Posted to users@tomcat.apache.org by "Kumar, Abhishek (IT Information Services )" <Ab...@originenergy.com.au> on 2017/01/10 11:16:51 UTC

Vulnerability Issue with Apache Tomcat 8.0.15 with CSRF token

Hi,

The Apache Tomcat web server running on the Load balancer is affected by an information disclosure vulnerability in the index page of the Manager and Host Manager applications. An unauthenticated attacker can exploit this vulnerability to obtain a valid cross-site request forgery (CSRF) token during the redirect issued when requesting /manager/ or /host-manager/. This token can be utilized by an attacker to construct a CSRF attack.

This is a vulnerability issue with Tomcat 8.0.15.

We have this version of Tomcat installed on our servers.

As suggested by Tomcat, this has been addressed and fixed after 8.0.32 versions.

Restrict access to the /manager URL from unauthorised IP addresses by implementing access control lists that only permit authorised management stations or subnets. For more information, see:

https://urldefense.proofpoint.com/v2/url?u=http-3A__tomcat.apache.org_security-2D8.html-23Fixed-5Fin-5FApache-5FTomcat-5F8.0.32&d=DgIFAg&c=ZgVRmm3mf2P1-XDAyDsu4A&r=-JJsXOks_2Pd13691jEHA6PBSyPcGzblOMm00qdlxbs&m=54nd4qu7eMUZgW9FFIX2Q9G2FdQGJ69mCZu7VvFyN0s&s=y_OfZJOm3x6d8KgLtJS6flhRUDt_I8Aqk6kymbu3u2k&e=


But we do not want to upgrade Tomcat right now.

Is there a way to implement this fix in our current Tomcat version?


Kind Regards,
Abhishek Kumar

Note: This email, including any attachments, is confidential. If you have received this email in error, please advise the sender and delete it and all copies of it from your system. If you are not the intended recipient of this email, you must not use, print, distribute, copy or disclose its content to anyone.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Vulnerability Issue with Apache Tomcat 8.0.15 with CSRF token

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Abhishek,

On 1/10/17 8:03 AM, Kumar, Abhishek (IT Information Services ) wrote:
> Hi Peter,
> 
> Thank You!
> 
> So, the solution would be to switch to the upgraded version for
> this fix?

You could also completely remove access to the manager application
from untrusted IP addresses/ranges. IIRC CSRF tokens are only
generated once the user has been allowed to access the application. So
using e.g. RemoteAddressFilter before the CSRF filter should protect
against an unauthenticated attacker gaining a CSRF token.

But your version of Tomcat is quite old (more than 2 years out of
date), so upgrading should be on your short list of things to do.

http://tomcat.apache.org/security-8.html

-chris



RE: Vulnerability Issue with Apache Tomcat 8.0.15 with CSRF token

Posted by "Kumar, Abhishek (IT Information Services )" <Ab...@originenergy.com.au>.
Hi Peter,

Thank You!

So, the solution would be to switch to the upgraded version for this fix?

Thanks and Regards,
Abhishek Kumar



AW: Vulnerability Issue with Apache Tomcat 8.0.15 with CSRF token

Posted by "Kreuser, Peter" <pk...@airplus.com>.
Hi Abhishek,


From a security standpoint there is no way around updating.

Specifically the CSRF attack is executed from the client, so whoever is at one of the authorized management stations will be executing the CSRF requests.

Aside from this one vulnerability all versions up to the current 8.0.40 fix a whole load of flaws. So whenever you restrict access to the management console (via RemoteAddrValve), all other vulnerabilities that are more than Info disclosures will still persist.

Best regards

Peter


Peter Kreuser
AirPlus International 
Security Officer - Application Development

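Chris's suggestion (an address filter ordered ahead of the CSRF filter) and Peter's (RemoteAddrValve) amount to the same access restriction. The filter form is shown below as an added example, not configuration from the thread or from the Tomcat project: it goes in the Manager application's WEB-INF/web.xml, the class is org.apache.catalina.filters.RemoteAddrFilter, and the 10.20.30.x management subnet is an assumed placeholder.

```xml
<!-- Added example (not from the thread): limit the Manager app to
     loopback plus one management subnet, so a client outside that set is
     rejected before the CSRF filter ever issues it a nonce.
     File: webapps/manager/WEB-INF/web.xml. 10.20.30.x is a constructed
     placeholder; substitute your own management stations or subnets. -->
<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <!-- the regex must match the entire client address; both spellings of
         the IPv6 loopback are listed because Tomcat may report either -->
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.30\.\d+</param-value>
  </init-param>
  <init-param>
    <!-- answer 404 rather than the default 403, so an unauthorised client
         is not even told that the Manager app exists -->
    <param-name>denyStatus</param-name>
    <param-value>404</param-value>
  </init-param>
</filter>

<!-- filter-mapping order is execution order: this mapping has to appear
     ABOVE the Manager's existing CSRF filter-mapping(s) in the same file,
     otherwise the CSRF filter runs first and the token is still handed out
     on the redirect from /manager/ -->
<filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ... the Manager's own CSRF filter-mapping(s) stay below this point ... -->
```

The valve form is the same allow regex on a RemoteAddrValve element in the Manager's META-INF/context.xml. Because the message describes Tomcat sitting behind a load balancer, note that Tomcat then sees the balancer's address, so the allow list is only meaningful once RemoteIpValve or RemoteIpFilter restores the real client address from X-Forwarded-For, and only if the balancer itself overwrites any client-supplied copy of that header.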