
Bug 382043 (CVE-2011-3190)

Summary: <www-servers/tomcat-6.0.35 Authentication bypass and information disclosure (CVE-2011-3190)
Product: Gentoo Security
Reporter: daavelino
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3190
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 395933    
Bug Blocks: 322979    

Description daavelino 2011-09-06 13:07:22 UTC
As in NVD: Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
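The NVD text above names three inclusive version ranges. The following helper, added here as an example and not part of the Gentoo bug, of Tomcat, or of any Gentoo tooling, parses a Tomcat version string (a bare `6.0.33` or a `Server`-header style `Apache Tomcat/6.0.33`) and reports whether it falls inside one of those ranges. It covers only the ranges NVD lists explicitly; the "possibly other versions" caveat in the advisory is not something a version comparison can resolve, so an unlisted version is reported as not matching, not as safe.

```python
"""Classify Apache Tomcat version strings against the ranges NVD lists
for CVE-2011-3190 (added example; not code from the bug or from Tomcat)."""

import re

# Inclusive (low, high) ranges taken from the NVD description quoted in the bug.
AFFECTED_RANGES = (
    ((7, 0, 0), (7, 0, 20)),
    ((6, 0, 0), (6, 0, 33)),
    ((5, 5, 0), (5, 5, 33)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z triple from a version or Server-header string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True when the version lies inside one of the NVD-listed ranges.

    Tuple comparison is lexicographic, so (6, 0, 35) > (6, 0, 33) as intended
    and 6.0.35 (the fixed Gentoo version) is correctly reported as not listed.
    """
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(version_strings):
    """Map each input string to its affected/not-listed verdict."""
    return {text: is_affected(text) for text in version_strings}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. values scraped from Server headers.
    sample = ["Apache Tomcat/6.0.33", "6.0.35", "7.0.20", "7.0.21", "5.5.33", "8.0.0"]
    for text, hit in triage(sample).items():
        print(f"{text:24} {'AFFECTED (listed range)' if hit else 'not in listed ranges'}")
```

Because the ranges are inclusive on both ends, the boundary releases 7.0.20, 6.0.33 and 5.5.33 match, while the first fixed releases named in the thread (7.0.21, 6.0.35) do not.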
Comment 1 Miroslav Šulc gentoo-dev 2011-09-06 16:13:38 UTC
It's already fixed in Tomcat 7.0.21, but I can see no fix for the tomcat:6 series nor the tomcat:5.5 series. Should the affected versions be removed once the fixes are available?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-09-07 16:00:40 UTC
(In reply to comment #1)
> It's already fixed in Tomcat 7.0.21, but I can see no fix for the tomcat:6 series
> nor the tomcat:5.5 series. Should the affected versions be removed once the fixes
> are available?

Yes, please. Do you happen to have an ETA for a fixed 6.0 and 5.5?
Comment 3 Miroslav Šulc gentoo-dev 2011-09-07 17:18:57 UTC
No, I have no ETA; it depends on upstream when they are going to release the fixes, and I have no idea if there is any ETA from their side or not.

For now, I just removed tomcat:7 < 7.0.21 and the related tomcat-servlet-api.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-09-07 17:23:40 UTC
(In reply to comment #3)
> No, I have no ETA; it depends on upstream when they are going to release the
> fixes, and I have no idea if there is any ETA from their side or not.
> 

Ok. We'll just wait for the fixed versions and then do stabilization etc (like always).

> For now, I just removed tomcat:7 < 7.0.21 and the related tomcat-servlet-api.

Thank you.
Comment 5 Paul B. Henson 2011-09-07 21:09:01 UTC
There are patches available that could apply to the current versions:

- 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
- 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev

If you wanted to include those for the current version ebuilds while waiting for a new fixed version to be released...
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:47:44 UTC
CVE-2011-3190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3190):
  Certain AJP protocol connector implementations in Apache Tomcat 7.0.0
  through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly
  other versions allow remote attackers to spoof AJP requests, bypass
  authentication, and obtain sensitive information by causing the connector to
  interpret a request body as a new request.
Comment 7 Miroslav Šulc gentoo-dev 2011-12-24 19:56:53 UTC
6.0.35 is now in tree and fixes CVE-2011-3190. stabilization request filed.
Comment 8 Miroslav Šulc gentoo-dev 2011-12-24 20:32:13 UTC
Tomcat 5.5.x has been removed from the main tree because it is heading to its EOL on 2012-09-30 and it is unmaintained on our side (all the effort goes to the 6.x and 7.x releases). Tomcat 5.5.x has been moved to java-overlay for those that still need it.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-03-13 21:57:47 UTC
Thanks, folks. GLSA Vote: yes.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-23 13:28:06 UTC
On existing GLSA request.
Comment 11 Miroslav Šulc gentoo-dev 2012-03-25 20:25:54 UTC
No affected version in the tree anymore.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:12:55 UTC
This issue was resolved and addressed in GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml by GLSA coordinator Tobias Heinlein (keytoaster).