Bug 734868 (CVE-2011-3190) - CVE-2011-3190 tomcat: authentication bypass and information disclosure
Summary: CVE-2011-3190 tomcat: authentication bypass and information disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-3190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 738501 738502 738503 738504 738505 738506 738507
Blocks: 734869
Reported: 2011-08-31 17:06 UTC by Vincent Danen
Modified: 2019-09-29 12:47 UTC

Fixed In Version: tomcat 5.5.34
Clone Of:
Environment:
Last Closed: 2012-05-23 01:44:12 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1780 0 normal SHIPPED_LIVE Moderate: tomcat6 security and bug fix update 2011-12-05 22:46:42 UTC
Red Hat Product Errata RHSA-2012:0679 0 normal SHIPPED_LIVE Moderate: tomcat5 security and bug fix update 2012-05-21 20:28:06 UTC
Red Hat Product Errata RHSA-2012:0680 0 normal SHIPPED_LIVE Moderate: tomcat5 security and bug fix update 2012-05-21 20:27:56 UTC
Red Hat Product Errata RHSA-2012:0681 0 normal SHIPPED_LIVE Moderate: tomcat6 security and bug fix update 2012-05-21 20:38:23 UTC
Red Hat Product Errata RHSA-2012:0682 0 normal SHIPPED_LIVE Moderate: tomcat6 security and bug fix update 2012-05-21 20:48:57 UTC

Description Vincent Danen 2011-08-31 17:06:17 UTC
It was reported that Apache Tomcat was vulnerable to an authentication bypass and information disclosure flaw.

Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This permitted an attacker to have full control over the AJP message permitting authentication bypass and information disclosure. This vulnerability only occurs when all of the following are true:

* The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
* POST requests are accepted
* The request body is not processed

This flaw will be corrected in Tomcat 5.5.34 (svn r1162960 [1]) and Tomcat 6.0.34 (svn r1162959 [2]).

[1] http://svn.apache.org/viewvc?rev=1162960&view=rev
[2] http://svn.apache.org/viewvc?rev=1162959&view=rev

Comment 1 David Jorm 2011-09-12 14:01:27 UTC
Tomcat 5 as shipped with Red Hat Enterprise Linux 5 and tomcat 6 as shipped with Red Hat Enterprise Linux 6 are not affected by this flaw when using the default connector configuration. If tomcat native components (APR) are not present, tomcat 5 and 6 will fail over to using the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector, which is not vulnerable.

Comment 2 David Jorm 2011-09-14 07:29:26 UTC
There are three different AJP connectors shipped with Red Hat products:
org.apache.coyote.ajp.AjpProcessor (Coyote)
org.apache.jk.server.JkCoyoteHandler (JK)
org.apache.coyote.ajp.AjpAprProcessor (APR)

APR is only provided as part of tomcat-native, which is not shipped with Red Hat Enterprise Linux 5 and 6. This flaw affects major Red Hat products as follows:

Tomcat 5 (RHEL 5): Coyote not available, JK not affected. Product not affected.

Tomcat 5 (EWS 1): Coyote not available, JK not affected, APR affected. Product affected. Customers only affected if using tomcat-native.

Tomcat 6 (RHEL 6): Coyote affected. JK not affected. Product affected. Customers only affected if using Coyote, which is not the default and needs to be manually configured.

Tomcat 6 (EWS 1): Coyote affected, JK not affected, APR affected. Product affected.

JBoss Web: All products using JBoss Web are not affected. A patch made back in 2008 mitigated this vulnerability. Patch documented here:
https://issues.jboss.org/browse/JBWEB-117
Commit diff here:
http://source.jboss.org/changelog/JBossWeb/?cs=770

Comment 3 David Knox 2011-09-14 15:41:10 UTC
Next on the list.

Comment 8 David Jorm 2011-09-15 02:34:13 UTC
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 738502]

Comment 9 David Jorm 2011-09-15 02:34:19 UTC
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [bug 738501]

Comment 12 Jan Lieskovsky 2011-09-22 12:21:53 UTC
Updated mitigation options for Tomcat-5 from upstream:
======================================================

Mitigation options:

1) Upgrade to Tomcat 5.5.34.
2) Apply the appropriate patch.
3) Configure both Tomcat and the reverse proxy to use a shared secret.
   (This is the "request.secret" attribute on the AJP <Connector>, or the
   "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module
   currently does not support shared secrets.)
4) Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
   implementation.
   (It is automatically selected if you do not have the Tomcat-Native library
   installed. It can also be selected explicitly: <Connector
   protocol="org.apache.jk.server.JkCoyoteHandler">.)

Relevant patch mentioned in point 2):
http://svn.apache.org/viewvc?view=rev&rev=1162960

Updated mitigation options for Tomcat-6 from upstream:
======================================================

Mitigation options:

1) Upgrade to Tomcat 6.0.34.
2) Apply the appropriate patch.
3) Configure both Tomcat and the reverse proxy to use a shared secret.
   (This is the "request.secret" attribute on the AJP <Connector>, or the
   "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module
   currently does not support shared secrets.)
4) Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
   implementation.
   (It is automatically selected if you do not have the Tomcat-Native library
   installed. It can also be selected explicitly: <Connector
   protocol="org.apache.jk.server.JkCoyoteHandler">.)

Relevant patch mentioned in point 2):
http://svn.apache.org/viewvc?view=rev&rev=1162959

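The conditions in the description and mitigation options 3 and 4 above, shown as an added configuration example (not taken from the bug report or from upstream Tomcat's own documentation): the exposed AJP <Connector> as typically shipped, then the same connector with a shared secret (the mod_jk side carried in a comment), then the explicit JK (BIO) connector. The worker name "ajp13_worker", the loopback address and the secret value are placeholder assumptions.

```xml
<!-- server.xml, AJP connector as commonly shipped: no shared secret.
     Anything that can reach port 8009 can send AJP messages. With the
     affected Coyote/APR connectors a request-body packet could be
     treated as a fresh request (CVE-2011-3190). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Mitigation 3: require a shared secret on the Tomcat side.
     The secret below is a placeholder; generate a long random value.
     address="127.0.0.1" is an extra hardening step assumed here, not
     part of the upstream advice: it keeps the AJP port off the network
     when the proxy runs on the same host. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           request.secret="REPLACE_WITH_LONG_RANDOM_SECRET" />

<!-- The reverse proxy must present the same value. For mod_jk this is
     the worker's secret directive in workers.properties (worker name
     "ajp13_worker" assumed):

       worker.ajp13_worker.type=ajp13
       worker.ajp13_worker.host=127.0.0.1
       worker.ajp13_worker.port=8009
       worker.ajp13_worker.secret=REPLACE_WITH_LONG_RANDOM_SECRET

     mod_proxy_ajp had no shared-secret support at the time of this
     report, so option 3 requires mod_jk as the proxy module. -->

<!-- Mitigation 4: explicitly select the JK (BIO) connector, which the
     report states is not affected. This is also what Tomcat falls back
     to when the Tomcat-Native (APR) library is not installed. -->
<Connector port="8009" protocol="org.apache.jk.server.JkCoyoteHandler"
           redirectPort="8443" />
```

A quick way to confirm which variant is active is to check the connector class logged at Catalina startup, since a server.xml without an explicit protocol may silently pick the APR implementation once tomcat-native is installed.
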
Comment 13 errata-xmlrpc 2011-12-05 17:49:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1780 https://rhn.redhat.com/errata/RHSA-2011-1780.html

Comment 23 Coty Sutherland 2012-05-01 16:43:43 UTC
Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

Comment 24 David Jorm 2012-05-01 23:59:32 UTC
(In reply to comment #23)
> Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

An erratum for EWS 1.0.2 is in progress. It is currently awaiting QE.

Comment 25 errata-xmlrpc 2012-05-21 16:32:14 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html

Comment 26 errata-xmlrpc 2012-05-21 16:33:47 UTC
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html

Comment 27 errata-xmlrpc 2012-05-21 16:41:22 UTC
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html

Comment 28 errata-xmlrpc 2012-05-21 16:49:44 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html

