Bug 22503 - tomcat new security issue CVE-2017-15706
Summary: tomcat new security issue CVE-2017-15706
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks: 22644
 
Reported: 2018-02-01 20:59 CET by David Walser
Modified: 2018-02-28 14:56 CET (History)

See Also:
Source RPM: tomcat-8.0.47-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-02-01 20:59:34 CET
Upstream announced a security fix in Tomcat 8.0.48 on January 31:
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48

Cauldron was just updated to 8.0.49 by David today.
David Walser 2018-02-01 20:59:43 CET

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2018-02-02 05:10:39 CET
Done also for mga6.
Comment 2 David Walser 2018-02-02 17:13:48 CET
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Tomcat 8.0.45, the description of the search algorithm used by the CGI
Servlet to identify which script to execute was updated. The update was not
correct. As a result, some scripts may have failed to execute as expected and
other scripts may have been executed unexpectedly. Note that the behaviour of
the CGI servlet has remained unchanged in this regard. It is only the
documentation of the behaviour that was wrong and has been corrected
(CVE-2017-15706).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48
========================

Updated packages in core/updates_testing:
========================
tomcat-8.0.49-1.mga6
tomcat-admin-webapps-8.0.49-1.mga6
tomcat-docs-webapp-8.0.49-1.mga6
tomcat-javadoc-8.0.49-1.mga6
tomcat-jsvc-8.0.49-1.mga6
tomcat-jsp-2.3-api-8.0.49-1.mga6
tomcat-lib-8.0.49-1.mga6
tomcat-servlet-3.1-api-8.0.49-1.mga6
tomcat-el-3.0-api-8.0.49-1.mga6
tomcat-webapps-8.0.49-1.mga6

from tomcat-8.0.49-1.mga6.src.rpm

Assignee: java => qa-bugs
Keywords: (none) => has_procedure

Comment 3 Herman Viaene 2018-02-06 13:22:45 CET
MGA6-64 on Lenovo B50 Plasma
No installation issues
Examples work perfectly, and access to tomcat homepage on localhost is OK, but I can't get the tomcat users configuration right to get into the manager app.
The relevant section of tomcat-users.xml reads:
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin-gui"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>


<role rolename="admin"/> 
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="tomcat" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />
and I fail to see the obvious(?) mistake.

CC: (none) => herman.viaene

Comment 4 David Walser 2018-02-25 00:56:00 CET
More security bugs fixed in 8.0.50.

Advisory:
========================

Updated tomcat packages fix security vulnerability:

In Tomcat 8.0.45, the description of the search algorithm used by the CGI
Servlet to identify which script to execute was updated. The update was not
correct. As a result, some scripts may have failed to execute as expected and
other scripts may have been executed unexpectedly. Note that the behavior of
the CGI servlet has remained unchanged in this regard. It is only the
documentation of the behavior that was wrong and has been corrected
(CVE-2017-15706).

The URL pattern of "" (the empty string) which exactly maps to the context
root was not correctly handled when used as part of a security constraint
definition. This caused the constraint to be ignored. It was, therefore,
possible for unauthorized users to gain access to web application resources
that should have been protected. Only security constraints with a URL pattern
of the empty string were affected (CVE-2018-1304).

Security constraints defined by annotations of Servlets were only applied once
a Servlet had been loaded. Because security constraints defined in this way
apply to the URL pattern and any URLs below that point, it was possible -
depending on the order Servlets were loaded - for some security constraints
not to be applied. This could have exposed resources to users who were not
authorized to access them (CVE-2018-1305).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.50
========================

Updated packages in core/updates_testing:
========================
tomcat-8.0.50-1.mga6
tomcat-admin-webapps-8.0.50-1.mga6
tomcat-docs-webapp-8.0.50-1.mga6
tomcat-javadoc-8.0.50-1.mga6
tomcat-jsvc-8.0.50-1.mga6
tomcat-jsp-2.3-api-8.0.50-1.mga6
tomcat-lib-8.0.50-1.mga6
tomcat-servlet-3.1-api-8.0.50-1.mga6
tomcat-el-3.0-api-8.0.50-1.mga6
tomcat-webapps-8.0.50-1.mga6

from tomcat-8.0.50-1.mga6.src.rpm
David Walser 2018-02-25 00:56:26 CET

Blocks: (none) => 22644

David Walser 2018-02-25 00:56:43 CET

Severity: normal => critical
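A defender-side audit for the CVE-2018-1304 condition described in the advisory above, added here as an example and not code from the bug report or the Tomcat project: it parses a deployment descriptor for security constraints whose url-pattern is the empty string and flags them when the installed 8.0.x Tomcat is older than the 8.0.50 release the advisory names as fixed. The sample web.xml and the function names are constructed for this example.

```python
"""Audit a web.xml for security constraints that use the empty-string URL
pattern. Per the advisory (CVE-2018-1304), Tomcat before 8.0.50 ignored
such a constraint, leaving the context root unprotected."""
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the page): the first
# constraint guards the context root with "", the second uses a normal path.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin-gui</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    # web.xml elements carry the Java EE namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]

def empty_pattern_constraints(web_xml_text):
    """Return web-resource-names whose collection contains the "" pattern."""
    hits = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            name = next((c.text or "" for c in wrc if _local(c.tag) == "web-resource-name"), "")
            patterns = [(p.text or "").strip() for p in wrc if _local(p.tag) == "url-pattern"]
            if "" in patterns:
                hits.append(name)
    return hits

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def needs_attention(web_xml_text, tomcat_version, fixed_in="8.0.50"):
    """True when "" constraints exist and the running 8.0.x Tomcat is older
    than the fixed release the advisory names (only the 8.0 branch is handled)."""
    return parse_version(tomcat_version) < parse_version(fixed_in) and bool(empty_pattern_constraints(web_xml_text))
```

Run it against each deployed web.xml on a host still on tomcat-8.0.49-1.mga6 to see which applications relied on a root constraint that the old release silently dropped.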

Comment 5 Lewis Smith 2018-02-27 20:48:21 CET
Testing M6/64

Tomcat was already installed, so just updated it to:
- tomcat-8.0.50-1.mga6.noarch
- tomcat-admin-webapps-8.0.50-1.mga6.noarch
- tomcat-el-3.0-api-8.0.50-1.mga6.noarch
- tomcat-jsp-2.3-api-8.0.50-1.mga6.noarch
- tomcat-jsvc-8.0.50-1.mga6.noarch
- tomcat-lib-8.0.50-1.mga6.noarch
- tomcat-servlet-3.1-api-8.0.50-1.mga6.noarch
- tomcat-webapps-8.0.50-1.mga6.noarch
and used https://bugs.mageia.org/show_bug.cgi?id=21933#c4 as a test reference;
except that did not mention the need to have 'icedtea-web' installed for some of the tests.

Ensured /etc/tomcat/tomcat-users.xml had the following lines:
 <role rolename="admin-gui"/>
 <role rolename="manager-gui"/>
 <user username="..." password="..." roles="manager-gui,admin-gui"/>

 # systemctl restart tomcat

http://localhost:8080/ showed the main page "Apache Tomcat/8.0.50".
'server status' button 1st use asked for user/password. Result sensible.
'manager app' button showed correct screen.
'host manager' button 1st use asked for user/password. Result sensible.

The equivalent direct links:
 http://localhost:8080/manager/status
 http://localhost:8080/manager/html
 http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

/sample both worked.
/examples many tried, most worked, a few giving:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
which has become normal.

OKing the update, validating, advisory to do from comment 4.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-02-28 14:56:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0149.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

