Tomcat needs update to prevent hash function DoS attack

Bug #909828 reported by Sami Mäkinen on 2011-12-29
270
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tomcat6 (Ubuntu)
Undecided
Unassigned
Lucid
Medium
Unassigned
Maverick
Medium
Unassigned
Natty
Medium
Unassigned
Oneiric
Medium
Unassigned
Precise
Undecided
Unassigned

Bug Description

http://www.ocert.org/advisories/ocert-2011-003.html

Natty, Oneiric and any other still supported Ubuntu versions should upgrade to Tomcat version 6.0.35, to protect against the rather nasty attack described in the above security advisory.

Tomcat7 should be upgraded to 7.0.23.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: tomcat6 (not installed)
ProcVersionSignature: Ubuntu 3.0.0-14.23-generic 3.0.9
Uname: Linux 3.0.0-14-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Thu Dec 29 20:20:29 2011
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: tomcat6
UpgradeStatus: No upgrade log present (probably fresh install)

visibility: private → public
Changed in tomcat6 (Ubuntu Precise):
status: New → Fix Released
Changed in tomcat6 (Ubuntu Lucid):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Maverick):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Natty):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Oneiric):
status: New → Confirmed
Changed in tomcat6 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Natty):
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Oneiric):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

There are now updated tomcat6 packages that fix this issue, and CVE-2012-0022 in -proposed. Since the patch is quite intrusive, they will stay in -proposed until they get some testing.

If you would like to help, please enable -proposed, test the updates, and post your results here.

Thanks.

James Page (james-page) wrote :

Testing completed in oneiric:

Installed tomcat6
Installed jenkins-tomcat
Installed solr-tomcat

Verified that both jenkins and solr where functional on current published packages.

Added -proposed and upgraded to version of tomcat6 in -proposed.

Revalidated that both jenkins and solr where still functional - all looked OK to me.

solr is quite intensive on use of parameters so felt like a reasonable test case.

James Page (james-page) wrote :

Testing completed in lucid:

Installed tomcat6
Installed solr-tomcat

Verified that solr was functional on current published packages.

Added -proposed and upgraded to version of tomcat6 in -proposed.

Revalidated that solr was still functional - all looked OK to me.

Marc Deslauriers (mdeslaur) wrote :

SRU team: This is a security update. If the packages have the required testing to publish, please let the security team know so we can publish the USN and push it to -security also. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.10

---------------
tomcat6 (6.0.24-2ubuntu1.10) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 14:35:46 -0500

Changed in tomcat6 (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.6

---------------
tomcat6 (6.0.28-2ubuntu1.6) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 14:09:00 -0500

Changed in tomcat6 (Ubuntu Maverick):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-10ubuntu2.3

---------------
tomcat6 (6.0.28-10ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 13:42:23 -0500

Changed in tomcat6 (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.32-5ubuntu1.2

---------------
tomcat6 (6.0.32-5ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: cross-request information leakage
    - debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
      response objects are recycled after being re-populated in
      java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2011-3375
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0017-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FilterBase.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/filter.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden> Wed, 25 Jan 2012 09:00:23 -0500

Changed in tomcat6 (Ubuntu Oneiric):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers