Bug 734868 - (CVE-2011-3190) CVE-2011-3190 tomcat: authentication bypass and information disclosure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110820,reported=20110829,sou...
Keywords: Security
Depends On: 738501 738502 738503 738504 738505 738506 738507
Blocks: 734869
Reported: 2011-08-31 13:06 EDT by Vincent Danen
Modified: 2012-05-22 21:44 EDT (History)
Fixed In Version: tomcat 5.5.34
Doc Type: Bug Fix
Last Closed: 2012-05-22 21:44:12 EDT
Description Vincent Danen 2011-08-31 13:06:17 EDT
It was reported that Apache Tomcat was vulnerable to an authentication bypass and information disclosure flaw.

Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This permitted an attacker to have full control over the AJP message permitting authentication bypass and information disclosure. This vulnerability only occurs when all of the following are true:

* The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
* POST requests are accepted
* The request body is not processed

This flaw will be corrected in Tomcat 5.5.34 (svn r1162960 [1]) and Tomcat 6.0.34 (svn r1162959 [2]).

[1] http://svn.apache.org/viewvc?rev=1162960&view=rev
[2] http://svn.apache.org/viewvc?rev=1162959&view=rev
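The packet handling the description refers to, as an added Python model that is not Tomcat's code and not part of this bug report: it parses AJP13 Forward Request packets far enough to read Content-Length, then runs a read loop in which the servlet never consumes the POST body. With drain_unread_body=False the unsolicited body chunk is read as the next packet (the flaw); with True the loop discards it first, as the upstream fix does. The sample stream, addresses, URIs and the 512-byte body are constructed.

```python
import struct
MAGIC = b"\x12\x34"          # proxy -> container packet magic
JK_FORWARD_REQUEST = 2       # prefix code of a Forward Request payload

def _str(buf, pos):
    """Decode an AJP string (2-byte length, bytes, NUL terminator); length 0xFFFF is null."""
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return (None, pos + 2) if n == 0xFFFF else (buf[pos + 2:pos + 2 + n], pos + 3 + n)

def parse_forward_request(data):
    """Return (req_uri, content_length) from a Forward Request payload."""
    if data[0] != JK_FORWARD_REQUEST:
        raise ValueError("prefix 0x%02x is not a Forward Request" % data[0])
    pos, strs = 2, []                        # data[1] is the method code
    for _ in range(5):                       # protocol, req_uri, remote_addr, remote_host, server_name
        s, pos = _str(data, pos); strs.append(s)
    num_headers, pos, clen = struct.unpack(">H", data[pos + 3:pos + 5])[0], pos + 5, 0  # skip port, is_ssl
    for _ in range(num_headers):
        coded = data[pos] == 0xA0            # coded header name; 0xA008 is Content-Length
        name, pos = ((b"content-length" if data[pos + 1] == 0x08 else b""), pos + 2) if coded else _str(data, pos)
        value, pos = _str(data, pos)
        if name.lower() == b"content-length":
            clen = int(value)
    return strs[1].decode("latin-1"), clen

def serve(stream, drain_unread_body):
    """Tomcat-style AJP read loop for a servlet that never reads POST bodies; False = the flaw, True = the fix."""
    events, pos = [], 0
    while pos < len(stream):
        assert stream[pos:pos + 2] == MAGIC, "bad packet magic at offset %d" % pos
        (n,) = struct.unpack(">H", stream[pos + 2:pos + 4])
        pkt, pos = stream[pos + 4:pos + 4 + n], pos + 4 + n
        try:
            uri, clen = parse_forward_request(pkt)
        except (ValueError, struct.error):
            events.append("body chunk consumed as a new request"); continue
        events.append("request " + uri)
        if clen > 0 and drain_unread_body:   # fix: read and discard the unsolicited body chunk
            (n,) = struct.unpack(">H", stream[pos + 2:pos + 4]); pos += 4 + n
    return events

def packet(payload):
    return MAGIC + struct.pack(">H", len(payload)) + payload

def fwd(method_code, uri, clen=None):        # constructed sample Forward Request, client 10.0.0.5 -> app:80
    enc = lambda s: struct.pack(">H", len(s)) + s + b"\0"
    p = bytes([JK_FORWARD_REQUEST, method_code]) + b"".join(
        enc(s) for s in (b"HTTP/1.1", uri, b"10.0.0.5", b"proxy", b"app")) + b"\x00\x50\x00"
    return p + (b"\x00\x00\xff" if clen is None else b"\x00\x01\xa0\x08" + enc(str(clen).encode()) + b"\xff")

BODY = b"field=" + b"A" * 506                # constructed 512-byte POST body: its chunk starts 0x02 0x00
STREAM = packet(fwd(4, b"/app/upload", len(BODY))) + packet(struct.pack(">H", len(BODY)) + BODY) + packet(fwd(2, b"/app/status"))
```

Because the body chunk is prefixed by its own 2-byte length, a 512-byte body makes the chunk begin with 0x02, the Forward Request prefix code, which is why the unfixed loop accepts it as a request.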
Comment 1 David Jorm 2011-09-12 10:01:27 EDT
Tomcat 5 as shipped with Red Hat Enterprise Linux 5 and tomcat 6 as shipped with Red Hat Enterprise Linux 6 are not affected by this flaw when using the default connector configuration. If tomcat native components (APR) are not present, tomcat 5 and 6 will fail over to using the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector, which is not vulnerable.
Comment 2 David Jorm 2011-09-14 03:29:26 EDT
There are three different AJP connectors shipped with Red Hat products:
org.apache.coyote.ajp.AjpProcessor (Coyote)
org.apache.jk.server.JkCoyoteHandler (JK)
org.apache.coyote.ajp.AjpAprProcessor (APR)

APR is only provided as part of tomcat-native, which is not shipped with Red Hat Enterprise Linux 5 and 6. This flaw affects major Red Hat products as follows:

Tomcat 5 (RHEL 5): Coyote not available, JK not affected. Product not affected.

Tomcat 5 (EWS 1): Coyote not available, JK not affected, APR affected. Product affected. Customers only affected if using tomcat-native.

Tomcat 6 (RHEL 6): Coyote affected. JK not affected. Product affected. Customers only affected if using Coyote, which is not the default and needs to be manually configured.

Tomcat 6 (EWS 1): Coyote affected, JK not affected, APR affected. Product affected.

JBoss Web: All products using JBoss Web are not affected. A patch made back in 2008 mitigated this vulnerability. Patch documented here:
https://issues.jboss.org/browse/JBWEB-117
Commit diff here:
http://source.jboss.org/changelog/JBossWeb/?cs=770
Comment 3 David Knox 2011-09-14 11:41:10 EDT
Next on the list.
Comment 8 David Jorm 2011-09-14 22:34:13 EDT
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 738502]
Comment 9 David Jorm 2011-09-14 22:34:19 EDT
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [bug 738501]
Comment 12 Jan Lieskovsky 2011-09-22 08:21:53 EDT
Updated mitigation options for Tomcat-5 from upstream:
======================================================

Mitigation options:

1) Upgrade to Tomcat 5.5.34.
2) Apply the appropriate patch.
3) Configure both Tomcat and the reverse proxy to use a shared secret.
   (It is the "request.secret" attribute in the AJP <Connector> and the
   "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module
   currently does not support shared secrets).
4) Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
   implementation.
   (It is automatically selected if you do not have the Tomcat-Native library
   installed. It can also be selected explicitly: <Connector
   protocol="org.apache.jk.server.JkCoyoteHandler">).

Relevant patch mentioned in point 2):
http://svn.apache.org/viewvc?view=rev&rev=1162960

Updated mitigation options for Tomcat-6 from upstream:
======================================================

Mitigation options:

1) Upgrade to Tomcat 6.0.34.
2) Apply the appropriate patch.
3) Configure both Tomcat and the reverse proxy to use a shared secret.
   (It is the "request.secret" attribute in the AJP <Connector> and the
   "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp
   module currently does not support shared secrets).
4) Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
   implementation.
   (It is automatically selected if you do not have the Tomcat-Native library
   installed. It can also be selected explicitly: <Connector
   protocol="org.apache.jk.server.JkCoyoteHandler">).

Relevant patch mentioned in point 2):
http://svn.apache.org/viewvc?view=rev&rev=1162959
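A server.xml audit for the mitigation options above, added here as an example and not part of the upstream or Red Hat advice: it classifies each AJP <Connector> by protocol and by whether request.secret is set. The sample configuration is constructed; the protocol value org.apache.coyote.ajp.AjpProtocol for the Coyote connector and the AJP/1.3 fallback behaviour are assumptions taken from the comments above and standard Tomcat 6 configuration.

```python
import xml.etree.ElementTree as ET

JK = "org.apache.jk.server.JkCoyoteHandler"   # BIO AJP connector, not affected per comment 2

def audit_ajp_connectors(server_xml):
    """Return (port, protocol, verdict) for every AJP <Connector> in a server.xml string."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        proto = c.get("protocol", "HTTP/1.1")
        if "ajp" not in proto.lower() and proto != JK:
            continue                              # HTTP connectors are out of scope
        if proto == JK:
            verdict = "not affected: JK (BIO) connector"
        elif c.get("request.secret"):
            verdict = "mitigated: shared secret configured (the proxy must send it too; mod_proxy_ajp cannot)"
        elif proto == "AJP/1.3":
            verdict = "affected if tomcat-native (APR) is installed, else falls back to JK; set request.secret"
        else:
            verdict = "affected: Coyote/APR AJP connector without request.secret"
        findings.append((c.get("port"), proto, verdict))
    return findings

# Constructed sample server.xml (not from any shipped product) exercising each case.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Connector port="8010" protocol="org.apache.coyote.ajp.AjpProtocol"/>
  <Connector port="8011" protocol="org.apache.coyote.ajp.AjpProtocol" request.secret="example-secret"/>
  <Connector port="8012" protocol="org.apache.jk.server.JkCoyoteHandler"/>
</Service></Server>"""
```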
Comment 13 errata-xmlrpc 2011-12-05 12:49:06 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1780 https://rhn.redhat.com/errata/RHSA-2011-1780.html
Comment 23 Coty Sutherland 2012-05-01 12:43:43 EDT
Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?
Comment 24 David Jorm 2012-05-01 19:59:32 EDT
(In reply to comment #23)
> Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

An erratum for EWS 1.0.2 is in progress. It is currently awaiting QE.
Comment 25 errata-xmlrpc 2012-05-21 12:32:14 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html
Comment 26 errata-xmlrpc 2012-05-21 12:33:47 EDT
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html
Comment 27 errata-xmlrpc 2012-05-21 12:41:22 EDT
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html
Comment 28 errata-xmlrpc 2012-05-21 12:49:44 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html