CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

Bug #843701 reported by James Page on 2011-09-07
Affects              Importance   Assigned to
tomcat5.5 (Ubuntu)   Undecided    Unassigned
  Hardy              Undecided    Tyler Hicks
  Lucid              Undecided    Unassigned
  Maverick           Undecided    Unassigned
  Natty              Undecided    Unassigned
  Oneiric            Undecided    Unassigned
tomcat6 (Ubuntu)     Undecided    Unassigned
  Hardy              Undecided    Marc Deslauriers
  Lucid              Undecided    Marc Deslauriers
  Maverick           Undecided    Marc Deslauriers
  Natty              Undecided    Marc Deslauriers
  Oneiric            Undecided    Unassigned
tomcat7 (Ubuntu)     Undecided    Unassigned
  Hardy              Undecided    Unassigned
  Lucid              Undecided    Unassigned
  Maverick           Undecided    Unassigned
  Natty              Undecided    Unassigned
  Oneiric            Undecided    Unassigned

Bug Description

This CVE will impact pretty much every version of tomcat6 we currently support and tomcat7 in oneiric.

I'm working on a new upstream version of tomcat7 in Debian and can do the same with tomcat6 for oneiric, but the fix will need backporting to previous releases as well.

>>>>>>>>>>>>>>>>>

CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.20
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected

Description:
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of the request
body. In certain circumstances, Tomcat did not process this message as a
request body but as a new request. This permitted an attacker to have
full control over the AJP message which allowed an attacker to (amongst
other things):
- insert the name of an authenticated user
- insert any client IP address (potentially bypassing any client IP
address filtering)
- trigger the mixing of responses between users

The following AJP connector implementations are not affected:
org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)

The following AJP connector implementations are affected:

org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)

Further, this issue only applies if all of the following are true
for at least one resource:
- POST requests are accepted
- The request body is not processed

Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a version of Apache Tomcat that includes a fix for this
issue when available
- Apply the appropriate patch
  - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
  - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
  - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the
requiredSecret attribute
- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
available for Tomcat 7.0.x)

Credit:
The issue was reported via Apache Tomcat's public issue tracker.
The Apache Tomcat security team strongly discourages reporting of
undisclosed vulnerabilities via public channels. All Apache Tomcat
security vulnerabilities should be reported to the private security team
mailing list: <email address hidden>

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
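The advisory quoted above turns on two details of the AJP wire format: a request body travels in a separate, unsolicited packet that carries no prefix code, so a connector has to consume it as body data even when the application never reads it, and the shared secret named by the requiredSecret mitigation arrives as an attribute of the Forward Request, so a connector can refuse requests that did not come from the configured proxy. The Python script below is an added example, not code from this bug report, from Tomcat or from the Ubuntu packages: it encodes a constructed proxy-to-container packet stream (three requests, one of them without the secret) and demultiplexes it the way a fixed connector must, draining outstanding body packets and rejecting requests whose secret does not match. Packet layout and the header and attribute codes follow the AJP13 protocol reference; the addresses, host name and secret value are constructed, and the choice to drain the body of a rejected request rather than drop the connection is a design choice of this example.

```python
"""Minimal AJP13 demultiplexer for a reverse-proxy -> Tomcat connection.
Constructed example for this bug page, not Tomcat's connector code."""
import struct

AJP_MAGIC = b"\x12\x34"  # prefix of every proxy -> container packet
FORWARD_REQUEST = 2      # prefix code of a new request
ATTR_REQ_ATTRIBUTE, ATTR_SECRET, ATTR_TERMINATOR = 0x0A, 0x0C, 0xFF  # 0x0C carries requiredSecret
METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
HEADER_CODES = {0xA007: "content-type", 0xA008: "content-length", 0xA00B: "host"}
SECRET = "s3cret-example"  # constructed; a real deployment uses a long random value

def _ajp_string(value):  # AJP string: 2-byte length, bytes, NUL; 0xFFFF encodes a null string
    data = b"" if value is None else value.encode()
    return b"\xff\xff" if value is None else struct.pack(">H", len(data)) + data + b"\x00"

def _packet(payload):
    return AJP_MAGIC + struct.pack(">H", len(payload)) + payload

def forward_request(method, uri, headers=(), attributes=()):
    """Encode a Forward Request as a reverse proxy would (constructed test data)."""
    p = bytes([FORWARD_REQUEST, METHOD_CODES[method]]) + _ajp_string("HTTP/1.1") + _ajp_string(uri)
    p += _ajp_string("192.0.2.10") + _ajp_string(None)               # remote_addr, remote_host
    p += _ajp_string("localhost") + struct.pack(">H", 80) + b"\x00"  # server_name, port, is_ssl
    p += struct.pack(">H", len(headers))                             # header names as plain strings
    p += b"".join(_ajp_string(k) + _ajp_string(v) for k, v in headers)
    p += b"".join(bytes([c]) + _ajp_string(v) for c, v in attributes)
    return _packet(p + bytes([ATTR_TERMINATOR]))

def body_chunk(data):  # body packet: payload is a 2-byte length plus raw bytes, no prefix code
    return _packet(struct.pack(">H", len(data)) + data)

class _Reader:  # cursor over one packet payload
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def byte(self): self.pos += 1; return self.buf[self.pos - 1]
    def int(self): self.pos += 2; return struct.unpack_from(">H", self.buf, self.pos - 2)[0]
    def string(self, n=None):
        n = self.int() if n is None else n
        if n == 0xFFFF:
            return None
        self.pos += n + 1                       # bytes plus the NUL terminator
        return self.buf[self.pos - n - 1:self.pos - 1].decode()

def parse_forward_request(payload):
    r = _Reader(payload)
    r.byte()                                    # prefix code, already checked by the caller
    method = {v: k for k, v in METHOD_CODES.items()}[r.byte()]
    _protocol, uri, remote_addr, _remote_host = r.string(), r.string(), r.string(), r.string()
    _server_name, _server_port, _is_ssl = r.string(), r.int(), r.byte() != 0
    headers = {}
    for _ in range(r.int()):
        first = r.int()                         # either an 0xA0xx code or a string length
        name = HEADER_CODES.get(first, hex(first)) if first >> 8 == 0xA0 else r.string(first)
        headers[name.lower()] = r.string()
    attributes = {}
    while (code := r.byte()) != ATTR_TERMINATOR:  # req_attribute carries a name and a value
        key = r.string() if code == ATTR_REQ_ATTRIBUTE else code
        attributes[key] = r.string()
    return {"method": method, "uri": uri, "remote_addr": remote_addr,
            "headers": headers, "attributes": attributes, "body": b""}

def split_packets(stream):
    """Yield the payload of each proxy -> container packet in a byte stream."""
    pos = 0
    while pos < len(stream):
        if stream[pos:pos + 2] != AJP_MAGIC:
            raise ValueError(f"bad AJP magic at offset {pos}")
        length = struct.unpack_from(">H", stream, pos + 2)[0]
        yield stream[pos + 4:pos + 4 + length]
        pos += 4 + length

def dispatch(stream, required_secret=None):
    """Return (accepted, rejected) requests on one connection. Packets that arrive while a
    body is outstanding are drained as body chunks and never parsed as a new request."""
    accepted, rejected, pending, remaining = [], [], None, 0
    for payload in split_packets(stream):
        if pending is not None:
            n = struct.unpack_from(">H", payload)[0] if len(payload) >= 2 else 0
            pending["body"] += payload[2:2 + n]
            remaining -= n
            if n == 0 or remaining <= 0:        # empty chunk or full length: body complete
                pending = None
            continue
        if payload[:1] != bytes([FORWARD_REQUEST]):
            raise ValueError(f"prefix {payload[:1]!r} where a Forward Request was expected")
        req = parse_forward_request(payload)
        if required_secret is not None and req["attributes"].get(ATTR_SECRET) != required_secret:
            rejected.append(req)                # e.g. a proxy not configured with the secret
        else:
            accepted.append(req)
        remaining = int(req["headers"].get("content-length", "0"))
        pending = req if remaining > 0 else None  # drain the body even for a rejected request
    return accepted, rejected

def sample_stream():  # constructed proxy -> container stream: two requests with the secret, one without
    return b"".join([
        forward_request("POST", "/upload", [("Content-Length", "5")], [(ATTR_SECRET, SECRET)]),
        body_chunk(b"hello"),                   # the unsolicited first body chunk
        forward_request("GET", "/status", attributes=[(ATTR_SECRET, SECRET)]),
        forward_request("POST", "/admin", [("Content-Length", "2")]),  # no secret attribute
        body_chunk(b"ok"),
    ])

if __name__ == "__main__":
    ok, bad = dispatch(sample_stream(), SECRET)
    print([(r["method"], r["uri"], r["body"]) for r in ok], [r["uri"] for r in bad])
```

Running the script shows the POST and GET accepted with the POST's body attached, and the request without the secret rejected; feeding a bare body packet to `dispatch` raises instead of being dispatched as a request, which is the check the advisory's affected connectors lacked. In a real deployment the 0x0C attribute is populated by the proxy side of the requiredSecret configuration (for mod_jk, the worker's `secret` property), and the connector compares it against the requiredSecret attribute of the AJP Connector in server.xml.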

James Page (james-page) on 2011-09-08
visibility: private → public
James Page (james-page) wrote :

New upstream release sync for tomcat7 raised under bug 844745

Jamie Strandboge (jdstrand) wrote :

tomcat7 was fixed in 7.0.21-1.

Changed in tomcat6 (Ubuntu):
status: New → Confirmed
Changed in tomcat7 (Ubuntu):
status: New → Confirmed
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.32-5ubuntu1

---------------
tomcat6 (6.0.32-5ubuntu1) oneiric; urgency=low

  * Added patch for CVE-2011-3190 (LP: #843701).
 -- James Page <email address hidden> Thu, 08 Sep 2011 14:45:34 +0100

Changed in tomcat6 (Ubuntu):
status: Confirmed → Fix Released
James Page (james-page) wrote :

Nominating for SRU in hardy (backports), lucid, maverick and natty

James Page (james-page) wrote :

Marked tasks for tomcat7 pre Oneiric as 'Invalid' as not present in earlier releases.

Changed in tomcat7 (Ubuntu Natty):
status: New → Invalid
Changed in tomcat7 (Ubuntu Maverick):
status: New → Invalid
Changed in tomcat7 (Ubuntu Lucid):
status: New → Invalid
Changed in tomcat7 (Ubuntu Hardy):
status: New → Invalid
James Page (james-page) wrote :

Branches linked with -security fixes for natty, maverick and lucid.

James Page (james-page) wrote :

Branch linked with -security fix for tomcat5.5 in hardy

Marc Deslauriers (mdeslaur) wrote :

Thanks for the branches. Tomcat6 updates have already been prepared by the security team, and are currently being tested.

Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors for the hardy tomcat5.5 update.

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors since Marc is handling this as part of his update.

Changed in tomcat6 (Ubuntu Lucid):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat6 (Ubuntu Maverick):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat6 (Ubuntu Natty):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat6 (Ubuntu Hardy):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

Added tomcat5.5 task and re-subscribed ubuntu-security-sponsors since there's a tomcat5.5 branch linked here for sponsoring.

Changed in tomcat5.5 (Ubuntu Lucid):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Maverick):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Natty):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Oneiric):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Hardy):
status: New → Confirmed
Tyler Hicks (tyhicks) on 2011-10-06
Changed in tomcat6 (Ubuntu Hardy):
status: In Progress → Invalid
Changed in tomcat6 (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in tomcat6 (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in tomcat6 (Ubuntu Natty):
status: In Progress → Fix Committed
Tyler Hicks (tyhicks) on 2011-10-11
Changed in tomcat5.5 (Ubuntu Hardy):
assignee: nobody → Tyler Hicks (tyhicks)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat5.5 - 5.5.25-5ubuntu1.3

---------------
tomcat5.5 (5.5.25-5ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: Apache Tomcat Authentication bypass and information
    disclosure (LP: #843701).
    - connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java: Prevent AJP
      request forgery via unread request body packet - upstream patch from Mark
      Thomas
    - http://svn.apache.org/viewvc?view=revision&revision=1162960
    - CVE-2011-3190
 -- James Page <email address hidden> Mon, 26 Sep 2011 11:42:02 +0100

Changed in tomcat5.5 (Ubuntu Hardy):
status: In Progress → Fix Released
Tyler Hicks (tyhicks) wrote :

Thanks again for the tomcat5.5 Hardy branch, James! As you probably noticed, I touched up the changelog a little bit to add in the upstream author and a link to the upstream patch. Everything else looked great and the updated package should now be available.

Jamie Strandboge (jdstrand) wrote :

Removing ubuntu-security-sponsors. tomcat5.5 is processed and tomcat6 is pending in the security ppa.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-10ubuntu2.2

---------------
tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:27:14 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.5

---------------
tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * This package does _not_ contain the changes that were in
    6.0.28-2ubuntu1.3 in -proposed.
 -- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:48:20 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.9

---------------
tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:53:28 -0400

Changed in tomcat6 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in tomcat6 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in tomcat6 (Ubuntu Natty):
status: Fix Committed → Fix Released