Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 358607 (CVE-2011-1088)

Summary: <www-servers/tomcat-7.0.11: "@ServletSecurity" Annotation Security Bypass (CVE-2011-1088)
Product: Gentoo Security Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.11_(released_11_Mar_2011)
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-12 20:24:10 UTC 
Description
A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application not properly enforcing "@ServletSecurity" annotations when loading servlets. This can be exploited to e.g. bypass the security constraints specified via the annotations and disclose certain information.

The vulnerability is reported in versions 7.0.0 through 7.0.10.


Solution
Incompletely fixed in version 7.0.10. As a workaround, update to version 7.0.10 and specify at least one security constraint in web.xml.

http://secunia.com/advisories/43684/

http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.11_(released_11_Mar_2011)
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-12 20:26:23 UTC 
Maintainers, this vulnerability is for tomcat-7.x only. Could you just remove vulnerable 7.x ebuilds from the tree? Thank you.
Comment 2 Miroslav Šulc gentoo-dev 2011-03-13 00:09:19 UTC 
done, only 7.0.11 left in tree
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-03-13 00:54:32 UTC 
Thanks, but next time please don't close the bug.