[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
- To: Mark Thomas <markt@xxxxxxxxxx>
- Subject: Re: [Full-disclosure] [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
- From: Henri Salo <henri@xxxxxxx>
- Date: Wed, 31 Aug 2011 13:22:51 +0300
On Mon, Aug 29, 2011 at 08:52:00PM +0100, Mark Thomas wrote:
> CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Tomcat 7.0.0 to 7.0.20
> - Tomcat 6.0.0 to 6.0.33
> - Tomcat 5.5.0 to 5.5.33
> - Earlier, unsupported versions may also be affected
>
> Description:
> Apache Tomcat supports the AJP protocol which is used with reverse
> proxies to pass requests and associated data about the request from the
> reverse proxy to Tomcat. The AJP protocol is designed so that when a
> request includes a request body, an unsolicited AJP message is sent to
> Tomcat that includes the first part (or possibly all) of the request
> body. In certain circumstances, Tomcat did not process this message as a
> request body but as a new request. This permitted an attacker to have
> full control over the AJP message which allowed an attacker to (amongst
> other things):
> - insert the name of an authenticated user
> - insert any client IP address (potentially bypassing any client IP
> address filtering)
> - trigger the mixing of responses between users
>
> The following AJP connector implementations are not affected:
> org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)
>
> The following AJP connector implementations are affected:
>
> org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
> org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
> org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)
>
> Further, this issue only applies if all of the following are are true
> for at least one resource:
> - POST requests are accepted
> - The request body is not processed
>
>
> Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations:
> - Upgrade to a version of Apache Tomcat that includes a fix for this
> issue when available
> - Apply the appropriate patch
> - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
> - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
> - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
> - Configure the reverse proxy and Tomcat's AJP connector(s) to use the
> requiredSecret attribute
> - Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
> available for Tomcat 7.0.x)
>
> Credit:
> The issue was reported via Apache Tomcat's public issue tracker.
> The Apache Tomcat security team strongly discourages reporting of
> undisclosed vulnerabilities via public channels. All Apache Tomcat
> security vulnerabilities should be reported to the private security team
> mailing list: security@xxxxxxxxxxxxxxxxx
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
> https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
Do you have any information when the supported security release is going to be
announced? Patching production using diff from SVN is not usually very nice :)
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/