
Bug 615868 (CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651)

Summary: <www-servers/tomcat-{7.0.77,8.0.43,8.5.13}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa cve]
Package list: www-servers/tomcat-7.0.77 www-servers/tomcat-8.0.43
Runtime testing required: ---

Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-04-29 02:23:14 UTC
CVE ID: CVE-2017-5650
Summary: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
Published: 2017-04-17T16:59:00.000Z

______________________________

CVE ID: CVE-2017-5651
Summary: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.
Published: 2017-04-17T16:59:00.000Z

______________________________

CVE ID: CVE-2017-5647
Summary: A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
Published: 2017-04-17T16:59:00.000Z

______________________________

CVE ID: CVE-2017-5648
Summary: While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
Published: 2017-04-17T16:59:00.000Z
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-04-29 02:27:51 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-06 12:54:56 UTC
@ Arches,

please test and mark stable:

=www-servers/tomcat-7.0.77
=www-servers/tomcat-8.0.43
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-06 14:52:07 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-06 17:21:05 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 06:15:29 UTC
Added to an existing GLSA Request.
Maintainer(s), please drop the vulnerable version(s).
Comment 7 Miroslav Šulc gentoo-dev 2017-05-09 13:29:14 UTC
commit 0294da2621bb358a30caa4f13f8e5a3ccdfc0950
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue May 9 15:26:32 2017 +0200

    dev-java/tomcat-servlet-api: removed vulnerable versions per bug #615868
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 dev-java/tomcat-servlet-api/Manifest                         |  8 --------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.73.ebuild | 38 --------------------------------------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.75.ebuild | 38 --------------------------------------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.76.ebuild | 38 --------------------------------------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.39.ebuild | 35 -----------------------------------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.41.ebuild | 35 -----------------------------------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.5.11.ebuild | 39 ---------------------------------------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.5.12.ebuild | 39 ---------------------------------------
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.5.9.ebuild  | 39 ---------------------------------------
 9 files changed, 309 deletions(-)

commit d4326129c72bcf9e3190c0ed148687ae4a5b6fc6
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue May 9 15:22:43 2017 +0200

    www-servers/tomcat: removed vulnerable versions per bug #615868
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 www-servers/tomcat/Manifest                            |   8 ------
 www-servers/tomcat/files/tomcat-7.0.73-build.xml.patch | 149 -----------------------------------------------------------------------------------------------------
 www-servers/tomcat/files/tomcat-7.0.75-build.xml.patch | 149 -----------------------------------------------------------------------------------------------------
 www-servers/tomcat/files/tomcat-7.0.76-build.xml.patch | 149 -----------------------------------------------------------------------------------------------------
 www-servers/tomcat/files/tomcat-8.0.39-build.xml.patch | 259 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 www-servers/tomcat/files/tomcat-8.0.41-build.xml.patch | 259 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 www-servers/tomcat/files/tomcat-8.5.11-build.xml.patch | 250 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 www-servers/tomcat/files/tomcat-8.5.12-build.xml.patch | 250 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 www-servers/tomcat/files/tomcat-8.5.9-build.xml.patch  | 250 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-7.0.73.ebuild                | 148 ----------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-7.0.75.ebuild                | 148 ----------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-7.0.76.ebuild                | 148 ----------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-8.0.39.ebuild                | 157 ----------------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-8.0.41.ebuild                | 157 ----------------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-8.5.11.ebuild                | 157 ----------------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-8.5.12.ebuild                | 157 ----------------------------------------------------------------------------------------------------------
 www-servers/tomcat/tomcat-8.5.9.ebuild                 | 157 ----------------------------------------------------------------------------------------------------------
 17 files changed, 2952 deletions(-)
Comment 8 Miroslav Šulc gentoo-dev 2017-05-09 14:23:17 UTC
After removing the old vulnerable versions I was notified that I broke the tree. The reason was that I removed both vulnerable versions of tomcat and the related tomcat-servlet-api, which were not stabilized (but should have been). So I marked them as stable too:

commit 5fc95911b3bba9c81fd438e6a5f33911e62d8fb6
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue May 9 16:09:32 2017 +0200

    dev-java/tomcat-servlet-api: stabilized tomcat-servlet-api-7.0.77 and tomcat-servlet-api-8.0.43 as these should be stabilized with related tomcat versions (as per bug #615868)
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.77.ebuild | 2 +-
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.43.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2017-05-16 05:38:36 UTC
Maintainer(s), Thank you for your work.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-05-18 02:02:44 UTC
This issue was resolved and addressed in
 GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09
by GLSA coordinator Yury German (BlueKnight).