Bug 427216 (CVE-2007-5342) - CVE-2007-5342 Apache Tomcat's default security policy is too open
Summary: CVE-2007-5342 Apache Tomcat's default security policy is too open
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5342
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard:
Depends On: 427776 427777 428668 435919
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-02 10:28 UTC by Marc Schoenefeld
Modified: 2019-09-29 12:22 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-22 22:36:50 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0042 normal SHIPPED_LIVE Moderate: tomcat security update 2008-03-11 10:51:42 UTC
Red Hat Product Errata RHSA-2008:0195 normal SHIPPED_LIVE Moderate: tomcat security update 2008-04-28 09:16:00 UTC
Red Hat Product Errata RHSA-2008:0831 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 4.3.0CP02 security update 2008-09-22 13:02:33 UTC
Red Hat Product Errata RHSA-2008:0832 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 4.3.0CP02 security update 2008-09-22 13:27:27 UTC
Red Hat Product Errata RHSA-2008:0833 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 4.2.0CP04 security update 2008-09-22 12:50:41 UTC
Red Hat Product Errata RHSA-2008:0834 normal SHIPPED_LIVE Low: JBoss Enterprise Application Platform 4.2.0CP04 security update 2008-09-22 13:15:32 UTC
Red Hat Product Errata RHSA-2008:0862 normal SHIPPED_LIVE Important: tomcat security update 2008-10-02 14:03:32 UTC

Description Marc Schoenefeld 2008-01-02 10:28:10 UTC
Generally it is a bad idea to grant java.security.AllPermission 
in java security policy files. This is the case for 
the tomcat-juli.jar, part of the logging framework
for Apache Tomcat.

CVE description from Mitre: 

The default catalina.policy in the JULI logging component in Apache
Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict
certain permissions for web applications, which allows attackers to
modify logging configuration options and overwrite arbitrary files, as
demonstrated by changing the (1) level, (2) directory, and (3) prefix
attributes in the org.apache.juli.FileHandler handler.


http://www.securityfocus.com/archive/1/archive/1/485481/100/0/threaded
http://svn.apache.org/viewvc?view=rev&revision=606594

Comment 3 Fedora Update System 2008-02-09 00:31:46 UTC
tomcat5-5.5.26-1jpp.1.fc7 has been submitted as an update for Fedora 7

Comment 4 Fedora Update System 2008-02-09 00:34:58 UTC
tomcat5-5.5.26-1jpp.1.fc8 has been submitted as an update for Fedora 8

Comment 5 Fedora Update System 2008-02-12 20:31:55 UTC
tomcat5-5.5.26-1jpp.2.fc8 has been submitted as an update for Fedora 8

Comment 6 Fedora Update System 2008-02-12 20:34:09 UTC
tomcat5-5.5.26-1jpp.2.fc7 has been submitted as an update for Fedora 7

Comment 7 Fedora Update System 2008-02-13 04:54:31 UTC
tomcat5-5.5.26-1jpp.2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-02-13 05:13:59 UTC
tomcat5-5.5.26-1jpp.2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Vincent Danen 2010-12-22 22:36:50 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0042)
Red Hat Developer Suite v.3 (AS v.4) (RHSA-2008:0195)
JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (RHSA-2008:0831)
JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (RHSA-2008:0832)
JBoss Enterprise Application Platform for RHEL 4 AS (RHSA-2008:0833)
JBoss Enterprise Application Platform for RHEL 5 Server (RHSA-2008:0834)
Red Hat Application Server v2 4AS (RHSA-2008:0862)


Note You need to log in before you can comment on or make changes to this bug.