Bug 21714 - tomcat new security issue CVE-2017-7674
Summary: tomcat new security issue CVE-2017-7674
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-16 04:45 CEST by David Walser
Modified: 2018-06-08 22:30 CEST (History)
4 users

See Also:
Source RPM: tomcat-8.0.44-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-09-16 04:45:45 CEST
Fedora has issued an advisory on September 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/

The issue is fixed upstream in 7.0.79 and 8.0.46.

David, I see from the commit message in Cauldron that you were already aware of this.  You don't have to wait for me to file the bug.  Please take care of these when you notice them.

Mageia 5 is also affected (tomcat 7).
David Walser 2017-09-16 04:46:00 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-09-16 14:31:58 CEST
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

The CORS Filter did not add an HTTP Vary header indicating that the response
varies depending on Origin. This permitted client and server side cache
poisoning in some circumstances (CVE-2017-7674).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.81-1.mga5
tomcat-admin-webapps-7.0.81-1.mga5
tomcat-docs-webapp-7.0.81-1.mga5
tomcat-javadoc-7.0.81-1.mga5
tomcat-jsvc-7.0.81-1.mga5
tomcat-jsp-2.2-api-7.0.81-1.mga5
tomcat-lib-7.0.81-1.mga5
tomcat-servlet-3.0-api-7.0.81-1.mga5
tomcat-el-2.2-api-7.0.81-1.mga5
tomcat-webapps-7.0.81-1.mga5
tomcat-8.0.46-1.mga6
tomcat-admin-webapps-8.0.46-1.mga6
tomcat-docs-webapp-8.0.46-1.mga6
tomcat-javadoc-8.0.46-1.mga6
tomcat-jsvc-8.0.46-1.mga6
tomcat-jsp-2.3-api-8.0.46-1.mga6
tomcat-lib-8.0.46-1.mga6
tomcat-servlet-3.1-api-8.0.46-1.mga6
tomcat-el-3.0-api-8.0.46-1.mga6
tomcat-webapps-8.0.46-1.mga6

from SRPMS:
tomcat-7.0.81-1.mga5.src.rpm
tomcat-8.0.46-1.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Keywords: (none) => has_procedure

Comment 2 Lewis Smith 2017-09-18 22:18:48 CEST
Testing M6/64

Already has Tomcat installed, so updated to:
 tomcat-webapps-7.0.81-1.mga5
 tomcat-lib-7.0.81-1.mga5
 tomcat-el-2.2-api-7.0.81-1.mga5
 tomcat-7.0.81-1.mga5
 tomcat-servlet-3.0-api-7.0.81-1.mga5
 tomcat-admin-webapps-7.0.81-1.mga5
 tomcat-jsp-2.2-api-7.0.81-1.mga5

This time I ensured that my defined user could do both these roles in
/etc/tomcat/tomcat-users.xml
 <role rolename="admin-gui"/>
 <role rolename="manager-gui"/>
 <user username="<usr>" password="<password>" roles="manager-gui,admin-gui"/>

Using https://bugs.mageia.org/show_bug.cgi?id=21131#c7 as a reference:
 # systemctl restart tomcat

 http://localhost:8080/
showed the "Apache Tomcat/7.0.81" page.

 http://localhost:8080/manager/status     [= server status link on home page]
asks for the 'manager-gui' username/password, then shows a valid "Server Status" page.

 http://localhost:8080/manager/html       [= Manager App link on home page]
shows the "Tomcat Web Application Manager" page, including the test links:
 http://localhost:8080/sample/
 http://localhost:8080/examples/
Tried many of these, all worked.

 http://localhost:8080/host-manager/html
shows "Tomcat Virtual Host Manager" page.

Everything looks OK.

Keywords: (none) => advisory
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => lewyssmith

Comment 3 Lewis Smith 2017-09-19 17:24:21 CEST
Testing M6/64

BEFORE update:
Installed as issued:
 tomcat-el-3.0-api-8.0.44-1.mga6
 tomcat-8.0.44-1.mga6
 tomcat-webapps-8.0.44-1.mga6
 tomcat-lib-8.0.44-1.mga6
 tomcat-servlet-3.1-api-8.0.44-1.mga6
 tomcat-jsvc-8.0.44-1.mga6
 tomcat-jsp-2.3-api-8.0.44-1.mga6
 tomcat-admin-webapps-8.0.44-1.mga6
The installation of tomcat itself showed:
"Failed to open 'tomcat.conf': No such file or directory"
which does not matter, but is not encouraging.

Edited /etc/tomcat/tomcat-users.xml
 <role rolename="admin-gui"/>       [uncomment]
 <role rolename="manager-gui"/>     [uncomment]
 <user username="..." password="..." roles="manager-gui,admin-gui"/>

# systemctl restart tomcat 

 http://localhost:8080/ ->
"Apache Tomcat/8.0.44" page. Tried a couple of the top-right buttons, they asked for the user/password, that worked.
----------------------------------
AFTER update:
 tomcat-jsvc-8.0.46-1.mga6
 tomcat-jsp-2.3-api-8.0.46-1.mga6
 tomcat-el-3.0-api-8.0.46-1.mga6
 tomcat-admin-webapps-8.0.46-1.mga6
 tomcat-lib-8.0.46-1.mga6
 tomcat-8.0.46-1.mga6
 tomcat-servlet-3.1-api-8.0.46-1.mga6
 tomcat-webapps-8.0.46-1.mga6

http://localhost:8080/ ->
"Apache Tomcat/8.0.46" home page.
- Server Status -> "Server Status" page, looks sensible.
- Manager App  -> "Tomcat Web Application Manager" page; see below.
- Host Manager -> "Tomcat Virtual Host Manager" page, seems OK.
I had not re-started the Tomcat server. It is variable whether you get asked for username/password; sometimes it seems to remember it.

The direct links:
 http://localhost:8080/manager/status
 http://localhost:8080/manager/html
 http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

From the "Tomcat Web Application Manager" page I tried various of the many examples, most of which worked. A few did not, of the form:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
but I do not think this invalidates the update. They probably did not work before.

OKing & validating.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2017-09-20 00:45:53 CEST
Please update the advisory in SVN.  7.0.81 fixes an additional CVE:
http://openwall.com/lists/oss-security/2017/09/19/2

Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

The CORS Filter did not add an HTTP Vary header indicating that the response
varies depending on Origin. This permitted client and server side cache
poisoning in some circumstances (CVE-2017-7674).

When using a VirtualDirContext it was possible to bypass security constraints
and/or view the source code of JSPs for resources served by the
VirtualDirContext using a specially crafted request (CVE-2017-12616).

Note that CVE-2017-12616 only affected tomcat 7 in Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/

Keywords: advisory => (none)
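The two advisory texts above (comment 1 and comment 4) describe the CVE-2017-7674 condition without showing why the missing header matters. The following is an added example, not code from this bug report, from Mageia or from Apache Tomcat: it models a CORS filter that echoes the request Origin into Access-Control-Allow-Origin with and without "Vary: Origin", runs both through a toy shared cache, and provides a header check a packager or admin could run over a real response. The origins, URL and the simplified cache keying are constructed assumptions.

```python
"""Why a CORS filter must send "Vary: Origin" (CVE-2017-7674 class of bug).

Added example, not from the Mageia bug report or from Apache Tomcat.
The vulnerable condition is the one the advisory describes: the filter
echoes the request Origin into Access-Control-Allow-Origin but omits
"Vary: Origin", so a shared cache may hand one origin's response to another.
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]

# Constructed allow-list for the simulated origin server.
ALLOWED_ORIGINS = {"https://a.example", "https://b.example"}


def _get(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _vary_fields(headers: Headers) -> List[str]:
    """Return the header names listed in Vary, lower-cased, ignoring blanks."""
    return [t.strip().lower() for t in _get(headers, "Vary").split(",") if t.strip()]


def check_cors_cacheability(headers: Headers) -> List[str]:
    """Return findings for one response; an empty list means nothing wrong.

    A response whose Access-Control-Allow-Origin names a specific origin
    (anything but '*') depends on the request's Origin, so it must carry
    Vary: Origin (or Vary: *) to be safe in shared caches.
    """
    findings = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    vary = _vary_fields(headers)
    if acao and acao != "*" and "origin" not in vary and "*" not in vary:
        findings.append(
            "Access-Control-Allow-Origin is origin-specific (%s) but Vary does not "
            "include Origin: cached copy may be served to a different origin" % acao
        )
    return findings


class SharedCache:
    """Toy shared cache: a stored response is reused only if every header it
    lists in Vary matches the new request (simplified RFC 7234 secondary key)."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[Tuple[Headers, Headers]]] = {}

    def lookup(self, url: str, req: Headers) -> Optional[Headers]:
        for stored_req, resp in self._entries.get(url, []):
            if all(_get(req, h) == _get(stored_req, h) for h in _vary_fields(resp)):
                return resp
        return None

    def store(self, url: str, req: Headers, resp: Headers) -> None:
        self._entries.setdefault(url, []).append((req, resp))


def cors_filter(req: Headers, add_vary: bool) -> Headers:
    """Simulated origin-server CORS filter; add_vary=False is the buggy form."""
    resp: Headers = {"Content-Type": "application/json"}
    origin = _get(req, "Origin")
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
        if add_vary:
            resp["Vary"] = "Origin"  # the fix: response varies on Origin
    return resp


def fetch_via_cache(cache: SharedCache, url: str, req: Headers,
                    add_vary: bool) -> Tuple[Headers, bool]:
    """Return (response, served_from_cache)."""
    hit = cache.lookup(url, req)
    if hit is not None:
        return hit, True
    resp = cors_filter(req, add_vary)
    cache.store(url, req, resp)
    return resp, False


def simulate(add_vary: bool) -> Tuple[str, bool]:
    """Two clients from different origins share one cache. Returns the
    Access-Control-Allow-Origin the second client receives and whether it
    came from the cache."""
    cache = SharedCache()
    url = "https://api.example/data"  # constructed
    fetch_via_cache(cache, url, {"Origin": "https://a.example"}, add_vary)
    resp, hit = fetch_via_cache(cache, url, {"Origin": "https://b.example"}, add_vary)
    return _get(resp, "Access-Control-Allow-Origin"), hit


if __name__ == "__main__":
    print("without Vary:", simulate(add_vary=False))  # b.example gets a.example's ACAO
    print("with Vary:   ", simulate(add_vary=True))   # b.example gets its own response
```

Without "Vary: Origin" the second client is served the first client's cached response, so the Access-Control-Allow-Origin it sees names the wrong origin; with the header the cache treats the two as distinct entries. The same `check_cors_cacheability` test can be applied to the headers returned by an updated Tomcat instance to confirm the fix is in effect.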

Comment 5 Lewis Smith 2017-09-20 08:39:01 CEST
Done. Added the CVE and 2 extra refs cf comment 1.

Keywords: (none) => advisory

Comment 6 Mageia Robot 2017-09-21 15:44:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0352.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2017-10-26 17:24:29 CEST
This update also fixed CVE-2017-12615 in tomcat 7 on Mageia 5.

Comment 8 David Walser 2018-06-08 22:30:13 CEST
This update also fixed CVE-2017-12616 in tomcat 7:
https://usn.ubuntu.com/3665-1/
