1265698 – (CVE-2015-5174) CVE-2015-5174 tomcat: URL Normalization issue

Bug 1265698 (CVE-2015-5174) - CVE-2015-5174 tomcat: URL Normalization issue

Summary: CVE-2015-5174 tomcat: URL Normalization issue

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-5174
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1265704 1273410 1311095 1311102 1315982 1315983 1347128 1347129 1351915 1367051 1367052
Blocks:	1265668 1311109
TreeView+	depends on / blocked

Reported:	2015-09-23 13:47 UTC by Timothy Walsh
Modified:	2021-02-17 04:54 UTC (History)
CC List:	13 users (show)
Fixed In Version:	tomcat 6.0.45, tomcat 7.0.65, tomcat 8.0.27
Doc Type:	Bug Fix
Doc Text:	A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.
Clone Of:
Environment:
Last Closed:	2019-06-08 02:43:42 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1432	normal	SHIPPED_LIVE	Critical: jboss-ec2-eap security, bug fix, and enhancement update	2016-07-18 23:41:10 UTC
Red Hat Product Errata	RHSA-2016:1433	normal	SHIPPED_LIVE	Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update	2016-07-18 23:44:33 UTC
Red Hat Product Errata	RHSA-2016:1434	normal	SHIPPED_LIVE	Critical: Red Hat JBoss Enterprise Application Platform update	2016-07-18 23:39:47 UTC
Red Hat Product Errata	RHSA-2016:1435	normal	SHIPPED_LIVE	Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update	2016-07-19 01:21:04 UTC
Red Hat Product Errata	RHSA-2016:2045	normal	SHIPPED_LIVE	Important: tomcat6 security and bug fix update	2016-10-11 00:38:52 UTC
Red Hat Product Errata	RHSA-2016:2599	normal	SHIPPED_LIVE	Moderate: tomcat security, bug fix, and enhancement update	2016-11-03 12:12:12 UTC

Description Timothy Walsh 2015-09-23 13:47:58 UTC

URL Normalisation issue

A directory traversal vulnerability exists in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 that allows a remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Comment 6 Andrej Nemec 2016-02-23 11:47:58 UTC

Public via:

http://seclists.org/bugtraq/2016/Feb/149

Upstream patches:

Tomcat6:

http://svn.apache.org/viewvc?view=revision&revision=1700900

Tomcat7:

http://svn.apache.org/viewvc?view=revision&revision=1696284
http://svn.apache.org/viewvc?view=revision&revision=1700898

Tomcat8:

http://svn.apache.org/viewvc?view=revision&revision=1696281
http://svn.apache.org/viewvc?view=revision&revision=1700897

Comment 7 Andrej Nemec 2016-02-23 11:52:07 UTC

When accessing resources via the ServletContext methods getResource()
getResourceAsStream() and getResourcePaths() the paths should be limited
to the current web application. The validation was not correct and paths
of the form "/.." were not rejected. Note that paths starting with
"/../" were correctly rejected.
This bug allowed malicious web applications running under a security
manager to obtain a directory listing for the directory in which the web
application had been deployed. This should not be possible when running
under a security manager. Typically, the directory listing that would be
exposed would be for $CATALINA_BASE/webapps.

External references:

http://seclists.org/bugtraq/2016/Feb/149

Comment 12 errata-xmlrpc 2016-07-18 19:07:05 UTC

This issue has been addressed in the following products:

   Red Hat JBoss Enterprise Application Platform

Via RHSA-2016:1435 https://rhn.redhat.com/errata/RHSA-2016-1435.html

Comment 13 errata-xmlrpc 2016-07-18 19:41:50 UTC

This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434

Comment 14 errata-xmlrpc 2016-07-18 19:42:31 UTC

This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432

Comment 15 errata-xmlrpc 2016-07-18 19:45:41 UTC

This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433

Comment 19 errata-xmlrpc 2016-10-10 20:42:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 20 errata-xmlrpc 2016-11-03 21:09:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

Note You need to log in before you can comment on or make changes to this bug.