CVE-2009-0781: XSS in tomcat6 and tomcat5.5

Bug #341278 reported by Jamie Strandboge on 2009-03-11
Affects              Status         Importance   Assigned to   Milestone
tomcat5.5 (Ubuntu)                  Low          Unassigned
  Gutsy                             Low          Unassigned
  Hardy                             Low          Unassigned
  Intrepid                          Low          Unassigned
  Jaunty                            Low          Unassigned
tomcat6 (Debian)     Fix Released   Unknown
tomcat6 (Ubuntu)                    Low          Unassigned
  Gutsy                             Undecided    Unassigned
  Hardy                             Undecided    Unassigned
  Intrepid                          Low          Unassigned
  Jaunty                            Low          Unassigned

Bug Description

Binary package hint: tomcat6

PublicDate: 2009-03-09
References:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
Description:
 Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the
 calendar application in the examples web application in Apache Tomcat 4.1.0
 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows
 remote attackers to inject arbitrary web script or HTML via the time
 parameter, related to "invalid HTML."
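The changelog entries below summarise the fix as "properly quote value in webapps/examples/jsp/cal/cal2.jsp", which is the whole story of this class of bug: a request parameter echoed into an HTML attribute that is neither quoted nor escaped lets the first whitespace in the value close the attribute and everything after it become new attributes. The following is an added example, not code from Tomcat or from this bug report; the class and method names, the hand-written escaper and the sample payload are assumptions made for illustration and do not reproduce the actual cal2.jsp source.

```java
// Added example (not Tomcat code): the unquoted-attribute pattern behind
// CVE-2009-0781 next to the quoted, escaped form, plus a small attribute
// counter that shows the difference without needing a browser.
public class TimeFieldRendering {

    // Vulnerable form: value is neither quoted nor escaped, so whitespace
    // in the parameter ends the attribute and the remainder is parsed as
    // further attributes (an event handler, for instance).
    static String renderUnquoted(String time) {
        return "<input name=\"time\" type=\"hidden\" value=" + time + ">";
    }

    // Hardened form: quote the attribute and escape the characters that
    // could end the quoted value or open a new tag.
    static String renderQuoted(String time) {
        return "<input name=\"time\" type=\"hidden\" value=\"" + escapeAttr(time) + "\">";
    }

    // Minimal HTML attribute escaper written by hand for this example
    // (assumption: no escaping library is available to the page).
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Counts attributes in a single rendered start tag the way a browser
    // tokeniser would: a double-quoted value runs to the closing quote, an
    // unquoted value runs to the next whitespace or '>'. The template
    // declares three attributes; anything above that came from the input.
    static int countAttributes(String tag) {
        int count = 0;
        int n = tag.length();
        int i = 0;
        while (i < n && !Character.isWhitespace(tag.charAt(i))) i++; // skip "<input"
        while (i < n) {
            char c = tag.charAt(i);
            if (Character.isWhitespace(c) || c == '>') { i++; continue; }
            // attribute name
            while (i < n && tag.charAt(i) != '=' && !Character.isWhitespace(tag.charAt(i))
                   && tag.charAt(i) != '>') i++;
            count++;
            if (i < n && tag.charAt(i) == '=') {
                i++;
                if (i < n && tag.charAt(i) == '"') {
                    i++;
                    while (i < n && tag.charAt(i) != '"') i++;
                    i++; // closing quote
                } else {
                    while (i < n && !Character.isWhitespace(tag.charAt(i))
                           && tag.charAt(i) != '>') i++;
                }
            }
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed payload: a plausible time value followed by a space
        // and an attribute the template never declared.
        String payload = "8am onmouseover=alert(document.cookie)";

        String unquoted = renderUnquoted(payload);
        String quoted = renderQuoted(payload);

        System.out.println(unquoted);
        System.out.println("attributes: " + countAttributes(unquoted)); // 4: injected
        System.out.println(quoted);
        System.out.println("attributes: " + countAttributes(quoted));   // 3: as declared
    }
}
```

Quoting alone is not enough: a value containing a double quote would close the quoted attribute just as whitespace closes an unquoted one, which is why the hardened form escapes `"` (and `<`, `>`, `&`) as well as adding the quotes. The example also makes the operational point clear: the bug lives entirely in the examples web application, so a deployment that does not ship the examples context is not exposed regardless of the Tomcat version.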

Changed in tomcat6:
status: New → Confirmed
status: New → Confirmed
status: New → Invalid
status: New → Invalid
Changed in tomcat5.5:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Kees Cook (kees) on 2009-04-16
Changed in tomcat5.5 (Ubuntu Gutsy):
importance: Undecided → Low
Changed in tomcat5.5 (Ubuntu Hardy):
importance: Undecided → Low
Changed in tomcat5.5 (Ubuntu Intrepid):
importance: Undecided → Low
Changed in tomcat5.5 (Ubuntu Jaunty):
importance: Undecided → Low
Changed in tomcat6 (Ubuntu Intrepid):
importance: Undecided → Low
Changed in tomcat6 (Ubuntu Jaunty):
importance: Undecided → Low
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in tomcat5.5 (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu3.2

---------------
tomcat6 (6.0.18-0ubuntu3.2) intrepid-security; urgency=low

  * SECURITY UPDATE: security bypass via specially crafted request
    - debian/patches/security-CVE-2008-5515.patch: use only a single
      normalise implementation in:
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
      java/org/apache/catalina/util/RequestUtil.java,
      java/org/apache/naming/resources/FileDirContext.java
    - CVE-2008-5515
  * SECURITY UPDATE: denial of service via request with invalid headers
    - debian/patches/security-CVE-2009-0033.patch: make sure we return
      400 to the browser in
      java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
    - CVE-2009-0033
  * SECURITY UPDATE: valid username enumeration via improper error checking
    - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
      credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
    - CVE-2009-0580
  * SECURITY UPDATE: cross-site scripting in calendar example application
    (LP: #341278)
    - debian/patches/security-CVE-2009-0781.patch: properly quote value in
      webapps/examples/jsp/cal/cal2.jsp
    - CVE-2009-0781
  * SECURITY UPDATE: information disclosure via XML parser replacement
    - debian/patches/security-CVE-2009-0783.patch: create digesters and
      parsers earlier and don't use xml-parser from web-app in
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
    - CVE-2009-0783

 -- Marc Deslauriers <email address hidden> Wed, 10 Jun 2009 09:46:33 -0400

Changed in tomcat6 (Ubuntu Intrepid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu6.1

---------------
tomcat6 (6.0.18-0ubuntu6.1) jaunty-security; urgency=low

  * SECURITY UPDATE: security bypass via specially crafted request
    - debian/patches/security-CVE-2008-5515.patch: use only a single
      normalise implementation in:
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
      java/org/apache/catalina/util/RequestUtil.java,
      java/org/apache/naming/resources/FileDirContext.java
    - CVE-2008-5515
  * SECURITY UPDATE: denial of service via request with invalid headers
    - debian/patches/security-CVE-2009-0033.patch: make sure we return
      400 to the browser in
      java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
    - CVE-2009-0033
  * SECURITY UPDATE: valid username enumeration via improper error checking
    - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
      credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
    - CVE-2009-0580
  * SECURITY UPDATE: cross-site scripting in calendar example application
    (LP: #341278)
    - debian/patches/security-CVE-2009-0781.patch: properly quote value in
      webapps/examples/jsp/cal/cal2.jsp
    - CVE-2009-0781
  * SECURITY UPDATE: information disclosure via XML parser replacement
    - debian/patches/security-CVE-2009-0783.patch: create digesters and
      parsers earlier and don't use xml-parser from web-app in
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
    - CVE-2009-0783

 -- Marc Deslauriers <email address hidden> Wed, 10 Jun 2009 08:31:31 -0400

Changed in tomcat6 (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in tomcat6 (Debian):
status: Unknown → Fix Released
Changed in tomcat6 (Ubuntu):
status: Confirmed → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug is still marked as confirmed in later versions of Ubuntu.

Changed in tomcat5.5 (Ubuntu Intrepid):
status: Confirmed → Invalid
Jamie Strandboge (jdstrand) wrote :

Jaunty is EOL.

Changed in tomcat5.5 (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Marking parent task as "Won't Fix" since it tracks Jaunty, but leaving Hardy. On Hardy, this package is in universe and is community supported. If someone is able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

Changed in tomcat5.5 (Ubuntu):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in tomcat5.5 (Ubuntu Hardy):
status: Confirmed → Won't Fix
This report contains Public Security information.