Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 203169 (CVE-2007-5342) - www-servers/tomcat Multiple vulnerabilities (CVE-2007-5342 and others)
Summary: www-servers/tomcat Multiple vulnerabilities (CVE-2007-5342 and others)
Status: RESOLVED FIXED
Alias: CVE-2007-5342
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://marc.info/?l=tomcat-dev&m=1198...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 176701
Blocks:
  Show dependency tree
 
Reported: 2007-12-23 19:51 UTC by William L. Thomson Jr. (RETIRED)
Modified: 2008-04-10 20:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description William L. Thomson Jr. (RETIRED) gentoo-dev 2007-12-23 19:51:15 UTC
CVE-2007-5342: Tomcat's default security policy is too open

Severity:
Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict this
configuration and allows an untrusted web application to add files or
overwrite existing files where the Tomcat process has the necessary file
permissions to do so.

Mitigation:
Apply the following patch to the catalina.policy file
http://svn.apache.org/viewvc?rev=606594&view=rev
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
This patch is also included at the end of this announcement
Comment 1 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-12-23 19:53:04 UTC
Filed bug myself, upstream will correct defaults. I will apply changes ASAP. Kinda have existing issues with using security manager and default security policies as is. Thus dependency on other existing bug regarding those issues :) Pretty sure there will be a new release soon. Been waiting on that for another CVE bug for Tomcat as well. Both some what minor and moot IMHO, but will work and resolve them ASAP.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-23 20:05:56 UTC
Thanks for reporting. I assume the other CVE you mean is bug 196066.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 17:51:58 UTC
ping, what's the status here?
Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-01-15 18:08:45 UTC
Haven't had a chance to work it. Not sure upstream has reacted. They have been talking about a release of both 5.5.x and 6.0.x for over a month now. Hopefully any day now a vote will take place and they will release a new version. So I can close the Tomcat webdav bug 196066 as well. Otherwise I need to go fetch their solution to that one, and this one from vc. Assuming both have been addressed in vc.

HOWEVER, even when upstream addresses this issue specifically. It's kinda moot for us on Gentoo, because of bug 176701. Stuff doesn't even really work now, so if default file is to open. Really means squat to us :) The default stuff doesn't work for us, and is WAY to locked down. I have to dial it in for split tomcat and etc. So not sure their default being to open even matters on Gentoo. Considering the some of the default apps that ship don't have permissions or etc in the default policy file. It's a mess, no time to resolve.

Me personally I have had so many past headaches with using a security manager. I don't run one at all these days. Mostly for local protection anyway. Prevent devs from doing bad stuff in a container like System.exit() etc.

To use as is, most would have to modify it for their needs anyway. I don't think I would GLSA this or etc. It's very minor and quite moot, IMHO. Kinda like the other bug 196066. 

Just filed the bug before someone else could ;)
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-15 20:16:51 UTC
Rerating as B4 since running untrusted webapps is a bad idea anyway.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:56:06 UTC
Any news on this one?
Comment 7 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-26 21:23:53 UTC
Well since this is basically an upstream bug, and we have new versions in tree 5.5.26/6.0.16. I believe the issue was address by upstream. Still doesn't address our bug 176701. But that's usability not security. Pretty sure we are good on this one. Can close, move on, etc.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 21:32:00 UTC
Upstream confirmed, this is fixed in 6.0.16 and 5.5.26, which are both stable targets in bug 196066.

http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-27 08:03:19 UTC
Should we release a GLSA for this one along with 176701? I tend to vote NO.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 14:29:26 UTC
Sune, is that a no for the whole list of bugs listed at the above url, or just this one?
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-03-06 16:38:46 UTC
Hmmm reading the bug list again I tend to vote YES.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:25:52 UTC
YES, filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-10 20:55:15 UTC
GLSA 200804-10, sorry for the delay.