CVE-2007-5342: Tomcat's default security policy is too open
The Apache Software Foundation
Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict this
configuration and allows an untrusted web application to add files or
overwrite existing files where the Tomcat process has the necessary file
permissions to do so.
Apply the following patch to the catalina.policy file
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
This patch is also included at the end of this announcement
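The catalina.policy patch itself is not reproduced on this page. As an added illustration (not the Apache patch and not Gentoo's), the script below audits a policy file for the class of grant the advisory describes: permissions that let web application code, or the JULI logging code acting on a web application's logging configuration, write files outside the logs and work directories. The allow-list of core codebases, the tomcat-juli.jar path, the writable directory prefixes and both sample policies are constructed assumptions for the example; the parser covers only the codeBase/permission subset of the Java policy grammar.

```python
"""Audit a Tomcat catalina.policy for grants that would let a web application
(or the logging code acting on its configuration) write arbitrary files."""
import re

# Constructed allow-list: code that legitimately runs with full privileges.
CORE_CODEBASE_PREFIXES = (
    "file:${java.home}/",
    "file:${catalina.home}/bin/bootstrap.jar",
    "file:${catalina.home}/lib/",
)
# Assumed location of the JULI jar, the only code expected to hold
# LoggingPermission "control".
JULI_CODEBASE = "file:${catalina.home}/bin/tomcat-juli.jar"
# Constructed: directories where non-core code may legitimately write.
WRITE_OK_PREFIXES = (
    "${catalina.base}${file.separator}logs",
    "${catalina.base}${file.separator}work",
)

COMMENT_RE = re.compile(r"//[^\n]*")
# 'grant [codeBase "..."] { ... };' -- the header may contain "${...}"
# property references, so a brace preceded by '$' does not end it.
GRANT_RE = re.compile(r"grant\b((?:\$\{|[^{])*)\{(.*?)\}\s*;", re.S)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

# Constructed sample: logging jar has AllPermission and the web application
# grant allows writing anywhere and reconfiguring logging.
SAMPLE_OPEN = """
// core Tomcat code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.base}/webapps/-" {
        permission java.io.FilePermission "<<ALL FILES>>", "read, write";
        permission java.util.logging.LoggingPermission "control";
        permission java.util.PropertyPermission "java.io.tmpdir", "read";
};
"""

# Constructed sample: logging permissions scoped to the JULI jar and the
# logs directory, nothing file-related for the web application.
SAMPLE_RESTRICTED = """
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
        permission java.util.logging.LoggingPermission "control";
        permission java.util.PropertyPermission "catalina.base", "read";
};
grant codeBase "file:${catalina.base}/webapps/-" {
        permission java.util.PropertyPermission "java.io.tmpdir", "read";
};
"""


def parse_policy(text):
    """Return [(codebase or None, [(perm_class, target, actions), ...]), ...].
    Only codeBase and permission clauses are understood (no signedBy/principal)."""
    text = COMMENT_RE.sub("", text)
    grants = []
    for header, body in GRANT_RE.findall(text):
        match = CODEBASE_RE.search(header)
        codebase = match.group(1) if match else None   # None: applies to all code
        grants.append((codebase, PERM_RE.findall(body)))
    return grants


def audit_policy(text):
    """Return (scope, perm_class, target, reason) findings for risky grants."""
    findings = []
    for codebase, perms in parse_policy(text):
        if codebase is not None and codebase.startswith(CORE_CODEBASE_PREFIXES):
            continue
        scope = codebase or "<all code>"
        for perm_class, target, actions in perms:
            acts = {a.strip() for a in actions.split(",") if a.strip()}
            if perm_class == "java.security.AllPermission":
                findings.append((scope, perm_class, target,
                                 "AllPermission outside core Tomcat code"))
            elif (perm_class == "java.io.FilePermission"
                  and acts & {"write", "delete"}
                  and not target.startswith(WRITE_OK_PREFIXES)):
                findings.append((scope, perm_class, target,
                                 "write/delete outside logs and work directories"))
            elif (perm_class == "java.util.logging.LoggingPermission"
                  and target == "control" and codebase != JULI_CODEBASE):
                findings.append((scope, perm_class, target,
                                 "logging reconfiguration granted beyond JULI"))
    return findings


if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        print(name, "policy:", len(audit_policy(sample)), "finding(s)")
        for scope, perm_class, target, reason in audit_policy(sample):
            print("  ", scope, perm_class, repr(target), "->", reason)
```

Run against a real catalina.policy with `audit_policy(open(path).read())`; the open sample yields three findings (AllPermission on the logging jar, a world-writable FilePermission and LoggingPermission "control" for the web application grant) and the restricted sample none. The rules are a heuristic for this one class of grant, not a full policy analysis.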
Filed the bug myself; upstream will correct the defaults. I will apply changes ASAP. Kinda have existing issues with using the security manager and default security policies as is. Thus the dependency on the other existing bug regarding those issues :) Pretty sure there will be a new release soon. Been waiting on that for another CVE bug for Tomcat as well. Both somewhat minor and moot IMHO, but will work on and resolve them ASAP.
Thanks for reporting. I assume the other CVE you mean is bug 196066.
ping, what's the status here?
Haven't had a chance to work it. Not sure upstream has reacted. They have been talking about a release of both 5.5.x and 6.0.x for over a month now. Hopefully any day now a vote will take place and they will release a new version. So I can close the Tomcat webdav bug 196066 as well. Otherwise I need to go fetch their solution to that one, and this one from vc. Assuming both have been addressed in vc.
HOWEVER, even when upstream addresses this issue specifically, it's kinda moot for us on Gentoo, because of bug 176701. Stuff doesn't even really work now, so if the default file is too open, it really means squat to us :) The default stuff doesn't work for us, and is WAY too locked down. I have to dial it in for split tomcat and etc. So not sure their default being too open even matters on Gentoo, considering some of the default apps that ship don't have permissions or etc. in the default policy file. It's a mess, no time to resolve.
Me personally, I have had so many past headaches with using a security manager that I don't run one at all these days. Mostly for local protection anyway, to prevent devs from doing bad stuff in a container like System.exit() etc.
To use as is, most would have to modify it for their needs anyway. I don't think I would GLSA this or etc. It's very minor and quite moot, IMHO. Kinda like the other bug 196066.
Just filed the bug before someone else could ;)
Rerating as B4 since running untrusted webapps is a bad idea anyway.
Any news on this one?
Well, since this is basically an upstream bug, and we have new versions in tree, 5.5.26/6.0.16, I believe the issue was addressed by upstream. Still doesn't address our bug 176701, but that's usability, not security. Pretty sure we are good on this one. Can close, move on, etc.
Upstream confirmed, this is fixed in 6.0.16 and 5.5.26, which are both stable targets in bug 196066.
Should we release a GLSA for this one along with 176701? I tend to vote NO.
Sune, is that a no for the whole list of bugs listed at the above url, or just this one?
Hmmm reading the bug list again I tend to vote YES.
GLSA 200804-10, sorry for the delay.