
Bug 627514 (CVE-2017-7674)

Summary: <www-servers/tomcat-{7.0.79, 8.0.45}: Apache Tomcat Cache Poisoning (CVE-2017-7674)
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bz.apache.org/bugzilla/show_bug.cgi?id=61101
Whiteboard: B3 [noglsa cve]
Package list:
www-servers/tomcat-7.0.79 www-servers/tomcat-8.0.45 dev-java/tomcat-servlet-api-7.0.79 dev-java/tomcat-servlet-api-8.0.45
Runtime testing required: No

Description D'juan McDonald (domhnall) 2017-08-11 04:16:34 UTC
From $URL:

The Tomcat CorsFilter does not add a Vary header to the response to indicate that the response can vary for different values of the Origin header in the request. This poses problems for caches, as they can yield cached Tomcat responses where they shouldn't because they don't know that a different Origin value may yield a different response.

The filter should add the Origin value to the Vary header of the response.

Per the CORS standard (https://www.w3.org/TR/cors/#resource-implementation):
"Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins."

Found this on multiple versions of the Tomcat CorsFilter (7, 8.0 and 8.5). A quick code inspection shows that this isn't present in /trunk either.

Found with multiple Java versions, at least including Oracle JDK 8u131 64-bit on Windows 10 64-bit. Seems to be unrelated to the connectors (found on the HTTP NIO and BIO connectors).

To reproduce, enable the CorsFilter in Tomcat's web.xml, and send an HTTP request that includes both a Host and an Origin header, where the Origin should be different than the Host, and should be a value that is configured to be allowed by the CorsFilter. Inspect the response headers. A 'Vary: Origin' header should be in the response, but isn't.

Gentoo Security Scout
MBailey_J
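As an added illustration (not part of this bug report and not Tomcat's own code), the following Python models the caching problem the report describes and includes the "Vary: Origin" header check from the reproduction step. The allowed origins, the URL, the request headers and the cache logic are all constructed for the example; a real shared cache is more elaborate, but the selection rule for Vary is the same.

```python
"""Added example: why a CORS response without 'Vary: Origin' can be served
from a shared cache to a request from a different origin, and the header
check a tester applies to the response (see the reproduction step above).
All names and values below are constructed for illustration."""

from typing import Callable, Dict, List, Optional, Tuple

# Constructed: origins the CORS filter is configured to allow.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_response(origin: Optional[str], emit_vary: bool) -> Dict[str, str]:
    """Simulate a CorsFilter-like resource handler.

    With emit_vary=False this mirrors the behaviour the report describes:
    Access-Control-Allow-Origin is generated per request, but no Vary header
    tells caches that the response depends on the Origin request header.
    """
    headers = {"Content-Type": "application/json"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    if emit_vary:
        headers["Vary"] = "Origin"
    return headers


def vary_includes_origin(headers: Dict[str, str]) -> bool:
    """The check from the reproduction step: does Vary list Origin?

    Header names are case-insensitive and Vary is a comma-separated list,
    so 'Vary: Accept-Encoding, Origin' must also count as present.
    """
    for name, value in headers.items():
        if name.lower() == "vary":
            return any(v.strip().lower() == "origin" for v in value.split(","))
    return False


class SharedCache:
    """A simplified shared HTTP cache that honours Vary when matching entries.

    Each stored entry remembers the request header values named by the
    response's Vary header; a later request only hits if those values match.
    With no Vary header there is nothing to compare, so any request hits.
    """

    def __init__(self) -> None:
        self.entries: Dict[str, List[Tuple[Dict[str, Optional[str]], Dict[str, str]]]] = {}
        self.hits = 0
        self.misses = 0

    def fetch(self, url: str, req_headers: Dict[str, str],
              origin_server: Callable[[Optional[str]], Dict[str, str]]) -> Dict[str, str]:
        req = {k.lower(): v for k, v in req_headers.items()}
        for selecting, resp in self.entries.get(url, []):
            if all(req.get(h) == v for h, v in selecting.items()):
                self.hits += 1
                return resp
        self.misses += 1
        resp = origin_server(req.get("origin"))
        vary = resp.get("Vary", "")
        selecting = {h.strip().lower(): req.get(h.strip().lower())
                     for h in vary.split(",") if h.strip()}
        self.entries.setdefault(url, []).append((selecting, resp))
        return resp


def demonstrate(emit_vary: bool) -> Tuple[Optional[str], Optional[str], int]:
    """Two browsers on different allowed origins fetch the same URL through
    one shared cache. Returns the ACAO header each one received and the
    number of cache hits."""
    cache = SharedCache()
    server = lambda origin: cors_response(origin, emit_vary)
    first = cache.fetch("/api/data",
                        {"Host": "api.example", "Origin": "https://app.example"}, server)
    second = cache.fetch("/api/data",
                         {"Host": "api.example", "Origin": "https://admin.example"}, server)
    return (first.get("Access-Control-Allow-Origin"),
            second.get("Access-Control-Allow-Origin"),
            cache.hits)


if __name__ == "__main__":
    # Without Vary the second origin is handed the first origin's ACAO value.
    print("no Vary:  ", demonstrate(False))
    # With 'Vary: Origin' each origin gets its own freshly generated response.
    print("Vary set: ", demonstrate(True))
```

Running the module shows the second browser receiving `Access-Control-Allow-Origin: https://app.example` from the cache when Vary is absent, and its own origin when Vary is set; `vary_includes_origin` is the assertion to make against the real response headers when reproducing the report against a Tomcat instance.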
Comment 1 D'juan McDonald (domhnall) 2017-08-22 13:03:42 UTC
@security,
Comment 2 D'juan McDonald (domhnall) 2017-08-22 13:11:10 UTC
@maintainer(s), please call for stabilization and/or follow procedure to close on report. Thank You.

Daj'Uan (mbailey_J)
Gentoo Security Scout
Comment 3 Miroslav Šulc gentoo-dev 2017-08-22 18:28:00 UTC
I stabilized slots 7 and 8 on amd64:

commit acbf4a912e859f8a7361d419544fde06ca45462e (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Aug 22 20:24:42 2017 +0200

    www-servers/tomcat: marked stable amd64 per bug #627514
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 www-servers/tomcat/tomcat-7.0.79.ebuild | 2 +-
 www-servers/tomcat/tomcat-8.0.45.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 720ce827120c44680530f02f912f50d1482badf5
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Aug 22 20:23:40 2017 +0200

    dev-java/tomcat-servlet-api: marked stable amd64 per bug #627514
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.79.ebuild | 2 +-
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.45.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


but I don't have access to an x86 machine, though I suppose it should work as well.
Comment 4 D'juan McDonald (domhnall) 2017-08-22 18:39:51 UTC
@fordfrog, thank you... @arches, please test to stabilize, thank you.
Comment 5 D'juan McDonald (domhnall) 2017-08-22 22:21:20 UTC
@Security, please follow procedure to close on report, thank you.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-29 20:44:55 UTC
x86 stable
Comment 7 Miroslav Šulc gentoo-dev 2017-09-10 06:32:52 UTC
I've just removed the old affected versions from the tree:

commit 55b14158b82577af855f072f5120628b6d4db2de (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Sun Sep 10 08:24:24 2017 +0200

    dev-java/tomcat-servlet-api: removed old versions
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

dev-java/tomcat-servlet-api/Manifest
dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.77.ebuild
dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.43.ebuild

commit 96b634bd2d58335c66299b60325ec5d70f608b6f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Sun Sep 10 08:20:46 2017 +0200

    www-servers/tomcat: removed old security affected versions
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

www-servers/tomcat/Manifest
www-servers/tomcat/files/tomcat-7.0.77-build.xml.patch
www-servers/tomcat/files/tomcat-8.0.43-build.xml.patch
www-servers/tomcat/tomcat-7.0.77.ebuild
www-servers/tomcat/tomcat-8.0.43.ebuild
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-09-10 06:54:37 UTC
Maintainer(s), Thank you for your work.
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].