Bug 251527

Summary:	www-servers/tomcat [SECURITY] CVE-2008-2938 Apache Tomcat information disclosure vulnerability
Product:	Gentoo Linux	Reporter:	Mike Weissman <mike>
Component:	[OLD] Java	Assignee:	Java team <java>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://tomcat.apache.org/security.html
Whiteboard:
Package list:		Runtime testing required:	---

Description Mike Weissman 2008-12-18 19:59:09 UTC

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2

Severity: Important

Vendor:
Multiple (was The Apache Software Foundation)

Versions Affected:
Various

Description (new information):
This vulnerability was originally reported to the Apache Software Foundation as a Tomcat vulnerability. Investigations quickly identified that the root cause was an issue with the UTF-8 charset implementation within the JVM. The issue existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and Apache.

It was decided to continue to report this as a Tomcat vulnerability until such time as the JVM vendors had released fixed versions.

Unfortunately, the release of fixed JVMs and associated vulnerability disclosure has not been co-ordinated. There has been some confusion within the user community as to the nature and root cause of CVE-2008-2938. Therefore, the Apache Tomcat Security Team is issuing this update to clarify the situation.

Mitigation:
Contact your JVM vendor for further information.
Tomcat users may upgrade as follows to a Tomcat version that contains a
workaround:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should upgrade to 4.1.39

Credit:
This additional information was discovered by the Apache security team.

References:
http://tomcat.apache.org/security.html

The current "work around" is implemented in certain Tomcat Versions, thus some of effected ebuilds should be masked:

Should Be Masked:
tomcat-5.5.26
tomcat-6.0.16

Are Fine:
tomcat-5.5.27-r1
tomcat-6.0.18-r1

Reproducible: Always

Steps to Reproduce:
If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files on the server. If the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files within the docBase of a context such as web.xml. It should also be noted that setting useBodyEncodingForURI="true" has the same effect as setting URIEncoding="UTF-8" when processing requests with bodies encoded with UTF-8.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-12-18 21:09:39 UTC

I'm not entirely sure what this bug is about. We accepted CVE-2008-2938 to be an issue within Tomcat (as did upstream) and resolved it with updates to 6.0.18 and 5.5.27 per bug 225477.

Is there any news I am missing (except that the old ebuilds might not have been removed yet)?

Comment 2 Mike Weissman 2008-12-18 21:39:57 UTC

(In reply to comment #1)
> I'm not entirely sure what this bug is about. We accepted CVE-2008-2938 to be
> an issue within Tomcat (as did upstream) and resolved it with updates to 6.0.18
> and 5.5.27 per bug 225477.
> 
> Is there any news I am missing (except that the old ebuilds might not have been
> removed yet)?
> 
I read the other bug, and i felt that requesting that the effected packages be masked or at least marked unstable would be highjacking the closed bug.

Also the Tomcat team is still unsure of: "the release of fixed JVMs and associated vulnerability disclosure has not been co-ordinated." So I didn't feel that issue was actually completely done with. 

Thanks,
Mike

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2009-01-13 17:56:56 UTC

Old versions are marked vulnerable by GLSA, removal is subject to java team guidelines.

Comment 4 Petteri Räty (RETIRED) gentoo-dev

2009-01-13 19:30:34 UTC

(In reply to comment #3)
> Old versions are marked vulnerable by GLSA, removal is subject to java team
> guidelines.
> 

Old ebuilds nuked so I guess we are done here.