Bug 883636 (CVE-2012-4431) - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
Summary: CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4431
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 883675 883676 883677 883678 883680 883681 883682 883683 883684 883685 883686 883687 901240 909058 909063 912962 921794 921795 921798
Blocks: 883657 906153 956239 970481
Reported: 2012-12-05 03:28 UTC by Arun Babu Neelicattu
Modified: 2021-02-17 08:18 UTC (History)

Fixed In Version: Apache Tomcat 7.0.32, Apache Tomcat 6.0.36
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-18 00:59:22 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0265 0 normal SHIPPED_LIVE Moderate: tomcat6 security update 2013-02-20 01:29:31 UTC
Red Hat Product Errata RHSA-2013:0266 0 normal SHIPPED_LIVE Moderate: tomcat6 security update 2013-02-20 03:12:56 UTC
Red Hat Product Errata RHSA-2013:0267 0 normal SHIPPED_LIVE Moderate: tomcat7 security update 2013-02-20 03:12:51 UTC
Red Hat Product Errata RHSA-2013:0268 0 normal SHIPPED_LIVE Moderate: tomcat7 security update 2013-02-20 03:12:44 UTC
Red Hat Product Errata RHSA-2013:0647 0 normal SHIPPED_LIVE Moderate: jbossweb security update 2013-03-14 20:48:21 UTC
Red Hat Product Errata RHSA-2013:0648 0 normal SHIPPED_LIVE Moderate: jbossweb security update 2013-03-14 20:48:16 UTC
Red Hat Product Errata RHSA-2013:0665 0 normal SHIPPED_LIVE Important: JBoss Data Grid 6.1.0 update 2013-03-20 19:58:45 UTC
Red Hat Product Errata RHSA-2013:1437 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.1.0 update 2013-10-16 20:53:32 UTC
Red Hat Product Errata RHSA-2013:1853 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Operations Network 3.2.0 update 2013-12-17 23:36:29 UTC

Description Arun Babu Neelicattu 2012-12-05 03:28:01 UTC
The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.

Source: Tomcat security pages. [1,2]

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html
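As an added illustration (constructed here, not code from Tomcat, JBoss Web or this bug report), the fail-open decision the description refers to, modelled in Python: the vulnerable variant only consults the per-session nonce cache when a session exists, so a request that carries no session identifier is never checked at all, while the fixed variant denies whenever the session, the nonce or the cache hit is missing. The parameter name, the entry-point list and the set-based cache are simplifications assumed for the model.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed names; the real filter's parameter name and entry-point config are not reproduced.
NONCE_PARAM = "csrf_nonce"
ENTRY_POINTS = {"/login"}  # GET requests to entry points skip the nonce check


@dataclass
class Session:
    # Nonces issued to this session (a plain set stands in for a bounded cache).
    nonce_cache: Set[str] = field(default_factory=set)


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session]  # None: the request carried no session identifier
    params: dict


def _skip_check(req: Request) -> bool:
    return req.method == "GET" and req.path in ENTRY_POINTS


def vulnerable_allows(req: Request) -> bool:
    """Fail-open logic: the nonce is only compared when a cache exists,
    so a request without a session passes unchecked."""
    if _skip_check(req):
        return True
    cache = req.session.nonce_cache if req.session else None
    nonce = req.params.get(NONCE_PARAM)
    if cache is not None and nonce not in cache:
        return False
    return True


def fixed_allows(req: Request) -> bool:
    """Fail-closed logic: deny unless a session, a submitted nonce and a
    cache hit are all present."""
    if _skip_check(req):
        return True
    cache = req.session.nonce_cache if req.session else None
    nonce = req.params.get(NONCE_PARAM)
    if cache is None or nonce is None or nonce not in cache:
        return False
    return True


if __name__ == "__main__":
    anonymous = Request("POST", "/admin/transfer", None, {})  # constructed request
    print("vulnerable:", vulnerable_allows(anonymous))  # True (bypass)
    print("fixed:", fixed_allows(anonymous))            # False
```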

Comment 8 Fedora Update System 2012-12-19 08:29:35 UTC
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 David Jorm 2013-02-13 05:10:13 UTC
The CSRF prevention filter was introduced in tomcat 6.0.30, as noted in the changelog:

http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Red Hat Enterprise Linux 6 ships tomcat 6.0.24, and does not include the CSRF prevention filter. Therefore it is not affected by this flaw.

Comment 12 Vincent Danen 2013-02-13 23:20:09 UTC
External References:

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.32

Statement:

This issue did not affect the versions of tomcat5 as shipped with Red Hat Enterprise Linux 5 and tomcat6 as shipped with Red Hat Enterprise Linux 6 as they did not include the CSRF prevention filter.

Comment 13 errata-xmlrpc 2013-02-19 20:30:55 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 2.0.0

Via RHSA-2013:0265 https://rhn.redhat.com/errata/RHSA-2013-0265.html

Comment 14 errata-xmlrpc 2013-02-19 22:14:06 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2013:0268 https://rhn.redhat.com/errata/RHSA-2013-0268.html

Comment 15 errata-xmlrpc 2013-02-19 22:14:13 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 2.0.0

Via RHSA-2013:0267 https://rhn.redhat.com/errata/RHSA-2013-0267.html

Comment 16 errata-xmlrpc 2013-02-19 22:15:07 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2013:0266 https://rhn.redhat.com/errata/RHSA-2013-0266.html

Comment 18 errata-xmlrpc 2013-03-14 16:49:22 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0648 https://rhn.redhat.com/errata/RHSA-2013-0648.html

Comment 19 errata-xmlrpc 2013-03-14 16:50:09 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6

Via RHSA-2013:0647 https://rhn.redhat.com/errata/RHSA-2013-0647.html

Comment 21 errata-xmlrpc 2013-03-20 15:59:35 UTC
This issue has been addressed in the following products:

  JBoss Data Grid 6.1.0

Via RHSA-2013:0665 https://rhn.redhat.com/errata/RHSA-2013-0665.html

Comment 22 errata-xmlrpc 2013-10-16 16:55:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html

Comment 23 errata-xmlrpc 2013-12-17 18:37:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.0

Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html

