Bug 710656 (CVE-2020-1938)

Summary:	<www-servers/tomcat-{7.0.100,8.5.51}: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	java
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.cnvd.org.cn/webinfo/show/5415
Whiteboard:	B2 [glsa+ cve]
Package list:	=dev-java/tomcat-servlet-api-9.0.31 amd64 =dev-java/tomcat-servlet-api-8.5.51 amd64 ppc64 x86 =dev-java/tomcat-servlet-api-7.0.100 amd64 x86 =www-servers/tomcat-8.5.51 amd64 =www-servers/tomcat-7.0.100 amd64	Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2020-02-24 13:29:32 UTC

From https://bugzilla.redhat.com/1806398 :
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in
Apache Tomcat. This is enabled by default with a default configuration port of
8009. A remote, unauthenticated attacker could exploit this vulnerability to
read web application files from a vulnerable server. In instances where the
vulnerable server allows file uploads, an attacker could upload malicious
JavaServer Pages (JSP) code within a variety of file types and trigger this
vulnerability to gain remote code execution (RCE).


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Miroslav Šulc gentoo-dev

2020-02-27 23:48:13 UTC

please stabilize the mentioned packages so i can remove the affected ones.

i did some basic testing on my production servers and all seems fine. there is one change though related to ajp connectors which do not work in default configuration but that is intended by upstream so not really an issue. it just requires users to adjust server configuration. but they should follow changelogs anyway.

Comment 2 Agostino Sarubbo gentoo-dev

2020-02-28 14:12:45 UTC

amd64 stable

Comment 3 Larry the Git Cow gentoo-dev

2020-02-28 16:13:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44c7742044198a985fc81163b590ce0ca15e2bdf

commit 44c7742044198a985fc81163b590ce0ca15e2bdf
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-02-28 16:12:48 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-02-28 16:13:10 +0000

    www-servers/tomcat: removed old vulnerable
    
    Bug: https://bugs.gentoo.org/710656
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   2 -
 www-servers/tomcat/tomcat-7.0.96.ebuild | 146 -----------------------------
 www-servers/tomcat/tomcat-8.5.47.ebuild | 158 --------------------------------
 3 files changed, 306 deletions(-)

Comment 4 Agostino Sarubbo gentoo-dev

2020-02-28 17:50:55 UTC

x86 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-03-02 12:40:38 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 6 Miroslav Šulc gentoo-dev

2020-03-03 18:56:03 UTC

thanks for stabilization. we are clean now:

$ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    https://tomcat.apache.org/
Location:    /usr/portage/www-servers/tomcat
Keywords:    7.0.100:7: amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.5.51:8.5: amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
Keywords:    9.0.31:9: ~amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
License:     Apache-2.0

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-19 16:55:21 UTC

New GLSA request filed.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2020-03-19 17:18:24 UTC

This issue was resolved and addressed in
 GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43
by GLSA coordinator Thomas Deutschmann (whissi).