Bug 333791 (CVE-2007-5461) - CVE-2007-5461 Absolute path traversal Apache Tomcat WEBDAV
Summary: CVE-2007-5461 Absolute path traversal Apache Tomcat WEBDAV
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5461
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://archives.neohapsis.com/archive...
Whiteboard:
Depends On: 334511 334521 334531 334541 334551 334561 334571 334591 363001 428666 430730 430731 440521 445320 449337 470236 470237
Blocks: 444136
Reported: 2007-10-16 09:46 UTC by Marc Schoenefeld
Modified: 2019-09-29 12:21 UTC

Fixed In Version: 5.5.25-1jpp.1.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-05 00:42:48 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0042 0 normal SHIPPED_LIVE Moderate: tomcat security update 2008-03-11 10:51:42 UTC
Red Hat Product Errata RHSA-2008:0195 0 normal SHIPPED_LIVE Moderate: tomcat security update 2008-04-28 09:16:00 UTC
Red Hat Product Errata RHSA-2008:0630 0 normal SHIPPED_LIVE Low: Red Hat Network Satellite Server security update 2008-08-13 14:55:17 UTC
Red Hat Product Errata RHSA-2008:0862 0 normal SHIPPED_LIVE Important: tomcat security update 2008-10-02 14:03:32 UTC
Red Hat Product Errata RHSA-2010:0602 0 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Marc Schoenefeld 2007-10-16 09:46:39 UTC
Description:

Absolute path traversal vulnerability in Apache Tomcat, under certain
configurations, allows remote authenticated users to read arbitrary
files via a WebDAV write request that specifies an entity with a
SYSTEM tag.

Mail from Mark Thomas (Apache.org): 

A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full disclosure yesterday, 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
are not affected.

In order to be affected systems must have:
- one or more contexts configured for webdav using Tomcat's built-in
webdav implementation
- enabled write capability via webdav

Note:
- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
(/webdav) by default

Systems with write-enabled webdav contexts are exposed to this
vulnerability which, for such systems, is critical.

Mitigations available are:
- Disable write access until a fixed version is available
- Limit write access to trusted users
- Apply the following patch which will be included in the next
releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- src/share/org/apache/catalina/servlets/WebdavServlet.java
(revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java	(working
copy)
@@ -252,6 +252,7 @@
         try {
             documentBuilderFactory =
DocumentBuilderFactory.newInstance();
             documentBuilderFactory.setNamespaceAware(true);
+            documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
documentBuilderFactory.newDocumentBuilder();
         } catch(ParserConfigurationException e) {
             throw new ServletException
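Review bot: setExpandEntityReferences(false) on its own is a thin defence against the SYSTEM-entity read this report describes: it controls whether entity references are expanded into the resulting DOM, not whether the parser resolves the external entity while scanning the document, so the referenced file may still be opened. A WebDAV request body has no legitimate use for a DOCTYPE, so alongside this line the builder should get an EntityResolver that returns an empty InputSource for every external reference (or the parser's external-general-entities and external-parameter-entities features should be switched off, and the DOCTYPE declaration disallowed where the parser supports it); the hunk should also be compared against the later "working patch" referenced in Comment 3, which suggests this first version was not considered complete.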

[1]
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html
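The two parser settings side by side, as an added example that is not Tomcat's code and not the patch from the mail above: the DocumentBuilder as the hunk configures it, beside a hardened builder that refuses a DOCTYPE and resolves nothing external. The class name, the sample PROPPATCH body and the placeholder file path are constructed for this example; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example (hypothetical class, not Tomcat's WebdavServlet): two ways to build
 *  the DocumentBuilder that parses WebDAV request bodies. */
public class WebdavBodyParserExample {

    /** Constructed sample PROPPATCH body declaring an external SYSTEM entity.
     *  The path is a placeholder; a hardened parser must never open it. */
    static final String SAMPLE_BODY =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE propertyupdate [\n"
        + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">\n"
        + "]>\n"
        + "<D:propertyupdate xmlns:D=\"DAV:\">\n"
        + "  <D:set><D:prop><D:note>&ext;</D:note></D:prop></D:set>\n"
        + "</D:propertyupdate>\n";

    /** Mirrors the mailed hunk: only DOM expansion is switched off. Whether the
     *  parser still fetches the external entity while scanning is left to the
     *  implementation, which is why this alone is a weak setting. */
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Hardened setting: a WebDAV body never needs a DOCTYPE, so reject it, and
     *  close every other route by which an external entity could be resolved. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Xerces/JDK feature: any <!DOCTYPE ...> makes parsing fail.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept a DOCTYPE anyway.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Last line of defence: every external reference resolves to an empty
        // document instead of a local file or URL.
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return builder;
    }

    /** Parses a request body with the given builder; a SAXException means it was refused. */
    static Document parseBody(DocumentBuilder builder, String body)
            throws SAXException, IOException {
        return builder.parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parseBody(hardenedBuilder(), SAMPLE_BODY);
            System.out.println("unexpected: body with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("hardened parser refused the body: " + e.getMessage());
        }
    }
}
```

Compile and run with javac/java (Java 8 or later); the hardened builder throws a SAXParseException on the sample body as soon as it meets the DOCTYPE, so the entity declaration is never processed. The entity resolver is kept even though the DOCTYPE feature already refuses the body, because the resolver is the setting that still holds if a deployment swaps in a parser that does not honour the Xerces feature.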

Comment 3 Marc Schoenefeld 2007-10-23 13:58:43 UTC
A working patch is available: 
http://people.apache.org/~markt/patches/2007-10-20-webdav.patch 

Comment 5 Fedora Update System 2007-11-17 05:37:44 UTC
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2010-08-04 21:31:27 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Comment 11 Vincent Danen 2013-04-05 00:42:48 UTC
This has been addressed in the following Red Hat products:

JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS: RHSA-2008:0151
JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server: RHSA-2008:0213
Red Hat Application Server v2 4AS: RHSA-2008:0862
Red Hat Application Stack v1 for Enterprise Linux AS (v.4): RHSA-2008:0158
Red Hat Application Stack v2 for Enterprise Linux (v.5): RHSA-2008:0158
Red Hat Certificate System 7.3 for 4AS: RHSA-2010:0602
Red Hat Developer Suite v.3 (AS v.4): RHSA-2008:0195
Red Hat Enterprise Linux version 5: RHSA-2008:0042
Red Hat Network Satellite Server 5.0 (RHEL v.4 AS): RHSA-2008:0261
Red Hat Network Satellite Server 5.1 (RHEL v.4 AS): RHSA-2008:0630
Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS): RHSA-2008:0524
Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS): RHSA-2008:0524

