Bug 21131 - tomcat new security issue CVE-2017-5664
Summary: tomcat new security issue CVE-2017-5664
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-23 09:52 CEST by Zombie Ryushu
Modified: 2017-06-29 23:54 CEST (History)
8 users

See Also:
Source RPM: tomcat-8.0.43-1.mga6.src.rpm
CVE: CVE-2017-5664
Status comment:


Attachments

Description Zombie Ryushu 2017-06-23 09:52:17 CEST
Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and
JSP engine, static error pages used the original request's HTTP method
to serve content, instead of systematically using the GET method. This
could under certain conditions result in undesirable results,
including the replacement or removal of the custom error page.
Zombie Ryushu 2017-06-23 09:52:49 CEST

CVE: (none) => CVE-2017-5664
URL: (none) => http://www.linuxsecurity.com/content/view/171881/

Comment 1 Marja Van Waes 2017-06-23 23:00:02 CEST
We have tomcat-8.0.43-1.mga6 in cauldron, does that have this vulnerability, too?

Mageia 5 has tomcat version 7.0.77

CC: (none) => geiger.david68210, marja11
Whiteboard: (none) => MGA5TOO
Assignee: bugsquad => mageia

Comment 2 Zombie Ryushu 2017-06-24 00:23:22 CEST
It appears so

tomcat7 needs to be updated to 7.0.78
tomcat8 needs to be updated to 8.5.14

http://www.linuxsecurity.com/content/view/171880/170/
http://www.linuxsecurity.com/content/view/171902/170/
Comment 3 David Walser 2017-06-24 00:42:07 CEST
Actual source of this is Debian advisories from June 22:
https://www.debian.org/security/2017/dsa-3891
https://www.debian.org/security/2017/dsa-3892

CC: (none) => luigiwalser
Summary: tomcat security vulnerability CVE-2017-5664 => tomcat new security issue CVE-2017-5664
URL: http://www.linuxsecurity.com/content/view/171881/ => (none)
Source RPM: tomcat => tomcat-8.0.43-1.mga6.src.rpm

Comment 4 David GEIGER 2017-06-24 08:47:14 CEST
Fixed for Cauldron updating tomcat to 8.0.44 release and also for mga5 updating tomcat to 7.0.78 release!
Comment 5 David Walser 2017-06-24 12:14:03 CEST
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

Aniket Nandkishor Kulkarni discovered that in tomcat7, static error pages used
the original request's HTTP method to serve content, instead of systematically
using the GET method. This could under certain conditions result in undesirable
results, including the replacement or removal of the custom error page
(CVE-2017-5664).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://www.debian.org/security/2017/dsa-3892
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.78-1.mga5
tomcat-admin-webapps-7.0.78-1.mga5
tomcat-docs-webapp-7.0.78-1.mga5
tomcat-javadoc-7.0.78-1.mga5
tomcat-jsvc-7.0.78-1.mga5
tomcat-jsp-2.2-api-7.0.78-1.mga5
tomcat-lib-7.0.78-1.mga5
tomcat-servlet-3.0-api-7.0.78-1.mga5
tomcat-el-2.2-api-7.0.78-1.mga5
tomcat-webapps-7.0.78-1.mga5

from tomcat-7.0.78-1.mga5.src.rpm

Assignee: mageia => qa-bugs
CC: (none) => mageia
Whiteboard: MGA5TOO => has_procedure
Version: Cauldron => 5
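Added example (not code from this bug report, from Mageia or from the Tomcat project): defender-side checks for the issue described in the advisory above and for the version check done in the QA comments. It parses a constructed web.xml for static error-page locations and for the DefaultServlet `readonly` init-param (a real Tomcat parameter, default true; the assumption here is that a write-enabled DefaultServlet is the configuration in which a forwarded non-GET method could alter a static error page), scans constructed access-log lines in Tomcat's common pattern for requests using write methods, and compares an installed version against the fixed releases named in this report (7.0.78, 8.0.44, 8.5.14). All function names and sample data are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases as stated in this bug report (comments 2 and 4).
FIXED_VERSIONS = {"7.0": (7, 0, 78), "8.0": (8, 0, 44), "8.5": (8, 5, 14)}

# Write methods worth flagging: the advisory's point is that an error-page
# forward keeps the original request method instead of using GET.
WRITE_METHODS = {"PUT", "DELETE"}

# Constructed web.xml fragment (assumed configuration, not from the report):
# a static custom 404 page plus a DefaultServlet with readonly switched off.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
</web-app>
"""

# Constructed access-log lines in Tomcat's common pattern: %h %l %u %t "%r" %s %b
ACCESS_LOG = [
    '10.0.0.5 - - [23/Jun/2017:09:52:17 +0200] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.5 - - [23/Jun/2017:09:52:18 +0200] "GET /no-such-page HTTP/1.1" 404 532',
    '198.51.100.7 - - [23/Jun/2017:09:53:01 +0200] "PUT /no-such-page HTTP/1.1" 404 -',
    '198.51.100.7 - - [23/Jun/2017:09:53:02 +0200] "DELETE /also-missing HTTP/1.1" 404 -',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return (default_servlet_writable, [error-page locations])."""
    root = ET.fromstring(xml_text)
    writable = False
    locations = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "servlet":
            cls = "".join((c.text or "") for c in el if _local(c.tag) == "servlet-class").strip()
            if not cls.endswith("DefaultServlet"):
                continue
            for ip in el:
                if _local(ip.tag) != "init-param":
                    continue
                params = {_local(c.tag): (c.text or "").strip() for c in ip}
                if params.get("param-name") == "readonly" and \
                        params.get("param-value", "").lower() == "false":
                    writable = True
        elif name == "error-page":
            for c in el:
                if _local(c.tag) == "location":
                    locations.append((c.text or "").strip())
    return writable, locations


def find_write_requests(log_lines):
    """Return the parsed requests that used a write method."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] in WRITE_METHODS:
            hits.append({"host": m["host"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def is_fixed(version):
    """True if an x.y.z Tomcat version is at or past the fix named in this report."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_VERSIONS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        raise ValueError(f"no fixed release listed in this report for {version}")
    return parts >= fixed


def assess(xml_text, log_lines):
    """Combine the configuration audit and the log scan into one risk rating."""
    writable, locations = audit_web_xml(xml_text)
    hits = find_write_requests(log_lines)
    risk = "high" if (writable and hits) else ("medium" if (writable or hits) else "low")
    return {"default_servlet_writable": writable, "error_pages": locations,
            "write_requests": hits, "risk": risk}


if __name__ == "__main__":
    for v in ("7.0.77", "7.0.78"):
        print(v, "fixed" if is_fixed(v) else "NOT fixed")
    print(assess(WEB_XML, ACCESS_LOG))
```

The version helper only knows the branches this report names, so it raises rather than guessing for anything else; the risk rating treats a write-enabled DefaultServlet plus observed PUT/DELETE traffic as the combination to investigate first, and a hardened web.xml (readonly true) drops the rating even when the same log lines are present.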

Comment 6 Herman Viaene 2017-06-27 17:22:59 CEST
MGA5-32 on Asus A6000VM
No installation issues
The samples and example work OK as per bug 8307, but trying to log in to the manager app results in an Exception report:
message java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
Googling on the error leads me to suspect a problem with jsp version.
Quote "At the end it appeared, that I got newer tomcat which has different version of jsp-api provided (in tomcat 7.0.60 and above it will be jsp-api 2.2)."
That's where I throw in my hat.

CC: (none) => herman.viaene

Comment 7 Lewis Smith 2017-06-27 21:32:47 CEST
Testing Mageia 5 64-bit
using https://bugs.mageia.org/show_bug.cgi?id=19828#c5

BEFORE the update:
tomcat-admin-webapps-7.0.77-1.mga5
tomcat-7.0.77-1.mga5
tomcat-jsp-2.2-api-7.0.77-1.mga5
tomcat-el-2.2-api-7.0.77-1.mga5
tomcat-servlet-3.0-api-7.0.77-1.mga5
tomcat-webapps-7.0.77-1.mga5
tomcat-lib-7.0.77-1.mga5

File /etc/tomcat/tomcat-users.xml was already correctly configured:
...
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
...
 <role rolename="manager-gui"/>
 <user username="***" password="***" roles="manager-gui"/>
...

AFTER the uneventful update:
tomcat-jsp-2.2-api-7.0.78-1.mga5
tomcat-servlet-3.0-api-7.0.78-1.mga5
tomcat-lib-7.0.78-1.mga5
tomcat-el-2.2-api-7.0.78-1.mga5
tomcat-7.0.78-1.mga5
tomcat-admin-webapps-7.0.78-1.mga5
tomcat-webapps-7.0.78-1.mga5

# systemctl restart tomcat.service

http://localhost:8080/ correctly shows:
"Apache Tomcat/7.0.78"

http://localhost:8080/manager/status [server status link on home page]
asks for the 'manager-gui' username/password, then shows a valid "Server Status" page; the 4 'Manager' links work.

http://localhost:8080/manager/html [Manager App link on home page]
shows the "Tomcat Web Application Manager" page, including the test links:
 http://localhost:8080/sample/   [both worked]
 http://localhost:8080/examples/
Tried many of these, all worked.

The only thing I could not pass was the 'Host manager' link on the home page:
 http://localhost:8080/host-manager/html
which gave "403 Access Denied" because <role rolename="admin-gui"/> was not defined; fair enough.

Did not have Herman's problem re the Manager App link, which wanted the 'manager-gui' user/PW. OKing this update.

Whiteboard: has_procedure => has_procedure MGA5-64-OK
CC: (none) => lewyssmith

Lewis Smith 2017-06-27 21:42:03 CEST

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 8 William Kenney 2017-06-29 21:45:46 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 9 Mageia Robot 2017-06-29 23:54:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0196.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

