Bug 585331 (CVE-2010-1157) - CVE-2010-1157 tomcat: information disclosure in authentication headers
Summary: CVE-2010-1157 tomcat: information disclosure in authentication headers
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2010-1157
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 585369 585370 606822
Blocks:
Reported: 2010-04-23 18:03 UTC by Vincent Danen
Modified: 2021-02-24 23:15 UTC
CC List: 13 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-13 09:43:22 UTC
Embargoed:

Links
System                  ID              Private  Priority  Status        Summary                                             Last Updated
Red Hat Product Errata  RHSA-2010:0584  0        normal    SHIPPED_LIVE  Important: jbossweb security update                 2010-08-02 20:18:02 UTC
Red Hat Product Errata  RHSA-2011:0896  0        normal    SHIPPED_LIVE  Moderate: JBoss Enterprise Web Server 1.0.2 update  2011-06-22 23:16:28 UTC
Red Hat Product Errata  RHSA-2011:0897  0        normal    SHIPPED_LIVE  Moderate: JBoss Enterprise Web Server 1.0.2 update  2011-06-22 23:38:13 UTC

Internal Links: 606822

Description Vincent Danen 2010-04-23 18:03:34 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1157 to
the following vulnerability:

Name: CVE-2010-1157
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
Assigned: 20100329
Reference: BUGTRAQ:20100421 [SECURITY] CVE-2010-1157: Apache Tomcat information disclosure vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/510879/100/0/threaded
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html

Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might
allow remote attackers to discover the server's hostname or IP address
by sending a request for a resource that requires (1) BASIC or (2)
DIGEST authentication, and then reading the realm field in the
WWW-Authenticate header in the reply.


Upstream fixes are available for tomcat5 [1] and tomcat6 [2].

[1] http://svn.apache.org/viewvc?view=revision&revision=936541
[2] http://svn.apache.org/viewvc?view=revision&revision=936540

Comment 1 Vincent Danen 2010-04-23 19:57:20 UTC
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [#585369]

Comment 2 Vincent Danen 2010-04-23 19:57:22 UTC
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [#585370]

Comment 5 Vincent Danen 2010-07-09 15:45:54 UTC
This was corrected upstream via the tomcat 6.0.28 release:

http://tomcat.apache.org/security-6.html

And tomcat 5.5.30:

http://tomcat.apache.org/security-5.html

Comment 6 Tomas Hoger 2010-07-09 20:38:27 UTC
I wonder if we should backport this patch.  Information leak is limited to request host name/ip and port and hence is only relevant to setups where requests are proxied to internal tomcat instance(s) from publicly-accessible host.  Leak can be avoided by configuring <realm-name> in login configuration properly.  This should already be done in deployments where such leak would matter.  The patch does not seem to offer an easy way back to current behaviour where request host:port is used as default realm for deployments where that behaviour is expected and possibly relied on.

Comment 7 Tomas Hoger 2010-07-13 09:43:22 UTC
This issue has fairly limited impact and can be avoided with proper configuration.  The upstream patch changes the default realm name generated by Tomcat.  As the original default may be expected in some deployments, there is no plan to backport a fix for this issue to the Tomcat versions included in already-released product versions.  Future product versions providing tomcat packages based on an upstream version containing this patch may offer a new default value.

For current deployments, the information leak can be avoided by making sure all configurations using HTTP BASIC or DIGEST authentication have a realm configured in the login-config section of web.xml.  Adding the following to all login-config sections that do not define a realm is equivalent to applying the upstream patch:

  <realm-name>Authentication required</realm-name>

Configurations that already have a realm-name specified are not affected by this issue.

Statement:

The risks associated with fixing this flaw are greater than the low severity security risk. We therefore have no plans to fix this flaw. The information leak can be avoided by adjusting the configuration to always specify a realm-name.
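
Two checks that follow from the description and from Comment 7, written here as an added example; this is not part of the bug report and is not Red Hat's or Apache Tomcat's code. The first scans a web.xml for a BASIC or DIGEST login-config with no realm-name, the configuration on which unpatched Tomcat falls back to the request host:port. The second inspects a 401 response's WWW-Authenticate value and flags a realm shaped like host:port, which is how the leak shows up from the client side. The web.xml fragments and header values are constructed sample input; the host:port regex is a heuristic of this example, not anything Tomcat itself emits or checks.

```python
"""Audit helpers for the CVE-2010-1157 realm leak.

Added example for this bug page; not Red Hat's or Apache Tomcat's code.
Assumes the operator has the application's web.xml on disk or can read the
401 response's WWW-Authenticate header. All inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml samples, not taken from any real deployment.
# BASIC auth with no <realm-name>: unpatched Tomcat 5.5.x/6.0.x falls back
# to the request's host:port as the realm.
LEAKY_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

# DIGEST auth with the realm that Comment 7 recommends (the upstream default).
SAFE_WEB_XML = """<web-app>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Authentication required</realm-name>
  </login-config>
</web-app>
"""

# FORM auth sends no WWW-Authenticate challenge, so no realm is exposed.
FORM_WEB_XML = """<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
</web-app>
"""


def _local(tag):
    """Strip a namespace: '{http://java.sun.com/xml/ns/javaee}x' -> 'x'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return one finding dict per <login-config> in the descriptor.

    'needs_realm' is True when the auth method sends a WWW-Authenticate
    challenge (BASIC or DIGEST) and no non-blank <realm-name> is set.
    A missing element is the fallback case described on this page; a blank
    one is flagged too, since it is never an intended configuration.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "login-config":
            continue
        method, realm = None, None
        for child in el:
            name = _local(child.tag)
            if name == "auth-method":
                method = (child.text or "").strip().upper()
            elif name == "realm-name":
                realm = (child.text or "").strip()
        challenge = method in ("BASIC", "DIGEST")
        findings.append({
            "auth_method": method,
            "realm_name": realm,
            "needs_realm": challenge and not realm,
        })
    return findings


# Heuristic of this example: a realm of the form host:port (DNS name, IPv4,
# or bracketed IPv6) is the fingerprint of the leak in a 401 response.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOST_PORT = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9A-Fa-f:.]+\]|" + _LABEL +
    r"(?:\." + _LABEL + r")*):\d{1,5}$"
)


def parse_www_authenticate(value):
    """Split 'Basic realm="x"' or 'Digest realm="x", nonce=...' into
    (scheme, realm); realm is None when the header carries none."""
    m = re.match(r"\s*([A-Za-z]+)\s*(.*)$", value)
    if not m:
        return None, None
    rm = re.search(r'realm\s*=\s*"([^"]*)"', m.group(2), re.IGNORECASE)
    return m.group(1), (rm.group(1) if rm else None)


def realm_leaks_host(value):
    """True if a BASIC/DIGEST challenge exposes host:port in its realm."""
    scheme, realm = parse_www_authenticate(value)
    if scheme is None or scheme.lower() not in ("basic", "digest"):
        return False
    return realm is not None and bool(_HOST_PORT.match(realm))


if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY_WEB_XML), ("safe", SAFE_WEB_XML),
                       ("form", FORM_WEB_XML)):
        print(label, audit_web_xml(doc))
    print(realm_leaks_host('Basic realm="app01.internal:8080"'))
```

Run `audit_web_xml` over every web.xml (including Tomcat's own conf/web.xml and any webapp in a proxied instance) and treat `needs_realm` as the list of login-config sections to which Comment 7's `<realm-name>` line should be added. `realm_leaks_host` is the black-box counterpart: request a protected URL through the public proxy and feed the WWW-Authenticate value to it.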

Comment 8 errata-xmlrpc 2010-08-02 20:18:09 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.2.0 for RHEL 5
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0584 https://rhn.redhat.com/errata/RHSA-2010-0584.html

Comment 9 errata-xmlrpc 2011-06-22 23:18:02 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html

Comment 10 errata-xmlrpc 2011-06-22 23:39:26 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html
