Bug 883634 (CVE-2012-3546) - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints
Summary: CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-3546
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 883702 883704 883705 883706 883707 883708 883709 883710 883711 883712 883713 883714 883715 892849 892851 892852 895771 896527 901352 903925 913034 913035 913036 915189 1014384
Blocks: 789173 835396 849517 883656 903405
TreeView+ depends on / blocked
 
Reported: 2012-12-05 03:24 UTC by Arun Babu Neelicattu
Modified: 2021-02-17 08:18 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-12 23:55:55 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBPAPP-10479 0 Major Closed CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints 2017-11-24 20:14:54 UTC
Red Hat Issue Tracker JBPAPP-10492 0 Major Resolved Patch required (EAP4) - CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints 2017-11-24 20:14:54 UTC
Red Hat Issue Tracker JBPAPP6-1690 0 Critical Closed CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints 2017-11-24 20:14:54 UTC
Red Hat Product Errata RHSA-2013:0004 0 normal SHIPPED_LIVE Important: tomcat6 security update 2013-01-04 03:54:37 UTC
Red Hat Product Errata RHSA-2013:0005 0 normal SHIPPED_LIVE Important: tomcat6 security update 2013-01-04 03:54:29 UTC
Red Hat Product Errata RHSA-2013:0146 0 normal SHIPPED_LIVE Important: jbossweb security update 2013-01-09 01:34:28 UTC
Red Hat Product Errata RHSA-2013:0147 0 normal SHIPPED_LIVE Important: jbossas security update 2013-01-09 01:34:16 UTC
Red Hat Product Errata RHSA-2013:0151 0 normal SHIPPED_LIVE Important: JBoss Enterprise Portal Platform 4.3 CP07 security update 2013-01-10 10:41:06 UTC
Red Hat Product Errata RHSA-2013:0157 0 normal SHIPPED_LIVE Important: tomcat6 security update 2013-01-15 01:43:49 UTC
Red Hat Product Errata RHSA-2013:0158 0 normal SHIPPED_LIVE Important: tomcat6 security update 2013-01-15 01:53:57 UTC
Red Hat Product Errata RHSA-2013:0162 0 normal SHIPPED_LIVE Important: JBoss Enterprise SOA Platform 4.2.0.CP05 and 4.3.0.CP05 update 2013-01-16 00:03:11 UTC
Red Hat Product Errata RHSA-2013:0163 0 normal SHIPPED_LIVE Important: jbossweb security update 2013-01-16 00:03:05 UTC
Red Hat Product Errata RHSA-2013:0164 0 normal SHIPPED_LIVE Important: jbossweb security update 2013-01-16 00:02:54 UTC
Red Hat Product Errata RHSA-2013:0191 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:30:08 UTC
Red Hat Product Errata RHSA-2013:0192 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:28:23 UTC
Red Hat Product Errata RHSA-2013:0193 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:42:29 UTC
Red Hat Product Errata RHSA-2013:0194 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:08:14 UTC
Red Hat Product Errata RHSA-2013:0195 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:41:24 UTC
Red Hat Product Errata RHSA-2013:0196 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:55:46 UTC
Red Hat Product Errata RHSA-2013:0197 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:54:22 UTC
Red Hat Product Errata RHSA-2013:0198 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-25 00:07:17 UTC
Red Hat Product Errata RHSA-2013:0221 0 normal SHIPPED_LIVE Important: JBoss Enterprise BRMS Platform 5.3.1 update 2013-02-01 01:23:18 UTC
Red Hat Product Errata RHSA-2013:0235 0 normal SHIPPED_LIVE Important: jbossweb security update 2013-02-05 04:42:22 UTC
Red Hat Product Errata RHSA-2013:0623 0 normal SHIPPED_LIVE Important: tomcat6 security update 2013-03-11 23:31:54 UTC
Red Hat Product Errata RHSA-2013:0640 0 normal SHIPPED_LIVE Important: tomcat5 security update 2013-03-12 22:07:47 UTC
Red Hat Product Errata RHSA-2013:0641 0 normal SHIPPED_LIVE Important: tomcat5 security update 2013-03-12 21:57:23 UTC
Red Hat Product Errata RHSA-2013:0642 0 normal SHIPPED_LIVE Important: tomcat5 security update 2013-03-12 21:57:18 UTC

Description Arun Babu Neelicattu 2012-12-05 03:24:29 UTC 
When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

Source: Tomcat security pages. [1,2]

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html

Upstream commits:

http://svn.apache.org/viewvc?view=revision&revision=1381035
http://svn.apache.org/viewvc?view=revision&revision=1377892
Comment 4 David Jorm 2012-12-05 06:53:16 UTC 
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 883702]
Comment 5 David Jorm 2012-12-05 06:53:19 UTC 
Created tomcat tracking bugs for this issue

Affects: fedora-all [bug 883704]
Comment 17 Fedora Update System 2012-12-19 08:29:45 UTC 
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2013-01-03 22:55:29 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2013:0005 https://rhn.redhat.com/errata/RHSA-2013-0005.html
Comment 19 errata-xmlrpc 2013-01-03 22:56:04 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.0

Via RHSA-2013:0004 https://rhn.redhat.com/errata/RHSA-2013-0004.html
Comment 20 errata-xmlrpc 2013-01-08 20:35:32 UTC 
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:0147 https://rhn.redhat.com/errata/RHSA-2013-0147.html
Comment 21 errata-xmlrpc 2013-01-08 20:36:06 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2013:0146 https://rhn.redhat.com/errata/RHSA-2013-0146.html
Comment 22 errata-xmlrpc 2013-01-10 05:42:12 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 4.3.0 CP07

Via RHSA-2013:0151 https://rhn.redhat.com/errata/RHSA-2013-0151.html
Comment 23 errata-xmlrpc 2013-01-14 20:44:58 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0157 https://rhn.redhat.com/errata/RHSA-2013-0157.html
Comment 24 errata-xmlrpc 2013-01-14 20:54:23 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0158 https://rhn.redhat.com/errata/RHSA-2013-0158.html
Comment 25 errata-xmlrpc 2013-01-15 19:03:49 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6
  JBEAP 6 for RHEL 5

Via RHSA-2013:0164 https://rhn.redhat.com/errata/RHSA-2013-0164.html
Comment 26 errata-xmlrpc 2013-01-15 19:03:54 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0163 https://rhn.redhat.com/errata/RHSA-2013-0163.html
Comment 27 errata-xmlrpc 2013-01-15 19:04:26 UTC 
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 4.2.0.CP05 and 4.3.0.CP05

Via RHSA-2013:0162 https://rhn.redhat.com/errata/RHSA-2013-0162.html
Comment 28 errata-xmlrpc 2013-01-24 18:09:57 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
Comment 29 errata-xmlrpc 2013-01-24 18:32:47 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
Comment 30 errata-xmlrpc 2013-01-24 18:33:34 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
Comment 31 errata-xmlrpc 2013-01-24 18:45:49 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
Comment 32 errata-xmlrpc 2013-01-24 18:46:35 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
Comment 33 errata-xmlrpc 2013-01-24 18:58:52 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
Comment 34 errata-xmlrpc 2013-01-24 18:59:43 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
Comment 35 errata-xmlrpc 2013-01-24 19:08:44 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html
Comment 36 errata-xmlrpc 2013-01-31 20:31:44 UTC 
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html
Comment 37 errata-xmlrpc 2013-02-04 23:43:56 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2
  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2013:0235 https://rhn.redhat.com/errata/RHSA-2013-0235.html
Comment 39 David Jorm 2013-02-20 09:32:12 UTC 
Statement:

Tomcat 5.5 has reached the end of its supported upstream life-cycle, and the Apache Tomcat project no longer tests security flaws to determine whether they affect Tomcat 5.5. Red Hat has tested tomcat 5.5 as shipped with Red Hat Enterprise Linux 5 and JBoss Enterprise Web Server 1, and found that it is affected by this flaw. Patches for tomcat 5.5 to address this flaw have been  provided.
Comment 40 errata-xmlrpc 2013-03-11 19:33:46 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0623 https://rhn.redhat.com/errata/RHSA-2013-0623.html
Comment 41 errata-xmlrpc 2013-03-12 17:57:54 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0642 https://rhn.redhat.com/errata/RHSA-2013-0642.html
Comment 42 errata-xmlrpc 2013-03-12 17:58:03 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0641 https://rhn.redhat.com/errata/RHSA-2013-0641.html
Comment 43 errata-xmlrpc 2013-03-12 18:08:37 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0640 https://rhn.redhat.com/errata/RHSA-2013-0640.html
Note You need to log in before you can comment on or make changes to this bug.