| Summary: | tomcat new security issues CVE-2016-6816 and CVE-2016-8735 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, geiger.david68210, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | has_procedure mga5-32-ok advisory MGA5-64-OK | ||
| Source RPM: | tomcat-8.0.38-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2016-11-22 17:24:26 CET

David Walser 2016-11-22 17:24:36 CET

Whiteboard: (none) => MGA5TOO

Freeze push requested for cauldron and fixed for mga5! Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own (CVE-2016-6816).

The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used (CVE-2016-8735).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735
http://openwall.com/lists/oss-security/2016/11/22/16
http://openwall.com/lists/oss-security/2016/11/22/17
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.73-1.mga5
tomcat-admin-webapps-7.0.73-1.mga5
tomcat-docs-webapp-7.0.73-1.mga5
tomcat-javadoc-7.0.73-1.mga5
tomcat-jsvc-7.0.73-1.mga5
tomcat-jsp-2.2-api-7.0.73-1.mga5
tomcat-lib-7.0.73-1.mga5
tomcat-servlet-3.0-api-7.0.73-1.mga5
tomcat-el-2.2-api-7.0.73-1.mga5
tomcat-webapps-7.0.73-1.mga5
tomcat-7.0.73-1.mga5.src.rpm

CC: (none) => geiger.david68210
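As an added illustration of the request-line issue the advisory describes for CVE-2016-6816, the following Python example (written for this page; it is not Tomcat's parser and not part of the bug report) shows what a strict request-line parser looks like: every byte outside printable ASCII, every doubled or misplaced separator, and every character outside the RFC 7230 grammar is refused before the request-target is interpreted, so a front proxy and the origin server cannot read the same line two different ways. It accepts only origin-form targets (`/path?query`); the helper names and the sample lines are constructed for the example.

```python
import re
from typing import Tuple

# RFC 7230 "tchar" alphabet for the method token.
_TCHAR_CLASS = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
METHOD_RE = re.compile(_TCHAR_CLASS + r"+")

# origin-form request-target: absolute-path [ "?" query ].
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"; the query
# additionally allows "/" and "?". Asterisk-form and absolute-form targets
# are deliberately not accepted by this example (assumption, not a Tomcat rule).
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
TARGET_RE = re.compile(r"/(?:" + _PCHAR + r"|/)*(?:\?(?:" + _PCHAR + r"|[/?])*)?")

# HTTP-version = "HTTP/" DIGIT "." DIGIT
VERSION_RE = re.compile(r"HTTP/[0-9]\.[0-9]")


class RequestLineError(ValueError):
    """Raised for any request line that does not match the strict grammar."""


def parse_request_line(raw: bytes) -> Tuple[str, str, str]:
    """Parse 'method SP request-target SP HTTP-version CRLF' strictly.

    Every byte that is not printable ASCII (0x21..0x7E) or one of the two
    single SP separators is rejected, so TAB, VT, FF, bare CR/LF and high-bit
    bytes never reach the URI parser. Returns (method, target, version).
    """
    if not raw.endswith(b"\r\n"):
        raise RequestLineError("request line must be terminated by CRLF")
    line = raw[:-2]
    for b in line:
        if b != 0x20 and not 0x21 <= b <= 0x7E:
            raise RequestLineError(f"invalid byte 0x{b:02x} in request line")
    # Splitting on a single SP yields empty fields for doubled, leading or
    # trailing spaces, which the field-count check below rejects.
    parts = line.split(b" ")
    if len(parts) != 3:
        raise RequestLineError("request line must be exactly: method SP target SP version")
    method, target, version = (p.decode("ascii") for p in parts)
    if not METHOD_RE.fullmatch(method):
        raise RequestLineError(f"invalid method token: {method!r}")
    if not TARGET_RE.fullmatch(target):
        raise RequestLineError(f"invalid character in request-target: {target!r}")
    if not VERSION_RE.fullmatch(version):
        raise RequestLineError(f"invalid HTTP-version: {version!r}")
    return method, target, version


def is_valid_request_line(raw: bytes) -> bool:
    """Convenience predicate, e.g. for filtering captured request lines."""
    try:
        parse_request_line(raw)
        return True
    except RequestLineError:
        return False


if __name__ == "__main__":
    # Constructed sample lines: the first two are well-formed; the others carry
    # the kinds of bytes and separators a lenient parser would have let through.
    samples = [
        b"GET /sample/ HTTP/1.1\r\n",
        b"GET /examples/jsp/?x=1&y=%20 HTTP/1.0\r\n",
        b"GET /sample/\tx HTTP/1.1\r\n",
        b"GET /sample/  HTTP/1.1\r\n",
        b"GET /sample/\x0bx HTTP/1.1\r\n",
        "GET /caf\u00e9 HTTP/1.1\r\n".encode("utf-8"),
        b"GET /sample/ HTTP/1.1\n",
    ]
    for s in samples:
        verdict = "accepted" if is_valid_request_line(s) else "rejected"
        print(f"{s!r:45} -> {verdict}")
```

The design point is that rejection happens on the raw bytes before any decoding or path normalisation: a parser that first builds a string and only then validates it is exactly where lenient and strict implementations start to disagree, which is the precondition for the proxy/server mismatch the advisory describes.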
David Walser 2016-12-01 16:03:00 CET

Whiteboard: (none) => has_procedure

The following 41 packages are going to be installed:
- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.i586
- apache-commons-daemon-jsvc-1.0.15-5.mga5.i586
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-logging-1.1.3-8.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- copy-jdk-configs-1.2-1.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jms-1.1.1-16.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- jakarta-taglibs-standard-1.1.2-15.mga5.noarch
- java-1.8.0-openjdk-1.8.0.111-1.b16.1.mga5.i586
- java-1.8.0-openjdk-headless-1.8.0.111-1.b16.1.mga5.i586
- javamail-1.5.1-1.mga5.noarch
- javapackages-tools-4.1.0-15.1.mga5.noarch
- liblog4j12-java-1.2.17-7.mga5.noarch
- libsctp1-1.0.11-5.mga5.i586
- lksctp-tools-1.0.11-5.mga5.i586
- lua-5.2.3-6.mga5.i586
- lua-posix-33.3.1-1.mga5.i586
- python-javapackages-4.1.0-15.1.mga5.noarch
- python-lxml-3.3.6-4.mga5.i586
- python-pyxb-1.2.3-4.mga5.noarch
- rootcerts-java-20160922.00-1.mga5.noarch
- timezone-java-2016i-4.mga5.noarch
- tomcat-7.0.73-1.mga5.noarch
- tomcat-admin-webapps-7.0.73-1.mga5.noarch
- tomcat-docs-webapp-7.0.73-1.mga5.noarch
- tomcat-el-2.2-api-7.0.73-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.73-1.mga5.noarch
- tomcat-jsvc-7.0.73-1.mga5.noarch
- tomcat-lib-7.0.73-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.73-1.mga5.noarch
- tomcat-webapps-7.0.73-1.mga5.noarch
- x11-font-bitstream-type1-1.0.3-5.mga5.noarch
- x11-font-type1-1.0.0-12.mga5.noarch
- x11-font-xfree86-type1-1.0.4-5.mga5.noarch
- xalan-j2-2.7.1-10.mga5.noarch
- xerces-j2-2.11.0-14.1.mga5.noarch
- xml-commons-apis-1.4.01-18.mga5.noarch
- xml-commons-resolver-1.2-16.mga5.noarch
193MB of additional disk space will be used.
47MB of packages will be retrieved.
Is it ok to continue?

Rebooted my VM.

```
$ ps -ef | grep tomcat
tomcat    1338     1  6 20:56 ?        00:00:16 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
```

From firefox: http://127.0.0.1:8080/sample/ displaying the JSP and servlet pages fine.

CC: (none) => brtians1

Advisory uploaded.

CC: (none) => lewyssmith

Testing MGA5 x64

Both CVEs currently just Reserved; I could find no test case.

Updated existing tomcat installation to:
tomcat-7.0.73-1.mga5
tomcat-admin-webapps-7.0.73-1.mga5
tomcat-el-2.2-api-7.0.73-1.mga5
tomcat-jsp-2.2-api-7.0.73-1.mga5
tomcat-lib-7.0.73-1.mga5
tomcat-servlet-3.0-api-7.0.73-1.mga5
tomcat-webapps-7.0.73-1.mga5

/etc/tomcat/tomcat-users.xml

```xml
...
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
...
<role rolename="manager-gui"/>
<user username="***" password="***" roles="manager-gui"/>
...
```

http://localhost:8080/
Showed the correct Tomcat home page: "Apache Tomcat/7.0.73 If you're seeing this, you've successfully installed Tomcat. Congratulations!"

The 'Server status' link from that, http://localhost:8080/manager/status, showed a correct "Server Status" page.

The 'Manager app' link on the home page, http://localhost:8080/manager/html, asked for [implied "manager-gui"] username/password login, then showed a good "Tomcat Web Application Manager" page which includes the two test links:
http://localhost:8080/sample/
http://localhost:8080/examples/
which both worked. Of the examples I tried a lot, OK as far as I could see.

OKing & validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0417.html

Status: NEW => RESOLVED