realm-name>

Configurations that already have a realm-name specified are not affected by this issue.

Statement:

The risks associated with fixing this flaw are greater than the low severity security risk. We therefore have no plans to fix this flaw. The information leak can be avoided by adjusting the configuration to always specify a realm-name.
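An added audit script for the mitigation described in Comment 7 (example code, not part of the bug report or of Tomcat): it parses a web.xml, flags login-config sections that use BASIC or DIGEST authentication without a realm-name, and can write the upstream default realm into them. The sample web.xml is constructed for the example.

```python
"""Audit a Tomcat web.xml for <login-config> sections that use BASIC or
DIGEST authentication without a <realm-name>; on affected Tomcat 5.5/6.0
releases such a section makes Tomcat fill the WWW-Authenticate realm
with the request host:port, which is the leak CVE-2010-1157 describes."""
import xml.etree.ElementTree as ET

# Realm the upstream patch uses as its new default (quoted in Comment 7).
DEFAULT_REALM = "Authentication required"
HEADER_AUTH_METHODS = {"BASIC", "DIGEST"}

# Constructed sample web.xml (not taken from any real deployment).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

def _local(tag):
    """Drop the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _login_configs(root):
    """Yield (element, auth-method, realm-name text) per <login-config>."""
    for lc in root.iter():
        if _local(lc.tag) != "login-config":
            continue
        method = realm = None
        for child in lc:
            if _local(child.tag) == "auth-method":
                method = (child.text or "").strip().upper()
            elif _local(child.tag) == "realm-name":
                realm = (child.text or "").strip()
        yield lc, method, realm

def missing_realms(web_xml):
    """Return the auth-method of each exposed login-config; [] means safe."""
    return [m for _, m, r in _login_configs(ET.fromstring(web_xml))
            if m in HEADER_AUTH_METHODS and not r]

def add_default_realm(web_xml, realm=DEFAULT_REALM):
    """Return web_xml with a <realm-name> added to every flagged section."""
    root = ET.fromstring(web_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace unprefixed
    for lc, method, current in list(_login_configs(root)):
        if method in HEADER_AUTH_METHODS and not current:
            el = ET.SubElement(lc, "{%s}realm-name" % ns if ns else "realm-name")
            el.text = realm
    return ET.tostring(root, encoding="unicode")
```

Run `missing_realms()` over each deployed web.xml; an empty list means every BASIC/DIGEST login-config already names a realm and the instance is not exposed to this leak.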
Comment 8 errata-xmlrpc 2010-08-02 16:18:09 EDT
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.2.0 for RHEL 5
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0584 https://rhn.redhat.com/errata/RHSA-2010-0584.html
Comment 9 errata-xmlrpc 2011-06-22 19:18:02 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
Comment 10 errata-xmlrpc 2011-06-22 19:39:26 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html