| Summary: | tomcat new security issues CVE-2016-0762, CVE-2016-5018, CVE-2016-679[467] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/705822/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | tomcat-7.0.68-1.3.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-10-27 15:32:43 CEST
Fixed! updating to 7.0.72 Thanks David! Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17 Advisory: ======================== Updated tomcat packages fix security vulnerability: The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder (CVE-2016-0762). A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications (CVE-2016-5018). It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges (CVE-2016-5425). It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges (CVE-2016-6325). When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible (CVE-2016-6794). A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet (CVE-2016-6796). The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not (CVE-2016-6797). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6325 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797 http://openwall.com/lists/oss-security/2016/10/27/7 http://openwall.com/lists/oss-security/2016/10/27/8 http://openwall.com/lists/oss-security/2016/10/27/9 http://openwall.com/lists/oss-security/2016/10/27/10 http://openwall.com/lists/oss-security/2016/10/27/11 https://rhn.redhat.com/errata/RHSA-2016-2046.html ======================== Updated packages in core/updates_testing: ======================== tomcat-7.0.72-1.mga5 tomcat-admin-webapps-7.0.72-1.mga5 tomcat-docs-webapp-7.0.72-1.mga5 tomcat-javadoc-7.0.72-1.mga5 tomcat-jsvc-7.0.72-1.mga5 tomcat-jsp-2.2-api-7.0.72-1.mga5 tomcat-lib-7.0.72-1.mga5 tomcat-servlet-3.0-api-7.0.72-1.mga5 tomcat-el-2.2-api-7.0.72-1.mga5 tomcat-webapps-7.0.72-1.mga5 from tomcat-7.0.72-1.mga5.src.rpm Assignee:
geiger.david68210 =>
qa-bugs *** Bug 19560 has been marked as a duplicate of this bug. *** Tested Mageia 5 x64, all data from the duplicate bug: https://bugs.mageia.org/show_bug.cgi?id=19560 and particularly Comment 9 Comment 10 Comment 13 where Len found a PoC and demonstrated that the update fixes that problem. Many thanks for that. That other bug shows that the web interface http://localhost:8080/ samples http://localhost:8080/sample & tests http://localhost:8080/examples work (mostly) after suitable adaptation of the config file /etc/tomcat/tomcat-users.xml as per the test link given: "uncomment the users, adding manager-gui role to one of them". I added: <role rolename="manager-gui"/> <user username="[...]" password="[...]" roles="manager-gui"/> The only doubt was the lack of 'logout' from the manage page. Returning to the "Manager App" button on the main entry page, which on first usage asks for user & password login, subsequently often goes straight to the manage page *without* the login. However, re-trying this after a re-boot, it did not happen. Nor with Firefox now after simply re-starting the browser. So I count this a red herring, and OK this for 64-bit. @Len : were any of your tests on 32-bit? If so, please OK that. CC:
(none) =>
lewyssmith @lewis : no, I gave up on it when I could no longer switch roles. CC:
(none) =>
tarazed25 Advisory uploaded. Whiteboard:
MGA5-64-OK =>
MGA5-64-OK advisory MGA5-32 on Acer D620 Xfce No installation issues Completed tests as indicated in Comment 4, no remarks to be added. CC:
(none) =>
herman.viaene
Herman Viaene
2016-11-04 10:30:19 CET
Whiteboard:
MGA5-64-OK MGA-5-32-OK advisory =>
MGA5-64-OK MGA5-32-OK advisory Validating. Advisory already in place. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0367.html Status:
NEW =>
RESOLVED
David Walser
2016-11-07 18:38:54 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/705822/ |