|Summary:||www-servers/tomcat Multiple vulnerabilities (CVE-2007-5342 and others)|
|Product:||Gentoo Security|
|Reporter:||William L. Thomson Jr. (RETIRED) <wltjr>|
|Component:||Vulnerabilities|
|Assignee:||Gentoo Security <security>|
|Package list:|||
|Runtime testing required:||---|
|Bug Depends on:||176701|
Description William L. Thomson Jr. (RETIRED) 2007-12-23 19:51:15 UTC
CVE-2007-5342: Tomcat's default security policy is too open

Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
  Tomcat 5.5.9 to 5.5.25
  Tomcat 6.0.0 to 6.0.15
Description: The JULI logging component allows web applications to provide their own logging configurations. The default security policy does not restrict this configuration and allows an untrusted web application to add files or overwrite existing files where the Tomcat process has the necessary file permissions to do so.
Mitigation: Apply the following patch to the catalina.policy file
http://svn.apache.org/viewvc?rev=606594&view=rev
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
This patch is also included at the end of this announcement
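Added example, not part of this bug report, not Tomcat code and not the catalina.policy patch linked above: a small audit that reads a webapp-supplied logging.properties and flags every file handler whose target does not resolve under ${catalina.base}/logs, which is the write-anywhere behaviour the advisory describes. The property-key conventions are those of org.apache.juli.FileHandler (<handler>.directory / .prefix / .suffix) and java.util.logging.FileHandler (<handler>.pattern); the ${catalina.base} value /var/lib/tomcat-6 is a stand-in, and both sample configurations are constructed for the example.

```python
"""Audit a webapp's logging.properties for handlers that write outside the
container log directory (illustration for CVE-2007-5342; not Tomcat code)."""
import os
import re
from typing import Dict, List, Tuple

# Stand-in for ${catalina.base}; a real audit would take this from the
# environment or the init script (assumption, not a Gentoo default).
CATALINA_BASE = "/var/lib/tomcat-6"
LOGS_DIR = os.path.join(CATALINA_BASE, "logs")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: 'key = value' or 'key: value',
    '#'/'!' comment lines, backslash line continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def expand(value: str) -> str:
    """Expand the ${catalina.base}/${catalina.home} references JULI supports;
    unknown ${...} tokens are left in place so they show up in findings."""
    subst = {"catalina.base": CATALINA_BASE, "catalina.home": CATALINA_BASE}
    return re.sub(r"\$\{([^}]+)\}", lambda m: subst.get(m.group(1), m.group(0)), value)


def handler_targets(props: Dict[str, str]) -> Dict[str, str]:
    """Map each file-writing handler name to the directory it would write to."""
    targets: Dict[str, str] = {}
    for key, value in props.items():
        if key.endswith(".directory"):  # org.apache.juli.FileHandler
            name = key[: -len(".directory")]
            targets[name] = os.path.normpath(expand(value))
        elif key.endswith(".pattern"):  # java.util.logging.FileHandler
            name = key[: -len(".pattern")]
            # %h (user.home) and %t (java.io.tmpdir) stay literal and are
            # therefore reported, as they never resolve under LOGS_DIR.
            targets[name] = os.path.normpath(os.path.dirname(expand(value)) or ".")
    return targets


def is_under(path: str, root: str) -> bool:
    """True only for absolute paths inside root; relative directories resolve
    against the JVM working directory, so they are treated as outside."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.isabs(path) and (path == root or path.startswith(root + os.sep))


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (handler, resolved_directory) for every handler outside LOGS_DIR."""
    props = parse_properties(text)
    return [(name, target) for name, target in sorted(handler_targets(props).items())
            if not is_under(target, LOGS_DIR)]


# Constructed sample: a well-behaved WEB-INF/classes/logging.properties.
SAFE_CONFIG = """\
handlers = org.apache.juli.FileHandler
org.apache.juli.FileHandler.level = FINE
org.apache.juli.FileHandler.directory = ${catalina.base}/logs
org.apache.juli.FileHandler.prefix = myapp.
"""

# Constructed sample: handlers pointed outside the logs directory.
HOSTILE_CONFIG = """\
handlers = 1juli.org.apache.juli.FileHandler, 2jul.java.util.logging.FileHandler
1juli.org.apache.juli.FileHandler.directory = ${catalina.base}/logs/../conf
1juli.org.apache.juli.FileHandler.prefix = app.
1juli.org.apache.juli.FileHandler.suffix = .log
2jul.java.util.logging.FileHandler.pattern = %h/app%u.log
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("hostile", HOSTILE_CONFIG)):
        for handler, target in audit(cfg):
            print(f"{label}: {handler} writes to {target} (outside {LOGS_DIR})")
```

This is a detection-side check that complements, and does not replace, the policy fix: with the tightened catalina.policy and a security manager enabled, the writes these handlers attempt are refused at runtime; without a security manager (the situation comment 4 below describes on Gentoo) nothing stops them, so scanning deployed webapps for such configurations is the remaining control.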
Comment 1 William L. Thomson Jr. (RETIRED) 2007-12-23 19:53:04 UTC
Filed bug myself, upstream will correct defaults. I will apply changes ASAP. Kinda have existing issues with using security manager and default security policies as is. Thus dependency on other existing bug regarding those issues :) Pretty sure there will be a new release soon. Been waiting on that for another CVE bug for Tomcat as well. Both somewhat minor and moot IMHO, but will work and resolve them ASAP.
Comment 2 Robert Buchholz (RETIRED) 2007-12-23 20:05:56 UTC
Thanks for reporting. I assume the other CVE you mean is bug 196066.
Comment 3 Robert Buchholz (RETIRED) 2008-01-15 17:51:58 UTC
ping, what's the status here?
Comment 4 William L. Thomson Jr. (RETIRED) 2008-01-15 18:08:45 UTC
Haven't had a chance to work it. Not sure upstream has reacted. They have been talking about a release of both 5.5.x and 6.0.x for over a month now. Hopefully any day now a vote will take place and they will release a new version. So I can close the Tomcat webdav bug 196066 as well. Otherwise I need to go fetch their solution to that one, and this one from vc. Assuming both have been addressed in vc. HOWEVER, even when upstream addresses this issue specifically, it's kinda moot for us on Gentoo, because of bug 176701. Stuff doesn't even really work now, so if the default file is too open, it really means squat to us :) The default stuff doesn't work for us, and is WAY too locked down. I have to dial it in for split tomcat and etc. So not sure their default being too open even matters on Gentoo. Considering some of the default apps that ship don't have permissions or etc. in the default policy file. It's a mess, no time to resolve. Me personally I have had so many past headaches with using a security manager. I don't run one at all these days. Mostly for local protection anyway. Prevent devs from doing bad stuff in a container like System.exit() etc. To use as is, most would have to modify it for their needs anyway. I don't think I would GLSA this or etc. It's very minor and quite moot, IMHO. Kinda like the other bug 196066. Just filed the bug before someone else could ;)
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2008-01-15 20:16:51 UTC
Rerating as B4 since running untrusted webapps is a bad idea anyway.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2008-02-26 20:56:06 UTC
Any news on this one?
Comment 7 William L. Thomson Jr. (RETIRED) 2008-02-26 21:23:53 UTC
Well since this is basically an upstream bug, and we have new versions in tree 5.5.26/6.0.16, I believe the issue was addressed by upstream. Still doesn't address our bug 176701. But that's usability not security. Pretty sure we are good on this one. Can close, move on, etc.
Comment 8 Robert Buchholz (RETIRED) 2008-02-26 21:32:00 UTC
Upstream confirmed, this is fixed in 6.0.16 and 5.5.26, which are both stable targets in bug 196066. http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) 2008-02-27 08:03:19 UTC
Should we release a GLSA for this one along with 176701? I tend to vote NO.
Comment 10 Robert Buchholz (RETIRED) 2008-03-04 14:29:26 UTC
Sune, is that a no for the whole list of bugs listed at the above url, or just this one?
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2008-03-06 16:38:46 UTC
Hmmm reading the bug list again I tend to vote YES.
Comment 12 Robert Buchholz (RETIRED) 2008-03-21 02:25:52 UTC
Comment 13 Pierre-Yves Rofes (RETIRED) 2008-04-10 20:55:15 UTC
GLSA 200804-10, sorry for the delay.