Bug 1493222 (CVE-2017-12616) - CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext
Summary: CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-12616
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1493224 1493225
Blocks: 1493229
Reported: 2017-09-19 16:10 UTC by Adam Mariš
Modified: 2021-02-17 01:29 UTC

Fixed In Version: tomcat 7.0.81
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-20 21:16:30 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0465 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update 2018-03-07 20:09:54 UTC
Red Hat Product Errata RHSA-2018:0466 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update 2018-03-07 20:21:52 UTC

Description Adam Mariš 2017-09-19 16:10:55 UTC
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Affected versions: 7.0.0 to 7.0.80

Upstream patch:

https://svn.apache.org/viewvc?view=revision&revision=1804729

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
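
As an added example (not part of this bug record, Red Hat's advisories or Tomcat's code), a small audit that applies the affected range 7.0.0 to 7.0.80 and the fix version 7.0.81 from the description to a deployment's version string and context.xml. The Tomcat 7 class name org.apache.naming.resources.VirtualDirContext is assumed, and the sample context.xml is constructed.

```python
"""Added audit example (not Red Hat's or Tomcat's code): flag a Tomcat 7
deployment that configures VirtualDirContext while running a version in
the affected range 7.0.0-7.0.80 (fixed in 7.0.81)."""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (7, 0, 0)
FIXED_IN = (7, 0, 81)
# Tomcat 7 implementation class; assumed here, check it against your own context.xml.
VDC_CLASS = "org.apache.naming.resources.VirtualDirContext"

# Constructed sample context.xml of the kind used for IDE-based development.
SAMPLE_CONTEXT_XML = """<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/=/home/dev/myapp/src/main/webapp" />
</Context>
"""

def parse_version(text):
    """'7.0.80' or '7.0.80.redhat-1' -> (7, 0, 80); ValueError if unparsable."""
    nums = re.findall(r"\d+", text)
    if len(nums) < 3:
        raise ValueError(f"unexpected Tomcat version string: {text!r}")
    return tuple(int(n) for n in nums[:3])

def version_is_affected(version):
    """True for 7.0.0 <= version < 7.0.81, the range given in the bug."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

def uses_virtual_dir_context(context_xml):
    """True if any <Resources> element selects the VirtualDirContext class."""
    root = ET.fromstring(context_xml)
    return any(el.get("className") == VDC_CLASS for el in root.iter("Resources"))

def assess(version, context_xml):
    """Combine both checks into a single finding string."""
    vdc = uses_virtual_dir_context(context_xml)
    if vdc and version_is_affected(version):
        return (f"VULNERABLE: VirtualDirContext on Tomcat {version} (CVE-2017-12616); "
                "upgrade to 7.0.81 or later, or remove VirtualDirContext")
    if vdc:
        # Patched, but the statement in this bug says the feature is development-only.
        return "WARNING: VirtualDirContext is a development-only feature; remove it in production"
    return "OK: VirtualDirContext not configured"

if __name__ == "__main__":
    print(assess("7.0.80", SAMPLE_CONTEXT_XML))
```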

Comment 1 Adam Mariš 2017-09-19 16:11:32 UTC
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1493224]


Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1493225]

Comment 3 Jason Shepherd 2017-09-21 01:06:47 UTC
VirtualDirContext is not designed to be used in production. Also, because the information disclosed is only the source code for JSPs, setting this issue to WONTFIX.

Comment 6 Doran Moppert 2017-09-25 05:33:24 UTC
Statement:

VirtualDirContext is not designed to be used in production, but only to ease development with IDEs without needing to fully republish jars in WEB-INF/lib.

Comment 7 Doran Moppert 2017-10-03 01:52:54 UTC
Tomcat 5, provided with Red Hat Enterprise Linux 5, is not affected by this issue.

Comment 8 errata-xmlrpc 2018-03-07 15:10:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465

Comment 9 errata-xmlrpc 2018-03-07 15:24:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466

Comment 12 Joshua Padman 2019-08-06 04:32:48 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Web Server 3 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 13 Product Security DevOps Team 2020-05-20 21:16:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-12616
