Bug 23045

Summary: tomcat new security issues CVE-2018-1336, CVE-2018-8014, CVE-2018-8034
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, herman.viaene, lewyssmith, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: tomcat-8.0.50-1.mga6.src.rpm CVE:
Status comment: Fixed upstream in 8.0.53

Description David Walser 2018-05-17 13:37:14 CEST 
A security issue in Tomcat has been announced on May 16:
http://openwall.com/lists/oss-security/2018/05/16/7
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53

The issue will be fixed when 7.0.89 and 8.0.53 are released.

Mageia 5 and Mageia 6 are also affected (but we don't need to update 5).

This is a minor issue, so we don't need to update it right away.
David Walser 2018-05-17 13:37:35 CEST

Status comment: (none) => Fixed upstream in 8.0.53
Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-08-02 15:44:14 CEST 
Ubuntu has issued an advisory on July 25:
https://usn.ubuntu.com/3723-1/

It lists two more security issues fixed in 8.0.52 and 8.0.53.

They are listed on upstream's security page now too.

Severity: normal => major
Summary: tomcat new security issue CVE-2018-8014 => tomcat new security issues CVE-2018-1336, CVE-2018-8014, CVE-2018-8034

Comment 2 David Walser 2018-10-17 23:03:38 CEST 
RedHat has issued an advisory for CVE-2018-1336 on October 16:
https://access.redhat.com/errata/RHSA-2018:2921

Severity: major => critical

Comment 3 David Walser 2018-10-26 19:11:53 CEST 
Upstream says that CVE-2018-11784 only affects 7.0.x and 8.5.x, but Ubuntu and openSUSE have issued advisories for it for 8.0.x:
https://usn.ubuntu.com/3787-1/
https://lists.opensuse.org/opensuse-updates/2018-10/msg00186.html
Comment 4 David GEIGER 2018-12-07 18:11:37 CET 
Fixed for mga6! and I think too for Cauldron with tomcat 9.0.10!

CC: (none) => geiger.david68210

Comment 5 David Walser 2018-12-07 18:34:48 CET 
I see you patched CVE-2018-11784, but we still need to update to 8.0.53 to fix the other issues.
Comment 6 David GEIGER 2018-12-07 19:20:48 CET 
So updated to 8.0.53 for mga6
Comment 7 David Walser 2018-12-07 19:30:32 CET 
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

An improper handing of overflow in the UTF-8 decoder with supplementary
characters can lead to an infinite loop in the decoder causing a Denial of
Service (CVE-2018-1336).

The defaults settings for the CORS filter are insecure and enable
supportsCredentials for all origins. It is expected that users of the CORS
filter will have configured it appropriately for their environment rather than
using it in the default configuration. Therefore, it is expected that most
users will not be impacted by this issue (CVE-2018-8014).

The host name verification when using TLS with the WebSocket client was missing.
It is now enabled by default (CVE-2018-8034).

When the default servlet returned a redirect to a directory (e.g. redirecting
to /foo/ when the user requested /foo) a specially crafted URL could be used
to cause the redirect to be generated to any URI of the attackers choice
(CVE-2018-11784).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.52
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34
========================

Updated packages in core/updates_testing:
========================
tomcat-8.0.53-1.mga6
tomcat-admin-webapps-8.0.53-1.mga6
tomcat-docs-webapp-8.0.53-1.mga6
tomcat-javadoc-8.0.53-1.mga6
tomcat-jsvc-8.0.53-1.mga6
tomcat-jsp-2.3-api-8.0.53-1.mga6
tomcat-lib-8.0.53-1.mga6
tomcat-servlet-3.1-api-8.0.53-1.mga6
tomcat-el-3.0-api-8.0.53-1.mga6
tomcat-webapps-8.0.53-1.mga6

from tomcat-8.0.53-1.mga6.src.rpm

Version: Cauldron => 6
Keywords: (none) => has_procedure
Assignee: java => qa-bugs
Whiteboard: MGA6TOO => (none)

Comment 8 Herman Viaene 2018-12-08 11:45:12 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
After editing /etc/tomcat/tomcat-users.xml and uncomment the users, adding manager-gui role to the user tomcat. Then at CLI:
# systemctl start tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: enabled)
   Active: active (running) since za 2018-12-08 11:34:11 CET; 19s ago
 Main PID: 23386 (java)
   CGroup: /system.slice/tomcat.service
           └─23386 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.B

Then browse http://localhost:8080/sample and http://localhost:8080/examples and click the links.

Also browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role.

All seems ok.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 9 Lewis Smith 2018-12-08 20:06:53 CET 
Thanks Herman. Validating, advisory from comment 7.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 10 Mageia Robot 2018-12-09 22:21:41 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0479.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED