Bug 549536 (CVE-2014-7810) - <www-servers/tomcat-{6.0.44,7.0.59}: Security Manager Bypass (CVE-2014-7810)
Status: RESOLVED FIXED
Alias: CVE-2014-7810
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://mail-archives.us.apache.org/mo...
Whiteboard: B3 [noglsa]
Reported: 2015-05-15 10:16 UTC by Agostino Sarubbo
Modified: 2015-06-16 02:55 UTC
Description Agostino Sarubbo gentoo-dev 2015-05-15 10:16:01 UTC
From ${URL} :

CVE-2014-7810 Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.15
- Apache Tomcat 7.0.0 to 7.0.57
- Apache Tomcat 6.0.0 to 6.0.43

Description:
Malicious web applications could use expression language to bypass the
protections of a Security Manager as expressions were evaluated within
a privileged code section.
This issue only affects installations that run web applications from
untrusted sources.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.17 or later
  (8.0.16 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.59 or later
  (7.0.58 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.44 or later


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
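
Added example (not part of the bug report or of Gentoo's tooling): a series-aware check of installed package atoms against the fixed versions named above, showing why a single numeric bound is wrong here (6.0.44 sorts below 7.0.59 but is fixed). The names `classify` and `audit`, the constructed sample list, and the choice to apply the same bounds to dev-java/tomcat-servlet-api are assumptions.

```python
import re

# First fixed version per Tomcat series. 6.0.44 and 7.0.59 are the bounds in
# the bug title; 8.0.17 is the first released 8.0.x fix per the advisory.
FIRST_FIXED = {(6, 0): 44, (7, 0): 59, (8, 0): 17}
# Assumption: dev-java/tomcat-servlet-api is tracked with the same bounds,
# because the maintainer cleaned up the same versions of it in this bug.
PACKAGES = {"www-servers/tomcat", "dev-java/tomcat-servlet-api"}

CPV = re.compile(
    r"^=?(?P<cp>[\w+.-]+/[\w+-]+?)-(?P<ver>\d+\.\d+\.\d+)"
    r"(?P<pre>_(?:alpha|beta|pre|rc)\d*)?(?:-r\d+)?$"
)

def classify(cpv):
    """Return 'vulnerable', 'fixed', 'not-covered' or None (not a Tomcat atom)."""
    m = CPV.match(cpv.strip())
    if not m or m.group("cp") not in PACKAGES:
        return None
    major, minor, patch = (int(x) for x in m.group("ver").split("."))
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return "not-covered"  # series not listed in the advisory
    # A pre-release of the fixed version still sorts below it in Portage.
    if patch < fixed or (patch == fixed and m.group("pre")):
        return "vulnerable"
    return "fixed"

def audit(installed):
    """Map each Tomcat atom in `installed` to its status, skipping other packages."""
    return {a: s for a in installed if (s := classify(a)) is not None}

# Constructed sample input, in the format `qlist -Iv` prints (one atom per line).
SAMPLE = """\
www-servers/tomcat-6.0.44
www-servers/tomcat-7.0.57
www-servers/tomcat-8.0.23
dev-java/tomcat-servlet-api-6.0.43
dev-java/tomcat-servlet-api-7.0.59-r1
app-shells/bash-4.3_p33-r2
""".splitlines()

if __name__ == "__main__":
    for atom, status in audit(SAMPLE).items():
        print(f"{status:12} {atom}")
```
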
Comment 1 William L. Thomson Jr. 2015-05-20 21:25:26 UTC
8 in tree is not affected, only older versions of 7 < tomcat-7.0.59, need to be removed. Current is Tomcat 7.0.62 Released 2015-05-14. I would remove 6 entirely, though it is still current upstream, Tomcat 6.0.44 Released 2015-05-12. ALL versions of 6 in tree are affected.
Comment 2 Patrice Clement gentoo-dev 2015-06-03 14:41:39 UTC
+*tomcat-6.0.44 (03 Jun 2015)
+
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +files/tomcat-6.0.44-build.xml.patch, +tomcat-6.0.44.ebuild,
+  -files/tomcat-6.0.41-build.xml.patch, -files/tomcat-6.0.43-build.xml.patch,
+  -tomcat-6.0.41.ebuild, -tomcat-6.0.43.ebuild:
+  Tomcat 6.0.44 version bump. EAPI 5 bump. Remove vulnerable versions. Fix
+  security bug 549536.
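Review bot: The message "Tomcat 6.0.44 version bump. EAPI 5 bump. Remove vulnerable versions." bundles three unrelated changes into one entry, so the removal of tomcat-6.0.41.ebuild and tomcat-6.0.43.ebuild cannot be reverted without touching the bump. Commit the bump (with the EAPI change) first and drop the old ebuilds and their build.xml patches in a separate entry once the new version has been stabilised.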
Comment 3 Patrice Clement gentoo-dev 2015-06-03 14:45:31 UTC
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -files/tomcat-7.0.56-build.xml.patch, -files/tomcat-7.0.57-build.xml.patch,
+  -tomcat-7.0.56.ebuild, -tomcat-7.0.57.ebuild:
+  Remove vulnerable versions < Tomcat 7.0.59. Fix security bug 549536.
+
Comment 4 Patrice Clement gentoo-dev 2015-06-03 14:56:53 UTC
+*tomcat-servlet-api-6.0.44 (03 Jun 2015)
+
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +tomcat-servlet-api-6.0.44.ebuild, -tomcat-servlet-api-6.0.41.ebuild,
+  -tomcat-servlet-api-6.0.43.ebuild:
+  Tomcat 6.0.44 version bump. Remove vulnerable versions. Fix security bug
+  549536.
+
Comment 5 Patrice Clement gentoo-dev 2015-06-03 14:58:10 UTC
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -tomcat-servlet-api-7.0.56.ebuild, -tomcat-servlet-api-7.0.57.ebuild:
+  Remove vulnerable versions < Tomcat 7.0.59. Fix security bug 549536.
+
Comment 6 Patrice Clement gentoo-dev 2015-06-03 15:09:40 UTC
Hi security team

There are no vulnerable versions of Tomcat in the tree. I've bumped Tomcat 6 and while at it, cleaned up the vulnerable versions. However, tomcat 6/7/8 now need stabilising (stabled versions are no more).

Please stabilise:
- www-servers/tomcat-6.0.44.ebuild
- www-servers/tomcat-7.0.59.ebuild
- www-servers/tomcat-8.0.23.ebuild

As well as:
- dev-java/tomcat-servlet-api-6.0.44.ebuild
- dev-java/tomcat-servlet-api-7.0.59.ebuild
- dev-java/tomcat-servlet-api-8.0.23.ebuild

Thanks.
Comment 7 Patrice Clement gentoo-dev 2015-06-03 16:32:51 UTC
+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +tomcat-servlet-api-6.0.41.ebuild, +tomcat-servlet-api-6.0.43.ebuild,
+  +tomcat-servlet-api-7.0.56.ebuild, +tomcat-servlet-api-7.0.57.ebuild,
+  tomcat-servlet-api-6.0.44.ebuild, tomcat-servlet-api-7.0.59.ebuild,
+  tomcat-servlet-api-8.0.23.ebuild:
+  Restore vulnerable ebuilds until security team stabilise the new version.
+  See bug 549536.
+
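Review bot: The file list names tomcat-servlet-api-6.0.44.ebuild, tomcat-servlet-api-7.0.59.ebuild and tomcat-servlet-api-8.0.23.ebuild without a + or - marker, so they are recorded as modified, but the message only covers the four restored ebuilds. State what changed in those three files, or drop them from the list if they were not meant to be part of this entry.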

+  03 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +files/tomcat-6.0.41-build.xml.patch, +files/tomcat-6.0.43-build.xml.patch,
+  +files/tomcat-7.0.56-build.xml.patch, +files/tomcat-7.0.57-build.xml.patch,
+  +tomcat-6.0.41.ebuild, +tomcat-6.0.43.ebuild, +tomcat-7.0.56.ebuild,
+  +tomcat-7.0.57.ebuild:
+  Restore vulnerable ebuilds until security team stabilise the new version. See
+  bug 549536.
+

There you go: I've been told not to remove the vulnerable ebuilds until security team say so. I didn't want to cause a stir so I've added back the vulnerable versions. Over to you guys.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-03 21:25:40 UTC
Thanks, 

Arches, please stabilize:
=www-servers/tomcat-6.0.44
Stable targets: amd64 ppc ppc64 x86

=www-servers/tomcat-7.0.59
Stable targets: amd64 ppc ppc64 x86
Comment 9 Patrice Clement gentoo-dev 2015-06-03 21:32:33 UTC
dev-java/tomcat-servlet-api needs stabilisation as well.

=dev-java/tomcat-servlet-api-6.0.44
Stable targets: amd64 ppc ppc64 x86

=dev-java/tomcat-servlet-api-7.0.59
Stable targets: amd64 ppc ppc64 x86

Thanks.
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-05 08:59:38 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-06-05 09:00:35 UTC
x86 stable
Comment 12 Patrice Clement gentoo-dev 2015-06-08 22:31:10 UTC
ping @ppc and @ppc64. Could you please stabilise tomcat-7.0.59.ebuild and tomcat-6.0.44.ebuild? These two are the last missing bit. Thanks!
Comment 13 Sam James archtester gentoo-dev Security 2015-06-09 14:16:31 UTC
Looks like the stabilisations fixed CVE-2014-0230 too.
Comment 14 Agostino Sarubbo gentoo-dev 2015-06-10 15:52:49 UTC
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-06-10 15:53:25 UTC
ppc can't be done because of bug 536888
Comment 16 James Le Cuirot gentoo-dev 2015-06-11 22:51:52 UTC
(In reply to Agostino Sarubbo from comment #15)
> ppc can't be done because of bug 536888

Please reconsider following my comments there. Hopefully you're not able to reproduce that problem any more.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 07:00:34 UTC
CVE-2014-7810 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7810):
  The Expression Language (EL) implementation in Apache Tomcat 6.x before
  6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider
  the possibility of an accessible interface implemented by an inaccessible
  class, which allows attackers to bypass a SecurityManager protection
  mechanism via a web application that leverages use of incorrect privileges
  during EL evaluation.
Comment 18 Agostino Sarubbo gentoo-dev 2015-06-15 08:27:20 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 19 Patrice Clement gentoo-dev 2015-06-15 08:43:01 UTC
+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -files/tomcat-6.0.41-build.xml.patch, -files/tomcat-6.0.43-build.xml.patch,
+  -files/tomcat-7.0.56-build.xml.patch, -files/tomcat-7.0.57-build.xml.patch,
+  -tomcat-6.0.41.ebuild, -tomcat-6.0.43.ebuild, -tomcat-7.0.56.ebuild,
+  -tomcat-7.0.57.ebuild:
+  Remove old.
+
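Review bot: The message "Remove old." does not say why these eight files are removed and carries no bug reference, unlike the tomcat-servlet-api entry that follows it. Use the same wording here, "Remove vulnerable versions. Fix security bug 549536.", so the removal can be traced back to the security bug from the ChangeLog alone.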

+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -tomcat-servlet-api-6.0.41.ebuild, -tomcat-servlet-api-6.0.43.ebuild,
+  -tomcat-servlet-api-7.0.56.ebuild, -tomcat-servlet-api-7.0.57.ebuild:
+  Remove vulnerable versions. Fix security bug 549536.
+
Comment 20 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-15 13:30:54 UTC
Maintainer and arches, thank you for your work.

GLSA Vote: No
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 02:55:48 UTC
GLSA Vote: No

Thank you all. Closing as noglsa.