Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 627514 (CVE-2017-7674) - <www-servers/tomcat-{7.0.79, 8.0.45}: Apache Tomcat Cache Poisoning (CVE-2017-7674)
Summary: <www-servers/tomcat-{7.0.79, 8.0.45}: Apache Tomcat Cache Poisoning (CVE-2017...
Status: RESOLVED FIXED
Alias: CVE-2017-7674
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bz.apache.org/bugzilla/show_b...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-11 04:16 UTC by D'juan McDonald (domhnall)
Modified: 2017-09-10 06:54 UTC (History)
1 user (show)

See Also:
Package list:
www-servers/tomcat-7.0.79 www-servers/tomcat-8.0.45 dev-java/tomcat-servlet-api-7.0.79 dev-java/tomcat-servlet-api-8.0.45
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-08-11 04:16:34 UTC
From $URL:

The Tomcat CorsFilter does not add a Vary header to the response to indicate that the response can vary for different values of the Origin header in the request. This poses problems for caches, as they can yield cached Tomcat responses where they shouldn't because they don't know that a different Origin value may yield a different response.

The filter should add the Origin value to the Vary header of the response.

Per the CORS standard (https://www.w3.org/TR/cors/#resource-implementation):
"Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins."

Found this on multiple versions of the Tomcat CorsFilter (7, 8.0 and 8.5). A quick code inspection shows that this isn't present in /trunk either.

Found with multiple Java versions, at least including Oracle JDK 8u131 64-bit on Windows 10 64-bit. Seems to be unrelated to the connectors (found on the HTTP NIO and BIO connectors)

To reproduce, enable the CorsFilter in Tomcat's web.xml, and send an HTTP request that includes both a Host and an Origin header, where the Origin should be different than the Host, and should be a value that is configured to be allowed by the CorsFilter. Inspect the response headers. A 'Vary: Origin' header should be in the response, but isn't.

 

Gentoo Security Scout

MBailey_J
Comment 1 D'juan McDonald (domhnall) 2017-08-22 13:03:42 UTC
@security,
Comment 2 D'juan McDonald (domhnall) 2017-08-22 13:11:10 UTC
@maintainer(s), please call for stabilization and/or follow procedure to close on report. Thank You.

Daj'Uan (mbailey_J)
Gentoo Security Scout
Comment 3 Miroslav Šulc gentoo-dev 2017-08-22 18:28:00 UTC
i stabilized slots 7 a 8 on amd64:

commit acbf4a912e859f8a7361d419544fde06ca45462e (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Aug 22 20:24:42 2017 +0200

    www-servers/tomcat: marked stable amd64 per bug #627514
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 www-servers/tomcat/tomcat-7.0.79.ebuild | 2 +-
 www-servers/tomcat/tomcat-8.0.45.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 720ce827120c44680530f02f912f50d1482badf5
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Aug 22 20:23:40 2017 +0200

    dev-java/tomcat-servlet-api: marked stable amd64 per bug #627514
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.79.ebuild | 2 +-
 dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.45.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


but i don't have access to x86 machine though i suppose it should work aswell.
Comment 4 D'juan McDonald (domhnall) 2017-08-22 18:39:51 UTC
@fordfrog, thank you... @arches, please test to stabilize, thank you.
Comment 5 D'juan McDonald (domhnall) 2017-08-22 22:21:20 UTC
@Security, please follow procedure to close on report, thank you.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-08-29 20:44:55 UTC
x86 stable
Comment 7 Miroslav Šulc gentoo-dev 2017-09-10 06:32:52 UTC
i've just removed the old affected versions from the tree:

commit 55b14158b82577af855f072f5120628b6d4db2de (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Sun Sep 10 08:24:24 2017 +0200

    dev-java/tomcat-servlet-api: removed old versions
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

dev-java/tomcat-servlet-api/Manifest
dev-java/tomcat-servlet-api/tomcat-servlet-api-7.0.77.ebuild
dev-java/tomcat-servlet-api/tomcat-servlet-api-8.0.43.ebuild

commit 96b634bd2d58335c66299b60325ec5d70f608b6f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Sun Sep 10 08:20:46 2017 +0200

    www-servers/tomcat: removed old security affected versions
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

www-servers/tomcat/Manifest
www-servers/tomcat/files/tomcat-7.0.77-build.xml.patch
www-servers/tomcat/files/tomcat-8.0.43-build.xml.patch
www-servers/tomcat/tomcat-7.0.77.ebuild
www-servers/tomcat/tomcat-8.0.43.ebuild
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-10 06:54:37 UTC
Maintainer(s), Thank you for your work.
GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].