Bug 19828 - tomcat new security issues CVE-2016-6816 and CVE-2016-8735
Summary: tomcat new security issues CVE-2016-6816 and CVE-2016-8735
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure mga5-32-ok advisory MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-22 17:24 CET by David Walser
Modified: 2016-12-11 23:44 CET (History)
CC List: 4 users

See Also:
Source RPM: tomcat-8.0.38-1.mga6.src.rpm
CVE:
Status comment:


Attachments

David Walser 2016-11-22 17:24:36 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David GEIGER 2016-12-01 15:57:42 CET
Freeze push requested for cauldron and fixed for mga5!
Comment 2 David Walser 2016-12-01 16:02:54 CET
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The code that parsed the HTTP request line permitted invalid characters. This
could be exploited, in conjunction with a proxy that also permitted the invalid
characters but with a different interpretation, to inject data into the HTTP
response. By manipulating the HTTP response the attacker could poison a
web-cache, perform an XSS attack and/or obtain sensitive information from
requests other than their own (CVE-2016-6816).

The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix
for CVE-2016-3427. Therefore, Tomcat installations using this listener remained
vulnerable to a similar remote code execution vulnerability. This issue has been
rated as important rather than critical due to the small number of installations
using this listener and that it would be highly unusual for the JMX ports to be
accessible to an attacker even when the listener is used (CVE-2016-8735).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735
http://openwall.com/lists/oss-security/2016/11/22/16
http://openwall.com/lists/oss-security/2016/11/22/17
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.73-1.mga5
tomcat-admin-webapps-7.0.73-1.mga5
tomcat-docs-webapp-7.0.73-1.mga5
tomcat-javadoc-7.0.73-1.mga5
tomcat-jsvc-7.0.73-1.mga5
tomcat-jsp-2.2-api-7.0.73-1.mga5
tomcat-lib-7.0.73-1.mga5
tomcat-servlet-3.0-api-7.0.73-1.mga5
tomcat-el-2.2-api-7.0.73-1.mga5
tomcat-webapps-7.0.73-1.mga5

tomcat-7.0.73-1.mga5.src.rpm

CC: (none) => geiger.david68210
Version: Cauldron => 5
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA5TOO => (none)
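The advisory quoted in comment 2 describes two separate problems: a request-line parser that tolerated invalid characters (CVE-2016-6816), which only becomes dangerous when a proxy in front of Tomcat tolerates the same characters but interprets them differently, and a JmxRemoteLifecycleListener that exposes the RMI ports it opens (CVE-2016-8735). The script below is an added example written for this bug page; it is not Tomcat code and not the upstream fix. It shows the defender's side of both: a strict RFC 7230 request-line check that rejects anything a lenient parser might "repair", run over constructed sample lines, and a small server.xml audit that reports whether the JMX listener is configured and on which ports. The request lines, the server.xml fragment and the port numbers are all constructed for the example; the listener class name and its rmiRegistryPortPlatform / rmiServerPortPlatform attributes are the ones Tomcat documents.

```python
"""Defensive checks for the two issues in the advisory above (added example)."""
import re
import xml.etree.ElementTree as ET

# RFC 7230 "tchar": the only characters allowed in an HTTP method token.
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
VERSION_RE = re.compile(r"^HTTP/[0-9]\.[0-9]$")


def validate_request_line(line: bytes):
    """Strict check of one request line (without its terminating CRLF).
    Returns (ok, reason). Anything a lenient parser might silently accept
    (controls, bare CR/LF, tabs, extra spaces, non-ASCII) is rejected, so a
    proxy and the origin behind it cannot disagree about where the line ends."""
    if any(b < 0x20 or b == 0x7F for b in line):
        return False, "control character (incl. CR/LF/TAB) in request line"
    if any(b >= 0x80 for b in line):
        return False, "non-ASCII byte in request line"
    parts = line.split(b" ")
    if len(parts) != 3:
        return False, "request line is not exactly METHOD SP target SP version"
    method, target, version = parts
    if not method or any(chr(b) not in TCHAR for b in method):
        return False, "method contains a non-token character"
    if not target:
        return False, "empty request-target"
    if not VERSION_RE.match(version.decode("ascii")):
        return False, "malformed HTTP-version"
    return True, "ok"


# Constructed sample lines for the example, not captured traffic.
SAMPLE_REQUEST_LINES = [
    b"GET /index.html HTTP/1.1",          # well formed
    b"GET /%0d%0a HTTP/1.1",              # percent-encoded CR/LF stays encoded: well formed
    b"GET /index.html\x0bHTTP/1.1",       # vertical tab where SP is required
    b"GET /a b HTTP/1.1",                 # extra SP: four fields instead of three
    b"GET / HTTP/1.1\r",                  # stray CR left inside the line
    b"G{}T / HTTP/1.1",                   # '{' and '}' are not tchar
    "GET /caf\u00e9 HTTP/1.1".encode(),   # non-ASCII bytes in the target
]


def audit_request_lines(lines=SAMPLE_REQUEST_LINES):
    """Map each line to its verdict; usable for replaying lines from an access log."""
    return {line: validate_request_line(line)[0] for line in lines}


JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Constructed server.xml fragment (assumed for the example, not a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  <Service name="Catalina"/>
</Server>"""


def find_jmx_remote_listeners(server_xml: str):
    """Return the attribute dict of every JmxRemoteLifecycleListener in server.xml.
    An empty list means the CVE-2016-8735 code path is not configured at all;
    a non-empty list tells you which RMI ports must be firewalled and which
    installations must receive the updated package first."""
    root = ET.fromstring(server_xml)
    return [dict(el.attrib) for el in root.iter("Listener")
            if el.get("className") == JMX_LISTENER]


if __name__ == "__main__":
    for line, ok in audit_request_lines().items():
        print("OK  " if ok else "BAD ", line)
    print(find_jmx_remote_listeners(SAMPLE_SERVER_XML))
```

Only the first two sample lines pass: the percent-encoded CR/LF is fine because the request line itself stays well formed and decoding happens later, in the application layer. The check is deliberately stricter than what browsers send, which is the point of running it at the edge: a proxy and an origin that both reject the same bytes have nothing to disagree about, and that disagreement is what the advisory's cache-poisoning and XSS scenarios depend on.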

David Walser 2016-12-01 16:03:00 CET

Whiteboard: (none) => has_procedure

Comment 3 Brian Rockwell 2016-12-03 04:03:57 CET
The following 41 packages are going to be installed:

- apache-commons-collections-3.2.2-1.mga5.noarch
- apache-commons-daemon-1.0.15-5.mga5.i586
- apache-commons-daemon-jsvc-1.0.15-5.mga5.i586
- apache-commons-dbcp-1.4-19.mga5.noarch
- apache-commons-logging-1.1.3-8.mga5.noarch
- apache-commons-pool-1.6-10.mga5.noarch
- copy-jdk-configs-1.2-1.mga5.noarch
- ecj-4.4.0-1.mga5.noarch
- geronimo-jms-1.1.1-16.mga5.noarch
- geronimo-jta-1.1.1-14.mga5.noarch
- jakarta-taglibs-standard-1.1.2-15.mga5.noarch
- java-1.8.0-openjdk-1.8.0.111-1.b16.1.mga5.i586
- java-1.8.0-openjdk-headless-1.8.0.111-1.b16.1.mga5.i586
- javamail-1.5.1-1.mga5.noarch
- javapackages-tools-4.1.0-15.1.mga5.noarch
- liblog4j12-java-1.2.17-7.mga5.noarch
- libsctp1-1.0.11-5.mga5.i586
- lksctp-tools-1.0.11-5.mga5.i586
- lua-5.2.3-6.mga5.i586
- lua-posix-33.3.1-1.mga5.i586
- python-javapackages-4.1.0-15.1.mga5.noarch
- python-lxml-3.3.6-4.mga5.i586
- python-pyxb-1.2.3-4.mga5.noarch
- rootcerts-java-20160922.00-1.mga5.noarch
- timezone-java-2016i-4.mga5.noarch
- tomcat-7.0.73-1.mga5.noarch
- tomcat-admin-webapps-7.0.73-1.mga5.noarch
- tomcat-docs-webapp-7.0.73-1.mga5.noarch
- tomcat-el-2.2-api-7.0.73-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.73-1.mga5.noarch
- tomcat-jsvc-7.0.73-1.mga5.noarch
- tomcat-lib-7.0.73-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.73-1.mga5.noarch
- tomcat-webapps-7.0.73-1.mga5.noarch
- x11-font-bitstream-type1-1.0.3-5.mga5.noarch
- x11-font-type1-1.0.0-12.mga5.noarch
- x11-font-xfree86-type1-1.0.4-5.mga5.noarch
- xalan-j2-2.7.1-10.mga5.noarch
- xerces-j2-2.11.0-14.1.mga5.noarch
- xml-commons-apis-1.4.01-18.mga5.noarch
- xml-commons-resolver-1.2-16.mga5.noarch

193MB of additional disk space will be used.

47MB of packages will be retrieved.

Is it ok to continue?


Rebooted my VM.

$ ps -ef | grep tomcat

tomcat    1338     1  6 20:56 ?        00:00:16 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

from firefox:  http://127.0.0.1:8080/sample/

displaying the JSP and servlet pages fine.

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure mga5-32-ok

Comment 4 Lewis Smith 2016-12-05 21:43:05 CET
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: has_procedure mga5-32-ok => has_procedure mga5-32-ok advisory

Comment 5 Lewis Smith 2016-12-11 19:50:09 CET
Testing MGA5 x64

Both CVEs currently just Reserved; I could find no test case.

Updated existing tomcat installation to:
 tomcat-7.0.73-1.mga5
 tomcat-admin-webapps-7.0.73-1.mga5
 tomcat-el-2.2-api-7.0.73-1.mga5
 tomcat-jsp-2.2-api-7.0.73-1.mga5
 tomcat-lib-7.0.73-1.mga5
 tomcat-servlet-3.0-api-7.0.73-1.mga5
 tomcat-webapps-7.0.73-1.mga5

/etc/tomcat/tomcat-users.xml
...
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
...
 <role rolename="manager-gui"/>
 <user username="***" password="***" roles="manager-gui"/>
...

 http://localhost:8080/
Showed the correct Tomcat home page:
"Apache Tomcat/7.0.73
If you're seeing this, you've successfully installed Tomcat. Congratulations!"

The 'Server status' link from that
 http://localhost:8080/manager/status
showed a correct "Server Status" page.

The 'Manager app' link on the home page
 http://localhost:8080/manager/html
asked for [implied "manager-gui"] username/password login, then showed a good "Tomcat Web Application Manager" page which includes the two test links:

 http://localhost:8080/sample/
which both worked.
&
 http://localhost:8080/examples/
of which I tried a lot of the examples, OK as far as I could see.

OKing & validating.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-32-ok advisory => has_procedure mga5-32-ok advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-12-11 23:44:44 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0417.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

