| Summary: | tomcat new security issue CVE-2017-7674 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | geiger.david68210, lewyssmith, mageia, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | tomcat-8.0.44-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-09-16 04:45:45 CEST
David Walser
2017-09-16 04:46:00 CEST
CC: (none) => mageia

Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances (CVE-2017-7674).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/
========================

Updated packages in core/updates_testing:
========================

tomcat-7.0.81-1.mga5
tomcat-admin-webapps-7.0.81-1.mga5
tomcat-docs-webapp-7.0.81-1.mga5
tomcat-javadoc-7.0.81-1.mga5
tomcat-jsvc-7.0.81-1.mga5
tomcat-jsp-2.2-api-7.0.81-1.mga5
tomcat-lib-7.0.81-1.mga5
tomcat-servlet-3.0-api-7.0.81-1.mga5
tomcat-el-2.2-api-7.0.81-1.mga5
tomcat-webapps-7.0.81-1.mga5

tomcat-8.0.46-1.mga6
tomcat-admin-webapps-8.0.46-1.mga6
tomcat-docs-webapp-8.0.46-1.mga6
tomcat-javadoc-8.0.46-1.mga6
tomcat-jsvc-8.0.46-1.mga6
tomcat-jsp-2.3-api-8.0.46-1.mga6
tomcat-lib-8.0.46-1.mga6
tomcat-servlet-3.1-api-8.0.46-1.mga6
tomcat-el-3.0-api-8.0.46-1.mga6
tomcat-webapps-8.0.46-1.mga6

from SRPMS:
tomcat-7.0.81-1.mga5.src.rpm
tomcat-8.0.46-1.mga6.src.rpm
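The advisory above says the missing Vary header permitted cache poisoning. The following added example (not from this bug report, Mageia or Tomcat) simulates a Vary-aware shared cache to show how an Origin-echoing CORS response without "Vary: Origin" gets handed to a different origin, and gives a header check a defender can run over captured response headers. Every request, response and origin name in it is constructed; it does not talk to a Tomcat server.

```python
# Added example (not from the bug report, Mageia or Tomcat): a simulated
# Vary-aware shared cache showing why an Origin-echoing CORS response must
# carry "Vary: Origin". All requests, responses and origins are constructed.
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]
Cache = Dict[Tuple, Headers]

def vary_fields(response: Headers) -> Tuple[str, ...]:
    """Header names listed in the response's Vary header, lower-cased."""
    return tuple(h.strip().lower() for h in response.get("vary", "").split(",") if h.strip())

def cache_key(request: Headers, response: Headers) -> Tuple:
    """Key as a Vary-aware cache forms it (RFC 7234, section 4.1): the URL plus
    the request's value of every header the stored response's Vary names."""
    return (request["url"],) + tuple((h, request.get(h, "")) for h in vary_fields(response))

def cache_lookup(cache: Cache, request: Headers) -> Optional[Headers]:
    """Return a stored response whose Vary'd header values match this request."""
    for key, resp in cache.items():
        if key == cache_key(request, resp):
            return resp
    return None

def cors_filter(request: Headers, add_vary: bool) -> Headers:
    """Origin-echoing CORS filter; add_vary=False mimics the unfixed behaviour."""
    resp = {"access-control-allow-origin": request.get("origin", "")}
    if add_vary:
        resp["vary"] = "Origin"
    return resp

def acao_seen_by_second_origin(add_vary: bool) -> str:
    """ACAO value https://b.example receives after https://a.example primed the cache."""
    cache: Cache = {}
    for origin in ("https://a.example", "https://b.example"):
        req = {"url": "/api/data", "origin": origin}
        hit = cache_lookup(cache, req)
        if hit is None:  # miss: ask the origin server, then store the reply
            hit = cors_filter(req, add_vary)
            cache[cache_key(req, hit)] = hit
        resp = hit
    return resp["access-control-allow-origin"]

def missing_vary_origin(response: Headers) -> bool:
    """Defender check: response echoes a specific origin but lacks Vary: Origin."""
    acao = response.get("access-control-allow-origin")
    if acao is None or acao == "*":
        return False
    return not {"origin", "*"} & set(vary_fields(response))
```

Without Vary the second origin is served the first origin's cached ACAO; with "Vary: Origin" the cache keeps one entry per Origin value.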
CC: (none) => geiger.david68210

Testing M6/64

Already has Tomcat installed, so updated to:
tomcat-webapps-7.0.81-1.mga5
tomcat-lib-7.0.81-1.mga5
tomcat-el-2.2-api-7.0.81-1.mga5
tomcat-7.0.81-1.mga5
tomcat-servlet-3.0-api-7.0.81-1.mga5
tomcat-admin-webapps-7.0.81-1.mga5
tomcat-jsp-2.2-api-7.0.81-1.mga5

This time I ensured that my defined user could do both these roles in /etc/tomcat/tomcat-users.xml:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="<usr>" password="<password>" roles="manager-gui,admin-gui"/>

Using https://bugs.mageia.org/show_bug.cgi?id=21131#c7 as a reference:
# systemctl restart tomcat
http://localhost:8080/ showed the "Apache Tomcat/7.0.81" page.
http://localhost:8080/manager/status [= server status link on home page] asks for the 'manager-gui' username/password, then shows a valid "Server Status" page.
http://localhost:8080/manager/html [= Manager App link on home page] shows the "Tomcat Web Application Manager" page, including the test links:
http://localhost:8080/sample/
http://localhost:8080/examples/
Tried many of these, all worked.
http://localhost:8080/host-manager/html shows the "Tomcat Virtual Host Manager" page.
Everything looks OK.
Keywords: (none) => advisory

Testing M6/64

BEFORE update:
Installed as issued:
tomcat-el-3.0-api-8.0.44-1.mga6
tomcat-8.0.44-1.mga6
tomcat-webapps-8.0.44-1.mga6
tomcat-lib-8.0.44-1.mga6
tomcat-servlet-3.1-api-8.0.44-1.mga6
tomcat-jsvc-8.0.44-1.mga6
tomcat-jsp-2.3-api-8.0.44-1.mga6
tomcat-admin-webapps-8.0.44-1.mga6

The installation of tomcat itself showed:
"Failed to open 'tomcat.conf': No such file or directory"
which does not matter, but is not encouraging.

Edited /etc/tomcat/tomcat-users.xml:
<role rolename="admin-gui"/> [uncomment]
<role rolename="manager-gui"/> [uncomment]
<user username="..." password="..." roles="manager-gui,admin-gui"/>

# systemctl restart tomcat
http://localhost:8080/ -> "Apache Tomcat/8.0.44" page.
Tried a couple of the top-right buttons; they asked for the user/password, and that worked.

----------------------------------
AFTER update:
tomcat-jsvc-8.0.46-1.mga6
tomcat-jsp-2.3-api-8.0.46-1.mga6
tomcat-el-3.0-api-8.0.46-1.mga6
tomcat-admin-webapps-8.0.46-1.mga6
tomcat-lib-8.0.46-1.mga6
tomcat-8.0.46-1.mga6
tomcat-servlet-3.1-api-8.0.46-1.mga6
tomcat-webapps-8.0.46-1.mga6

http://localhost:8080/ -> "Apache Tomcat/8.0.46" home page.
- Server Status -> "Server Status" page, looks sensible.
- Manager App -> "Tomcat Web Application Manager" page; see below.
- Host Manager -> "Tomcat Virtual Host Manager" page, seems OK.
I had not re-started the Tomcat server. It is variable whether you get asked for username/password; sometimes it seems to remember it.

The direct links:
http://localhost:8080/manager/status
http://localhost:8080/manager/html
http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

From the "Tomcat Web Application Manager" page I tried various of the many examples, most of which worked. A few did not, of the form:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
but I do not think this invalidates the update. They probably did not work before.

OKing & validating.
Keywords: (none) => validated_update

Please update the advisory in SVN. 7.0.81 fixes an additional CVE:
http://openwall.com/lists/oss-security/2017/09/19/2

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances (CVE-2017-7674).

When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request (CVE-2017-12616).

Note that CVE-2017-12616 only affected tomcat 7 in Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/
Keywords: advisory => (none)

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0352.html
Status: NEW => RESOLVED

This update also fixed CVE-2017-12615 in tomcat 7 on Mageia 5.

This update also fixed CVE-2017-12616 in tomcat 7:
https://usn.ubuntu.com/3665-1/