Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 358607 (CVE-2011-1088) - <www-servers/tomcat-7.0.11: "@ServletSecurity" Annotation Security Bypass (CVE-2011-1088)
Summary: <www-servers/tomcat-7.0.11: "@ServletSecurity" Annotation Security Bypass (CV...
Status: RESOLVED FIXED
Alias: CVE-2011-1088
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://tomcat.apache.org/security-7.h...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-12 20:24 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-03-13 00:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-12 20:24:10 UTC
Description
A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application not properly enforcing "@ServletSecurity" annotations when loading servlets. This can be exploited to e.g. bypass the security constraints specified via the annotations and disclose certain information.

The vulnerability is reported in versions 7.0.0 through 7.0.10.


Solution
Incompletely fixed in version 7.0.10. As a workaround, update to version 7.0.10 and specify at least one security constraint in web.xml.

http://secunia.com/advisories/43684/

http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.11_(released_11_Mar_2011)
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-12 20:26:23 UTC
Maintainers, this vulnerability is for tomcat-7.x only. Could you just remove vulnerable 7.x ebuilds from the tree? Thank you.
Comment 2 Miroslav Šulc gentoo-dev 2011-03-13 00:09:19 UTC
done, only 7.0.11 left in tree
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-03-13 00:54:32 UTC
Thanks, but next time please don't close the bug.