Re: [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

[Henri Salo <henri () nerv fi>]

On Wed, Aug 31, 2011 at 01:22:51PM +0300, Henri Salo wrote:
> On Mon, Aug 29, 2011 at 08:52:00PM +0100, Mark Thomas wrote:
> > CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
> >
> > Severity: Important
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected:
> > - Tomcat 7.0.0 to 7.0.20
> > - Tomcat 6.0.0 to 6.0.33
> > - Tomcat 5.5.0 to 5.5.33
> > - Earlier, unsupported versions may also be affected
> >
> > Description:
> > Apache Tomcat supports the AJP protocol which is used with reverse
> > proxies to pass requests and associated data about the request from the
> > reverse proxy to Tomcat. The AJP protocol is designed so that when a
> > request includes a request body, an unsolicited AJP message is sent to
> > Tomcat that includes the first part (or possibly all) of the request
> > body. In certain circumstances, Tomcat did not process this message as a
> > request body but as a new request. This permitted an attacker to have
> > full control over the AJP message which allowed an attacker to (amongst
> > other things):
> > - insert the name of an authenticated user
> > - insert any client IP address (potentially bypassing any client IP
> > address filtering)
> > - trigger the mixing of responses between users
> >
> > The following AJP connector implementations are not affected:
> > org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)
> >
> > The following AJP connector implementations are affected:
> >
> > org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
> > org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
> > org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)
> >
> > Further, this issue only applies if all of the following are are true
> > for at least one resource:
> > - POST requests are accepted
> > - The request body is not processed
> >
> >
> > Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
> >
> > Mitigation:
> > Users of affected versions should apply one of the following mitigations:
> > - Upgrade to a version of Apache Tomcat that includes a fix for this
> > issue when available
> > - Apply the appropriate patch
> >   - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
> >   - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
> >   - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
> > - Configure the reverse proxy and Tomcat's AJP connector(s) to use the
> > requiredSecret attribute
> > - Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not
> > available for Tomcat 7.0.x)
> >
> > Credit:
> > The issue was reported via Apache Tomcat's public issue tracker.
> > The Apache Tomcat security team strongly discourages reporting of
> > undisclosed vulnerabilities via public channels. All Apache Tomcat
> > security vulnerabilities should be reported to the private security team
> > mailing list: security () tomcat apache org
> >
> > References:
> > http://tomcat.apache.org/security.html
> > http://tomcat.apache.org/security-7.html
> > http://tomcat.apache.org/security-6.html
> > http://tomcat.apache.org/security-5.html
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>
> Do you have any information when the supported security release is going to be announced? Patching production using 
> diff from SVN is not usually very nice :)
>
> Best regards,
> Henri Salo

Version 7.0.21 is available:

http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/download-70.cgi

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/