Ubuntu
tomcat5.5 package

CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

  1. Maverick (10.10)
  2. Bug #843701
Bug #843701 reported by James Page
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tomcat5.5 (Ubuntu)
Invalid
Undecided
Unassigned
Hardy
Fix Released
Undecided
Tyler Hicks
Lucid
Invalid
Undecided
Unassigned
Maverick
Invalid
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned
Oneiric
Invalid
Undecided
Unassigned
tomcat6 (Ubuntu)
Fix Released
Undecided
Unassigned
Hardy
Invalid
Undecided
Marc Deslauriers
Lucid
Fix Released
Undecided
Marc Deslauriers
Maverick
Fix Released
Undecided
Marc Deslauriers
Natty
Fix Released
Undecided
Marc Deslauriers
Oneiric
Fix Released
Undecided
Unassigned
tomcat7 (Ubuntu)
Fix Released
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
Lucid
Invalid
Undecided
Unassigned
Maverick
Invalid
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned
Oneiric
Fix Released
Undecided
Unassigned

Bug Description

This CVE will impact pretty much every version of tomcat6 we currently support and tomcat7 in oneiric.

I'm working on a new upstream version of tomcat7 in debian and can do the same with tomcat6 for oneiric but the fix will need backporting to previous releases as well.

>>>>>>>>>>>>>>>>>

CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.20
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected

Description:
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of the request
body. In certain circumstances, Tomcat did not process this message as a
request body but as a new request. This permitted an attacker to have
full control over the AJP message which allowed an attacker to (amongst
other things):
- insert the name of an authenticated user
- insert any client IP address (potentially bypassing any client IP
address filtering)
- trigger the mixing of responses between users

The following AJP connector implementations are not affected:
org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)

The following AJP connector implementations are affected:

org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)

Further, this issue only applies if all of the following are are true
for at least one resource:
- POST requests are accepted
- The request body is not processed

Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a version of Apache Tomcat that includes a fix for this
issue when available
- Apply the appropriate patch
  - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
  - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
  - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the
requiredSecret attribute
- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
available for Tomcat 7.0.x)

Credit:
The issue was reported via Apache Tomcat's public issue tracker.
The Apache Tomcat security team strongly discourages reporting of
undisclosed vulnerabilities via public channels. All Apache Tomcat
security vulnerabilities should be reported to the private security team
mailing list: <email address hidden>

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Related branches

lp:~james-page/ubuntu/oneiric/tomcat6/CVE-2011-3190
Dave Walker (community): Approve
Ubuntu branches: Pending requested
Diff: 2811 lines (+2710/-9)
9 files modified
.pc/0013-CVE-2011-3190.patch/java/org/apache/coyote/ajp/AjpAprProcessor.java (+1337/-0)
.pc/0013-CVE-2011-3190.patch/java/org/apache/coyote/ajp/AjpProcessor.java (+1269/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+6/-0)
debian/control (+2/-1)
debian/patches/0013-CVE-2011-3190.patch (+72/-0)
debian/patches/series (+1/-0)
java/org/apache/coyote/ajp/AjpAprProcessor.java (+11/-4)
java/org/apache/coyote/ajp/AjpProcessor.java (+11/-4)
lp:ubuntu/oneiric/tomcat6
lp:debian/tomcat6
lp:~james-page/ubuntu/natty/tomcat6/CVE-2011-3190
lp:~james-page/ubuntu/maverick/tomcat6/CVE-2011-3190
lp:~james-page/ubuntu/lucid/tomcat6/CVE-2011-3190
lp:~james-page/ubuntu/hardy/tomcat5.5/CVE-2011-3190
lp:~james-page/ubuntu/hardy/tomcat6/CVE-2011-3190
lp:ubuntu/hardy-security/tomcat5.5
lp:ubuntu/precise/tomcat6
lp:ubuntu/natty-security/tomcat6
lp:ubuntu/maverick-security/tomcat6
lp:ubuntu/lucid-security/tomcat6

CVE References

James Page (james-page)
visibility: private → public
Revision history for this message
James Page (james-page) wrote :

New upstream release sync for tomcat7 raised under bug 844745

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

tomcat7 was fixed in 7.0.21-1.

Changed in tomcat6 (Ubuntu):
status: New → Confirmed
Changed in tomcat7 (Ubuntu):
status: New → Confirmed
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.32-5ubuntu1

---------------
tomcat6 (6.0.32-5ubuntu1) oneiric; urgency=low

  * Added patch for CVE-2011-3190 (LP: #843701).
 -- James Page <email address hidden> Thu, 08 Sep 2011 14:45:34 +0100

Changed in tomcat6 (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
James Page (james-page) wrote :

Nominating for SRU in hardy (backports), lucid, maverick and natty

Revision history for this message
James Page (james-page) wrote :

Marked tasks for tomcat7 pre Oneiric as 'Invalid' as not present in earlier releases.

Changed in tomcat7 (Ubuntu Natty):
status: New → Invalid
Changed in tomcat7 (Ubuntu Maverick):
status: New → Invalid
Changed in tomcat7 (Ubuntu Lucid):
status: New → Invalid
Changed in tomcat7 (Ubuntu Hardy):
status: New → Invalid
Revision history for this message
James Page (james-page) wrote :

Branches linked with -security fixes for natty, maverick and lucid.

Revision history for this message
James Page (james-page) wrote :

Branch linked with -security fix for tomcat5.5 in hardy

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the branches. Tomcat6 updates have already been prepared by the security team, and are currently being tested.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors for the hardy tomcat5.5 update.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors since Marc is handling this as part of his update.

Changed in tomcat6 (Ubuntu Lucid):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat6 (Ubuntu Maverick):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat6 (Ubuntu Natty):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tomcat6 (Ubuntu Hardy):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Added tomcat5.5 task and re-subscribed ubuntu-security-sponsors since there's a tomcat5.5 branch linked here for sponsoring.

Changed in tomcat5.5 (Ubuntu Lucid):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Maverick):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Natty):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Oneiric):
status: New → Invalid
Changed in tomcat5.5 (Ubuntu Hardy):
status: New → Confirmed
Tyler Hicks (tyhicks)
Changed in tomcat6 (Ubuntu Hardy):
status: In Progress → Invalid
Changed in tomcat6 (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in tomcat6 (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in tomcat6 (Ubuntu Natty):
status: In Progress → Fix Committed
Tyler Hicks (tyhicks)
Changed in tomcat5.5 (Ubuntu Hardy):
assignee: nobody → Tyler Hicks (tyhicks)
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat5.5 - 5.5.25-5ubuntu1.3

---------------
tomcat5.5 (5.5.25-5ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: Apache Tomcat Authentication bypass and information
    disclosure (LP: #843701).
   - connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java: Prevent AJP
     request forgery via unread request body packet - upstream patch from Mark
     Thomas
   - http://svn.apache.org/viewvc?view=revision&revision=1162960
   - CVE-2011-3190
 -- James Page <email address hidden> Mon, 26 Sep 2011 11:42:02 +0100

Changed in tomcat5.5 (Ubuntu Hardy):
status: In Progress → Fix Released
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks again for the tomcat5.5 Hardy branch, James! As you probably noticed, I touched up the changelog a little bit to add in the upstream author and a link to the upstream patch. Everything else looked great and the updated package should now be available.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Removing ubuntu-security-sponsors. tomcat5.5 is processed and tomcat6 is pending in the security ppa.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-10ubuntu2.2

---------------
tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:27:14 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.5

---------------
tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * This package does _not_ contain the changes that were in
    6.0.28-2ubuntu1.3 in -proposed.
 -- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:48:20 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.9

---------------
tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden> Mon, 26 Sep 2011 11:53:28 -0400

Changed in tomcat6 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in tomcat6 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in tomcat6 (Ubuntu Natty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.