Posted to users@tomcat.apache.org by Remy Maucherat <re...@apache.org> on 2002/03/02 04:33:08 UTC

[ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release

A security vulnerability affecting the sandboxing provided by the Java
Security Manager has been discovered. The request dispatcher functionality of
the Servlet API could be used by a malicious servlet or JSP page to get
access to any resource located on the server's filesystem, bypassing the
Security Manager protection.

Note: People who are not using Tomcat with the Security Manager are not
affected by this problem, and do not need to upgrade.

Tomcat 4.0.3 has been released, and is identical to Tomcat 4.0.2 with the
only change being the fix for the problem described above:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/

The security patch can also be downloaded as a binary patch for Tomcat 4.0.2
and can be applied to an existing Tomcat 4.0.2 installation:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfix/

The source code for the hotfix is included in the archive.

The upcoming Tomcat 4.0.4 Beta 1 release will also include this fix.

Issue report:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772

Remy



--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Remy Maucherat wrote:
> 
> > Remy Maucherat wrote:
> > >
> > > A security vulnerability affecting the sandboxing provided by the Java
> > > Security Manager has been discovered. The request dispatcher
> > > functionality of
> > > the Servlet API could be used by a malicious servlet or JSP page to get
> > > access to any resource located on the server's filesystem, bypassing the
> > > Security Manager protection.
> > >
> > > Note: People who are not using Tomcat with the Security Manager are not
> > > affected by this problem, and do not need to upgrade.
> > >
> >
> > This statement is misleading.  I reviewed the bug report and patch.
> > The security bug had nothing to do with the SecurityManager implementation
> > itself.  It was due to the file path not being normalized before getting
> > the RequestDispatcher for it.  Tomcat would be vulnerable to this
> > regardless
> > of whether it was running with the SecurityManager or not.
> >
> > In fact if you were running Tomcat with the SecurityManager enabled and
> > a strict catalina.policy which restricted file access with FilePermissions
> > you would be less vulnerable than Tomcat running without the
> > SecurityManager.
> >
> > Sorry this is a few hours too late for the announcement.
> >
> > Perhaps a followup announcement could be made to correct this.
> 
> I agree, but if you don't have the security manager, a malicious servlet
> could already use direct filesystem access to read any file on the server,
> which is a lot easier to use than this vulnerability. So the vulnerability
> doesn't make it more insecure (but it's still a spec compliance bug).
> 

That's true.  But the announcement is still misleading.  This really is more
of a spec compliance bug than a security bug.

> OTOH, if you have the security manager, you're supposed to be protected,
> regardless of whether or not there's a bug in the request dispatcher.
> 

There is that old saying "You can lead a horse to water, but you can't
make it drink."  That applies in this case.  We don't require that Tomcat 4
be run with the SecurityManager, and even if you use the SecurityManager
your protection is only as good as the security policy you implement.
The default catalina.policy is not very restrictive.  My Tomcat configs
use a very strict policy, so my exposure to this bug was more limited.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------



Re: [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release

Posted by Remy Maucherat <re...@apache.org>.
> Remy Maucherat wrote:
> >
> > A security vulnerability affecting the sandboxing provided by the Java
> > Security Manager has been discovered. The request dispatcher
> > functionality of
> > the Servlet API could be used by a malicious servlet or JSP page to get
> > access to any resource located on the server's filesystem, bypassing the
> > Security Manager protection.
> >
> > Note: People who are not using Tomcat with the Security Manager are not
> > affected by this problem, and do not need to upgrade.
> >
>
> This statement is misleading.  I reviewed the bug report and patch.
> The security bug had nothing to do with the SecurityManager implementation
> itself.  It was due to the file path not being normalized before getting
> the RequestDispatcher for it.  Tomcat would be vulnerable to this
> regardless
> of whether it was running with the SecurityManager or not.
>
> In fact if you were running Tomcat with the SecurityManager enabled and
> a strict catalina.policy which restricted file access with FilePermissions
> you would be less vulnerable than Tomcat running without the
> SecurityManager.
>
> Sorry this is a few hours too late for the announcement.
>
> Perhaps a followup announcement could be made to correct this.

I agree, but if you don't have the security manager, a malicious servlet
could already use direct filesystem access to read any file on the server,
which is a lot easier to use than this vulnerability. So the vulnerability
doesn't make it more insecure (but it's still a spec compliance bug).

OTOH, if you have the security manager, you're supposed to be protected,
regardless of whether or not there's a bug in the request dispatcher.

Remy




Re: [ANNOUNCEMENT] Tomcat 4.0.3 security hotfix release

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Remy Maucherat wrote:
> 
> A security vulnerability affecting the sandboxing provided by the Java
> Security Manager has been discovered. The request dispatcher functionality of
> the Servlet API could be used by a malicious servlet or JSP page to get
> access to any resource located on the server's filesystem, bypassing the
> Security Manager protection.
> 
> Note: People who are not using Tomcat with the Security Manager are not
> affected by this problem, and do not need to upgrade.
>

This statement is misleading.  I reviewed the bug report and patch.
The security bug had nothing to do with the SecurityManager implementation
itself.  It was due to the file path not being normalized before getting
the RequestDispatcher for it.  Tomcat would be vulnerable to this regardless
of whether it was running with the SecurityManager or not.

In fact if you were running Tomcat with the SecurityManager enabled and
a strict catalina.policy which restricted file access with FilePermissions
you would be less vulnerable than Tomcat running without the SecurityManager.

Sorry this is a few hours too late for the announcement.

Perhaps a followup announcement could be made to correct this.

Regards,

Glenn


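The root cause Glenn describes above is a path handed to the RequestDispatcher without normalization, so "." and ".." segments could reach resources outside the web application. The following is an added illustration, not Tomcat's own code from the hotfix: a normalizer that collapses those segments and refuses any path that would climb above the context root, so the caller can treat a null result as "no such resource" before ever calling getRequestDispatcher(). The class and method names are assumptions made for this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Example (not Tomcat's code): normalize a context-relative dispatcher path. */
public final class PathNormalizer {

    /** Returns the normalized path, or null if the path must be rejected. */
    public static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;                 // dispatcher paths must be context-relative
        }
        String p = path.replace('\\', '/'); // never let backslashes act as separators
        if (p.indexOf('\0') >= 0) {
            return null;                 // a NUL byte could truncate the name at the OS level
        }
        boolean directory = p.endsWith("/");
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                // collapse "//" and "/./"
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;         // would climb above the context root: reject
                }
                segments.removeLast();   // resolve ".." against the previous segment
                continue;
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        if (sb.length() == 0 || directory) {
            sb.append('/');              // keep the trailing slash for directory resources
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; expected results are shown in the comments.
        String[] samples = {
            "/jsp/../index.jsp",         // -> "/index.jsp"
            "/a/./b//c",                 // -> "/a/b/c"
            "/../outside.txt",           // -> null (escapes the root)
            "/..\\..\\outside.txt",      // -> null (backslashes normalized, then ".." escapes)
        };
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s));
        }
    }
}
```

The normalized, non-null result is what should be passed to getRequestDispatcher(); even then, as Glenn notes, a SecurityManager with restrictive FilePermissions in catalina.policy remains the second line of defence.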