Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710656 (CVE-2020-1938) - <www-servers/tomcat-{7.0.100,8.5.51}: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938)
Summary: <www-servers/tomcat-{7.0.100,8.5.51}: Ghostcat - Apache Tomcat AJP File Read/...
Status: RESOLVED FIXED
Alias: CVE-2020-1938
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.cnvd.org.cn/webinfo/show/...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-24 13:29 UTC by Agostino Sarubbo
Modified: 2020-03-19 17:18 UTC (History)
1 user (show)

See Also:
Package list:
=dev-java/tomcat-servlet-api-9.0.31 amd64 =dev-java/tomcat-servlet-api-8.5.51 amd64 ppc64 x86 =dev-java/tomcat-servlet-api-7.0.100 amd64 x86 =www-servers/tomcat-8.5.51 amd64 =www-servers/tomcat-7.0.100 amd64
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2020-02-24 13:29:32 UTC
From https://bugzilla.redhat.com/1806398 :
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in
Apache Tomcat. This is enabled by default with a default configuration port of
8009. A remote, unauthenticated attacker could exploit this vulnerability to
read web application files from a vulnerable server. In instances where the
vulnerable server allows file uploads, an attacker could upload malicious
JavaServer Pages (JSP) code within a variety of file types and trigger this
vulnerability to gain remote code execution (RCE).


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Miroslav Šulc gentoo-dev 2020-02-27 23:48:13 UTC
please stabilize the mentioned packages so i can remove the affected ones.

i did some basic testing on my production servers and all seems fine. there is one change though related to ajp connectors which do not work in default configuration but that is intended by upstream so not really an issue. it just requires users to adjust server configuration. but they should follow changelogs anyway.
Comment 2 Agostino Sarubbo gentoo-dev 2020-02-28 14:12:45 UTC
amd64 stable
Comment 3 Larry the Git Cow gentoo-dev 2020-02-28 16:13:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44c7742044198a985fc81163b590ce0ca15e2bdf

commit 44c7742044198a985fc81163b590ce0ca15e2bdf
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-02-28 16:12:48 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-02-28 16:13:10 +0000

    www-servers/tomcat: removed old vulnerable
    
    Bug: https://bugs.gentoo.org/710656
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   2 -
 www-servers/tomcat/tomcat-7.0.96.ebuild | 146 -----------------------------
 www-servers/tomcat/tomcat-8.5.47.ebuild | 158 --------------------------------
 3 files changed, 306 deletions(-)
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-28 17:50:55 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-02 12:40:38 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Miroslav Šulc gentoo-dev 2020-03-03 18:56:03 UTC
thanks for stabilization. we are clean now:

$ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    https://tomcat.apache.org/
Location:    /usr/portage/www-servers/tomcat
Keywords:    7.0.100:7: amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.5.51:8.5: amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
Keywords:    9.0.31:9: ~amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
License:     Apache-2.0
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-03-19 16:55:21 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 17:18:24 UTC
This issue was resolved and addressed in
 GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43
by GLSA coordinator Thomas Deutschmann (whissi).