Bug 883634 - (CVE-2012-3546) CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints
CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20121204,repo...
: Security
Depends On: 883702 883704 883705 883706 883707 883708 883709 883710 883711 883712 883713 883714 883715 892849 892851 892852 895771 896527 901352 903925 913034 913035 913036 915189 1014384
Blocks: 789173 835396 849517 883656 903405
  Show dependency treegraph
 
Reported: 2012-12-04 22:24 EST by Arun Babu Neelicattu
Modified: 2015-02-15 16:51 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-12 19:55:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JBPAPP-10479 Major Closed CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints 2016-03-18 08:56 EDT
JBoss Issue Tracker JBPAPP-10492 Major Resolved Patch required (EAP4) - CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints 2016-03-18 08:56 EDT
JBoss Issue Tracker JBPAPP6-1690 Critical Closed CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints 2016-03-18 08:56 EDT

  None (edit)
Description Arun Babu Neelicattu 2012-12-04 22:24:29 EST
When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

Source: Tomcat security pages. [1,2]

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html

Upstream commits:

http://svn.apache.org/viewvc?view=revision&revision=1381035
http://svn.apache.org/viewvc?view=revision&revision=1377892
Comment 4 David Jorm 2012-12-05 01:53:16 EST
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 883702]
Comment 5 David Jorm 2012-12-05 01:53:19 EST
Created tomcat tracking bugs for this issue

Affects: fedora-all [bug 883704]
Comment 17 Fedora Update System 2012-12-19 03:29:45 EST
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2013-01-03 17:55:29 EST
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2013:0005 https://rhn.redhat.com/errata/RHSA-2013-0005.html
Comment 19 errata-xmlrpc 2013-01-03 17:56:04 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.0

Via RHSA-2013:0004 https://rhn.redhat.com/errata/RHSA-2013-0004.html
Comment 20 errata-xmlrpc 2013-01-08 15:35:32 EST
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:0147 https://rhn.redhat.com/errata/RHSA-2013-0147.html
Comment 21 errata-xmlrpc 2013-01-08 15:36:06 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2013:0146 https://rhn.redhat.com/errata/RHSA-2013-0146.html
Comment 22 errata-xmlrpc 2013-01-10 00:42:12 EST
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 4.3.0 CP07

Via RHSA-2013:0151 https://rhn.redhat.com/errata/RHSA-2013-0151.html
Comment 23 errata-xmlrpc 2013-01-14 15:44:58 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0157 https://rhn.redhat.com/errata/RHSA-2013-0157.html
Comment 24 errata-xmlrpc 2013-01-14 15:54:23 EST
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0158 https://rhn.redhat.com/errata/RHSA-2013-0158.html
Comment 25 errata-xmlrpc 2013-01-15 14:03:49 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6
  JBEAP 6 for RHEL 5

Via RHSA-2013:0164 https://rhn.redhat.com/errata/RHSA-2013-0164.html
Comment 26 errata-xmlrpc 2013-01-15 14:03:54 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0163 https://rhn.redhat.com/errata/RHSA-2013-0163.html
Comment 27 errata-xmlrpc 2013-01-15 14:04:26 EST
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 4.2.0.CP05 and 4.3.0.CP05

Via RHSA-2013:0162 https://rhn.redhat.com/errata/RHSA-2013-0162.html
Comment 28 errata-xmlrpc 2013-01-24 13:09:57 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
Comment 29 errata-xmlrpc 2013-01-24 13:32:47 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
Comment 30 errata-xmlrpc 2013-01-24 13:33:34 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
Comment 31 errata-xmlrpc 2013-01-24 13:45:49 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
Comment 32 errata-xmlrpc 2013-01-24 13:46:35 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
Comment 33 errata-xmlrpc 2013-01-24 13:58:52 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
Comment 34 errata-xmlrpc 2013-01-24 13:59:43 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
Comment 35 errata-xmlrpc 2013-01-24 14:08:44 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html
Comment 36 errata-xmlrpc 2013-01-31 15:31:44 EST
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html
Comment 37 errata-xmlrpc 2013-02-04 18:43:56 EST
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2
  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2013:0235 https://rhn.redhat.com/errata/RHSA-2013-0235.html
Comment 39 David Jorm 2013-02-20 04:32:12 EST
Statement:

Tomcat 5.5 has reached the end of its supported upstream life-cycle, and the Apache Tomcat project no longer tests security flaws to determine whether they affect Tomcat 5.5. Red Hat has tested tomcat 5.5 as shipped with Red Hat Enterprise Linux 5 and JBoss Enterprise Web Server 1, and found that it is affected by this flaw. Patches for tomcat 5.5 to address this flaw have been  provided.
Comment 40 errata-xmlrpc 2013-03-11 15:33:46 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0623 https://rhn.redhat.com/errata/RHSA-2013-0623.html
Comment 41 errata-xmlrpc 2013-03-12 13:57:54 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2013:0642 https://rhn.redhat.com/errata/RHSA-2013-0642.html
Comment 42 errata-xmlrpc 2013-03-12 13:58:03 EDT
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2013:0641 https://rhn.redhat.com/errata/RHSA-2013-0641.html
Comment 43 errata-xmlrpc 2013-03-12 14:08:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0640 https://rhn.redhat.com/errata/RHSA-2013-0640.html

Note You need to log in before you can comment on or make changes to this bug.