Bug 19672 - tomcat new security issues CVE-2016-0762, CVE-2016-5018, CVE-2016-679[467]
Summary: tomcat new security issues CVE-2016-0762, CVE-2016-5018, CVE-2016-679[467]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/705822/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Duplicates: 19560
Depends on:
Blocks:
Reported: 2016-10-27 15:32 CEST by David Walser
Modified: 2016-11-07 18:38 CET

See Also:
Source RPM: tomcat-7.0.68-1.3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-10-27 15:32:43 CEST
Upstream has announced several security issues fixed in Tomcat:
http://openwall.com/lists/oss-security/2016/10/27/7
http://openwall.com/lists/oss-security/2016/10/27/8
http://openwall.com/lists/oss-security/2016/10/27/9
http://openwall.com/lists/oss-security/2016/10/27/10
http://openwall.com/lists/oss-security/2016/10/27/11

The issues are fixed upstream in 7.0.72.

They were also fixed in 8.0.37, and Cauldron has 8.0.38, so it's fine.
Comment 1 David GEIGER 2016-10-27 20:47:39 CEST
Fixed! Updating to 7.0.72
Comment 2 David Walser 2016-10-29 17:03:07 CEST
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The Realm implementations did not process the supplied password if the
supplied user name did not exist. This made a timing attack possible to
determine valid user names. Note that the default configuration includes
the LockOutRealm which makes exploitation of this vulnerability harder
(CVE-2016-0762).

A malicious web application was able to bypass a configured SecurityManager
via a Tomcat utility method that was accessible to web applications
(CVE-2016-5018).

It was discovered that the Tomcat packages installed the configuration file
/usr/lib/tmpfiles.d/tomcat.conf as writeable to the tomcat group. A member of the
group or a malicious web application deployed on Tomcat could use this flaw to
escalate their privileges (CVE-2016-5425).

It was discovered that the Tomcat packages installed certain configuration
files read by the Tomcat initialization script as writeable to the tomcat
group. A member of the group or a malicious web application deployed on Tomcat
could use this flaw to escalate their privileges (CVE-2016-6325).

When a SecurityManager is configured, a web application's ability to read
system properties should be controlled by the SecurityManager. Tomcat's system
property replacement feature for configuration files could be used by a
malicious web application to bypass the SecurityManager and read system
properties that should not be visible (CVE-2016-6794).

A malicious web application was able to bypass a configured SecurityManager
via manipulation of the configuration parameters for the JSP Servlet
(CVE-2016-6796).

The ResourceLinkFactory did not limit web application access to global JNDI
resources to those resources explicitly linked to the web application.
Therefore, it was possible for a web application to access any global JNDI
resource whether an explicit ResourceLink had been configured or not
(CVE-2016-6797).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797
http://openwall.com/lists/oss-security/2016/10/27/7
http://openwall.com/lists/oss-security/2016/10/27/8
http://openwall.com/lists/oss-security/2016/10/27/9
http://openwall.com/lists/oss-security/2016/10/27/10
http://openwall.com/lists/oss-security/2016/10/27/11
https://rhn.redhat.com/errata/RHSA-2016-2046.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.72-1.mga5
tomcat-admin-webapps-7.0.72-1.mga5
tomcat-docs-webapp-7.0.72-1.mga5
tomcat-javadoc-7.0.72-1.mga5
tomcat-jsvc-7.0.72-1.mga5
tomcat-jsp-2.2-api-7.0.72-1.mga5
tomcat-lib-7.0.72-1.mga5
tomcat-servlet-3.0-api-7.0.72-1.mga5
tomcat-el-2.2-api-7.0.72-1.mga5
tomcat-webapps-7.0.72-1.mga5

from tomcat-7.0.72-1.mga5.src.rpm

Assignee: geiger.david68210 => qa-bugs
Severity: normal => critical
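A Python model of the Realm behaviour described in the advisory above (CVE-2016-0762), added here as an illustration; it is not Tomcat's code. The dummy credential, the PBKDF2 parameters and the sample user table are assumptions, and the number of digests computed stands in for the wall-clock time an attacker would measure.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor; any slow digest shows the effect


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user table: name -> (salt, digest).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _digest("correct horse", _SALT))}

# Dummy credential verified when the user is unknown, so the expensive digest
# runs on every path. Its password is random, so it can never match.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _digest(os.urandom(16).hex(), _DUMMY_SALT)


class Realm:
    def __init__(self, users, constant_work: bool):
        self.users = users
        self.constant_work = constant_work  # False models the vulnerable realm
        self.digests_computed = 0           # proxy for elapsed time

    def _check(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.digests_computed += 1
        return hmac.compare_digest(_digest(password, salt), expected)

    def authenticate(self, username: str, password: str) -> bool:
        entry = self.users.get(username)
        if entry is None:
            if self.constant_work:
                # Fixed behaviour: pay for one digest anyway; result discarded.
                self._check(password, _DUMMY_SALT, _DUMMY_DIGEST)
            # Vulnerable behaviour: return here without touching the password,
            # so unknown names answer measurably faster than known ones.
            return False
        return self._check(password, *entry)


def digest_work(realm: Realm, username: str, password: str) -> int:
    """Number of digests one login attempt cost; equal across user names
    in the fixed realm, zero for unknown names in the vulnerable one."""
    before = realm.digests_computed
    realm.authenticate(username, password)
    return realm.digests_computed - before
```

Comparing digest_work for an unknown and a known name on each realm shows why the vulnerable realm leaks which user names exist.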

Comment 3 David Walser 2016-10-29 17:03:32 CEST
*** Bug 19560 has been marked as a duplicate of this bug. ***
Comment 4 Lewis Smith 2016-10-29 21:28:21 CEST
Tested Mageia 5 x64, all data from the duplicate bug:
 https://bugs.mageia.org/show_bug.cgi?id=19560
and particularly Comments 9, 10 and 13, where Len found a PoC and demonstrated that the update fixes that problem. Many thanks for that.

That other bug shows that the web interface
 http://localhost:8080/
samples
 http://localhost:8080/sample
& tests
 http://localhost:8080/examples
work (mostly) after suitable adaptation of the config file
 /etc/tomcat/tomcat-users.xml
as per the test link given: "uncomment the users, adding manager-gui role to one of them". I added:
 <role rolename="manager-gui"/>
 <user username="[...]" password="[...]" roles="manager-gui"/>

The only doubt was the lack of 'logout' from the manage page. Returning to the "Manager App" button on the main entry page, which on first usage asks for user & password login, subsequently often goes straight to the manage page *without* the login. However, re-trying this after a reboot, it did not happen. Nor with Firefox now after simply restarting the browser.
So I count this a red herring, and OK this for 64-bit.

@Len : were any of your tests on 32-bit? If so, please OK that.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Comment 5 Len Lawrence 2016-10-30 02:02:01 CET
@lewis : no, I gave up on it when I could no longer switch roles.

CC: (none) => tarazed25

Comment 6 Lewis Smith 2016-11-01 20:54:34 CET
Advisory uploaded.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 7 Herman Viaene 2016-11-04 10:29:29 CET
MGA5-32 on Acer D620 Xfce
No installation issues
Completed tests as indicated in Comment 4, no remarks to be added.

CC: (none) => herman.viaene
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK MGA-5-32-OK advisory

Herman Viaene 2016-11-04 10:30:19 CET

Whiteboard: MGA5-64-OK MGA-5-32-OK advisory => MGA5-64-OK MGA5-32-OK advisory

Comment 8 Lewis Smith 2016-11-04 20:27:31 CET
Validating. Advisory already in place.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2016-11-04 23:30:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0367.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-11-07 18:38:54 CET

URL: (none) => http://lwn.net/Vulnerabilities/705822/