Bug 621048 (CVE-2017-5664) - www-servers/tomcat: Security constraint bypass in error page mechanism
Summary: www-servers/tomcat: Security constraint bypass in error page mechanism
Status: RESOLVED OBSOLETE
Alias: CVE-2017-5664
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-06 15:57 UTC by Agostino Sarubbo
Modified: 2019-03-27 00:13 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2017-06-06 15:57:33 UTC
From ${URL} :

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.

If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.

Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1793470
https://svn.apache.org/viewvc?view=revision&revision=1793489

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1793469
https://svn.apache.org/viewvc?view=revision&revision=1793488

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
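The advisory quoted above gives two things a maintainer or administrator can act on: the affected version ranges, and the configuration that turns the defect into a real problem (a DefaultServlet that permits writes sitting behind a static custom error page). The following is an added example, not code from this bug, from Gentoo or from the Tomcat project. It checks a version string against the ranges stated in the advisory and audits a Tomcat `web.xml` for a DefaultServlet with `readonly` set to `false` together with error pages that point at static files. The `org.apache.catalina.servlets.DefaultServlet` class name and the `readonly` init-param (default `true`) are Tomcat's own; the list of extensions treated as "static" is a heuristic chosen for this example, and the two `web.xml` fragments are constructed samples.

```python
"""Exposure checks for CVE-2017-5664: affected-version test plus a web.xml audit
for a writable DefaultServlet combined with static error pages."""
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [("7.0.0", "7.0.77"), ("8.0.0.RC1", "8.0.43"), ("8.5.0", "8.5.14")]

# Heuristic (assumption of this example): error pages with these extensions are static files.
STATIC_EXTENSIONS = (".html", ".htm", ".txt")
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def version_key(version):
    """Sort key for Tomcat versions: numeric triple plus a pre-release marker,
    so that 8.0.0.RC1 orders before the final 8.0.0."""
    nums, pre = [], (1, 0)                 # (1, 0) marks a final release
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        elif part.upper().startswith("RC"):
            pre = (0, int(part[2:] or 0))  # release candidates sort before final
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums) + pre


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the XML namespace prefix


def _text(elem):
    return (elem.text or "").strip()


def audit_web_xml(xml_text):
    """Return findings: a DefaultServlet with readonly=false, and any static
    error page that such a servlet could overwrite or delete."""
    root = ET.fromstring(xml_text)
    findings, writable_default = [], False
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        name, cls, params = "?", "", {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = _text(child)
            elif tag == "servlet-class":
                cls = _text(child)
            elif tag == "init-param":
                kv = {_local(c.tag): _text(c) for c in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        # Tomcat's DefaultServlet defaults readonly to true; only an explicit false is a finding.
        if cls == DEFAULT_SERVLET_CLASS and params.get("readonly", "true").lower() == "false":
            writable_default = True
            findings.append(f"servlet '{name}': DefaultServlet readonly=false")
    for page in (e for e in root.iter() if _local(e.tag) == "error-page"):
        location = next((_text(c) for c in page if _local(c.tag) == "location"), "")
        if writable_default and location.lower().endswith(STATIC_EXTENSIONS):
            findings.append(f"static error page {location} is served by a writable DefaultServlet")
    return findings


# Constructed sample: the weak setting (writable DefaultServlet + static error page).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
</web-app>"""

# Constructed sample: the corrected setting (readonly left at its default of true).
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
</web-app>"""


if __name__ == "__main__":
    for v in ("7.0.77", "7.0.92", "8.0.0.RC1", "8.5.14", "8.5.31", "9.0.16"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("weak:", audit_web_xml(WEAK_WEB_XML))
    print("hardened:", audit_web_xml(HARDENED_WEB_XML))
```

Running the version check over the keywords in comment 1 below reports every version in the tree as outside the affected ranges, which is the same conclusion the maintainer reached; the `web.xml` audit is the complementary check for hosts that cannot upgrade immediately, since the advisory ties the damaging outcome to a write-enabled DefaultServlet.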
Comment 1 Miroslav Šulc gentoo-dev 2019-02-10 14:34:01 UTC
none of the affected versions is in the tree:

$ PORTDIR=/usr/src/gentoo.git/ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    https://tomcat.apache.org/
Location:    /usr/src/gentoo.git/www-servers/tomcat
Keywords:    7.0.92:7: amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.0.52:8: amd64
Keywords:    8.0.53:8: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    8.5.31:8.5: amd64
Keywords:    8.5.37:8.5: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
Keywords:    9.0.7:9: amd64
Keywords:    9.0.14:9: 
Keywords:    9.0.16:9: ~amd64 ~amd64-linux ~x86 ~x86-fbsd ~x86-linux ~x86-solaris
License:     Apache-2.0