Description: Absolute path traversal vulnerability in Apache Tomcat, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

Mail from Mark Thomas (Apache.org):

A vulnerability in the Apache Tomcat webdav servlet was publicly disclosed on full disclosure yesterday, 14-Oct-2007.[1] The Tomcat security team has evaluated this vulnerability and determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x are not affected.

In order to be affected, systems must have:
- one or more contexts configured for webdav using Tomcat's built-in webdav implementation
- enabled write capability via webdav

Note:
- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context (/webdav) by default

Systems with write-enabled webdav contexts are exposed to this vulnerability which, for such systems, is critical.

Mitigations available are:
- Disable write access until a fixed version is available
- Limit write access to trusted users
- Apply the following patch which will be included in the next releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java =================================================================== --- src/share/org/apache/catalina/servlets/WebdavServlet.java (revision 584648) +++ src/share/org/apache/catalina/servlets/WebdavServlet.java (working copy) @@ -252,6 +252,7 @@ try { documentBuilderFactory = DocumentBuilderFactory.newInstance(); documentBuilderFactory.setNamespaceAware(true); + documentBuilderFactory.setExpandEntityReferences(false); documentBuilder = documentBuilderFactory.newDocumentBuilder(); } catch(ParserConfigurationException e) { throw new ServletException

[1] http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html
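Review bot: the added `documentBuilderFactory.setExpandEntityReferences(false);` in the WebdavServlet hunk is the whole fix and carries no comment, and the factory's settings for DOCTYPE declarations and external general/parameter entities are left at their defaults. Add a comment on that line saying it exists to stop the SYSTEM entity from the report being resolved into the request body, and consider disabling those external-entity features explicitly alongside it so the intent survives a parser change; a test that feeds the servlet a body declaring a SYSTEM entity and checks that no file content reaches the response would pin the behaviour down. The trailing context stops mid-statement at `throw new ServletException`, so the hunk as quoted here does not show how a rejected body is reported to the client.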
A working patch is available: http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
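The hardening that the mail's patch begins, as an added example that is not Tomcat's WebdavServlet code or the linked working patch: it builds the factory as the hunk shows it before the fix and a hardened variant that applies setExpandEntityReferences(false) together with the standard Xerces/SAX features that refuse a DOCTYPE and external entities, then uses a recording EntityResolver to check whether each parser ever asks for the SYSTEM entity named in a constructed request body. It assumes the JDK's built-in Xerces parser; the class, method and entity names are mine.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
public class WebdavXmlHardening {
    // Constructed body in the report's shape: a DOCTYPE-declared external (SYSTEM) entity referenced in content; placeholder URI.
    static final String BODY_WITH_SYSTEM_ENTITY =
          "<!DOCTYPE D:propfind [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER\"> ]>\n"
        + "<D:propfind xmlns:D=\"DAV:\"><D:prop>&ext;</D:prop></D:propfind>";
    // Factory as the hunk shows it before the fix; hardened adds the hunk's flag plus Xerces features refusing any DOCTYPE.
    static DocumentBuilderFactory factory(boolean hardened) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        if (hardened) {
            f.setExpandEntityReferences(false);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }
        return f;
    }

    // Records whether the parser asked for an external entity; answering with an empty entity keeps the demo off the filesystem.
    static final class RecordingResolver implements EntityResolver {
        String requestedSystemId;
        public InputSource resolveEntity(String publicId, String systemId) {
            requestedSystemId = systemId;
            return new InputSource(new StringReader(""));
        }
    }

    // Returns the SYSTEM id the parser tried to fetch, or null if it never got that far.
    static String externalEntityRequested(boolean hardened, String body) throws ParserConfigurationException, IOException {
        DocumentBuilder b = factory(hardened).newDocumentBuilder();
        RecordingResolver r = new RecordingResolver();
        b.setEntityResolver(r);
        try {
            b.parse(new InputSource(new StringReader(body)));
        } catch (SAXException refused) { /* the hardened parser rejects the DOCTYPE before any fetch */ }
        return r.requestedSystemId;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default factory asked for: " + externalEntityRequested(false, BODY_WITH_SYSTEM_ENTITY));
        System.out.println("hardened factory asked for: " + externalEntityRequested(true, BODY_WITH_SYSTEM_ENTITY));
    }
}
```

A non-null result means the parser went looking for the external entity; the "[Fatal Error]" line the JDK's default error handler prints to stderr for the hardened run is the DOCTYPE being refused, not a failure of the demo.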
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
This has been addressed in the following Red Hat products:
JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS: RHSA-2008:0151
JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server: RHSA-2008:0213
Red Hat Application Server v2 4AS: RHSA-2008:0862
Red Hat Application Stack v1 for Enterprise Linux AS (v.4): RHSA-2008:0158
Red Hat Application Stack v2 for Enterprise Linux (v.5): RHSA-2008:0158
Red Hat Certificate System 7.3 for 4AS: RHSA-2010:0602
Red Hat Developer Suite v.3 (AS v.4): RHSA-2008:0195
Red Hat Enterprise Linux version 5: RHSA-2008:0042
Red Hat Network Satellite Server 5.0 (RHEL v.4 AS): RHSA-2008:0261
Red Hat Network Satellite Server 5.1 (RHEL v.4 AS): RHSA-2008:0630
Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS): RHSA-2008:0524
Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS): RHSA-2008:0524