Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/08/05 21:45:45 UTC
svn commit: r1510686 - in /tomcat/site/trunk: docs/security-8.html
docs/security.html xdocs/security-8.xml xdocs/security.xml
Author: markt
Date: Mon Aug 5 19:45:45 2013
New Revision: 1510686
URL: http://svn.apache.org/r1510686
Log:
Add Tomcat 8 security page
Added:
tomcat/site/trunk/docs/security-8.html (with props)
tomcat/site/trunk/xdocs/security-8.xml
- copied, changed from r1510677, tomcat/site/trunk/xdocs/security-7.xml
Modified:
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/xdocs/security.xml
Added: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1510686&view=auto
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (added)
+++ tomcat/site/trunk/docs/security-8.html Mon Aug 5 19:45:45 2013
@@ -0,0 +1,345 @@
+<html>
+<head>
+<META http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>Apache Tomcat - Apache Tomcat 8 vulnerabilities</title>
+<meta name="author" content="Apache Tomcat Project">
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
+</head>
+<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
+<table border="0" width="100%" cellspacing="0">
+<!--PAGE HEADER-->
+<tr>
+<td>
+<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
+<h1>Apache Tomcat</h1>
+</font></td><td>
+<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
+</tr>
+</table>
+<div class="searchbox noPrint">
+<form action="http://www.google.com/search" method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
+</form>
+</div>
+<table border="0" width="100%" cellspacing="4">
+<!--HEADER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade size="1">
+</td>
+</tr>
+<tr>
+<!--LEFT SIDE NAVIGATION-->
+<td width="20%" valign="top" nowrap="true" class="noPrint">
+<p>
+<strong>Apache Tomcat</strong>
+</p>
+<ul>
+<li>
+<a href="./index.html">Home</a>
+</li>
+<li>
+<a href="./taglibs/">Taglibs</a>
+</li>
+<li>
+<a href="./maven-plugin.html">Maven Plugin</a>
+</li>
+</ul>
+<p>
+<strong>Download</strong>
+</p>
+<ul>
+<li>
+<a href="./whichversion.html">Which version?</a>
+</li>
+<li>
+<a href="./download-70.cgi">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./download-60.cgi">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./download-connectors.cgi">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./download-native.cgi">Tomcat Native</a>
+</li>
+<li>
+<a href="http://archive.apache.org/dist/tomcat/">Archives</a>
+</li>
+</ul>
+<p>
+<strong>Documentation</strong>
+</p>
+<ul>
+<li>
+<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./connectors-doc/">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./native-doc/">Tomcat Native</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FrontPage">Wiki</a>
+</li>
+<li>
+<a href="./migration.html">Migration Guide</a>
+</li>
+</ul>
+<p>
+<strong>Problems?</strong>
+</p>
+<ul>
+<li>
+<a href="./security.html">Security Reports</a>
+</li>
+<li>
+<a href="./findhelp.html">Find help</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="./bugreport.html">Bug Database</a>
+</li>
+<li>
+<a href="./irc.html">IRC</a>
+</li>
+</ul>
+<p>
+<strong>Get Involved</strong>
+</p>
+<ul>
+<li>
+<a href="./getinvolved.html">Overview</a>
+</li>
+<li>
+<a href="./svn.html">SVN Repositories</a>
+</li>
+<li>
+<a href="./ci.html">Buildbot</a>
+</li>
+<li>
+<a href="https://reviews.apache.org/groups/tomcat/">Reviewboard</a>
+</li>
+<li>
+<a href="./tools.html">Tools</a>
+</li>
+</ul>
+<p>
+<strong>Media</strong>
+</p>
+<ul>
+<li>
+<a href="http://blogs.apache.org/tomcat/">Blog</a>
+</li>
+<li>
+<a href="http://twitter.com/theapachetomcat">Twitter</a>
+</li>
+</ul>
+<p>
+<strong>Misc</strong>
+</p>
+<ul>
+<li>
+<a href="./whoweare.html">Who We Are</a>
+</li>
+<li>
+<a href="./heritage.html">Heritage</a>
+</li>
+<li>
+<a href="http://www.apache.org">Apache Home</a>
+</li>
+<li>
+<a href="./resources.html">Resources</a>
+</li>
+<li>
+<a href="./contact.html">Contact</a>
+</li>
+<li>
+<a href="./legal.html">Legal</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+</li>
+</ul>
+</td>
+<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Table of Contents">
+<!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+<ul>
+<li>
+<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.0-RC1">Fixed in Apache Tomcat 8.0.0-RC1</a>
+</li>
+<li>
+<a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a>
+</li>
+</ul>
+
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Apache Tomcat 8.x vulnerabilities">
+<!--()--></a><a name="Apache_Tomcat_8.x_vulnerabilities"><strong>Apache Tomcat 8.x vulnerabilities</strong></a></font></td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+<p>This page lists all security vulnerabilities fixed in released versions
+ of Apache Tomcat 8.x. Each vulnerability is given a
+ <a href="security-impact.html">security impact rating</a> by the Apache
+ Tomcat security team — please note that this rating may vary from
+ platform to platform. We also list the versions of Apache Tomcat the flaw
+ is known to affect, and where a flaw has not been verified list the
+ version with a question mark.</p>
+
+
+<p>
+<strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
+ but have either been incorrectly reported against Tomcat or where Tomcat
+ provides a workaround are listed at the end of this page.</p>
+
+
+<p>Please note that binary patches are never provided. If you need to
+ apply a source code patch, use the building instructions for the
+ Apache Tomcat version that you are using. For Tomcat 8.0 those are
+ <a href="/tomcat-8.0-doc/building.html"><code>building.html</code></a> and
+ <a href="/tomcat-8.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>.
+ Both files can be found in the <code>webapps/docs</code> subdirectory
+ of a binary distributive. You may also want to review the
+ <a href="/tomcat-8.0-doc/security-howto.html">Security Considerations</a>
+ page in the documentation.</p>
+
+
+<p>If you need help on building or configuring Tomcat or other help on
+ following the instructions to mitigate the known vulnerabilities listed
+ here, please send your questions to the public
+ <a href="lists.html">Tomcat Users mailing list</a>
+
+</p>
+
+
+<p>If you have encountered an unlisted security vulnerability or other
+ unexpected behaviour that has <a href="security-impact.html">security
+ impact</a>, or if the descriptions here are incomplete,
+ please report them privately to the
+ <a href="security.html">Tomcat Security Team</a>. Thank you.
+ </p>
+
+
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 8.0.0-RC1">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_8.0.0-RC1"><strong>Fixed in Apache Tomcat 8.0.0-RC1</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 August 2013</strong></font></td>
+</tr>
+<tr>
+<td colspan="2">
+<p>
+<blockquote>
+
+
+<p>No reports</p>
+
+
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Not a vulnerability in Tomcat">
+<!--()--></a><a name="Not_a_vulnerability_in_Tomcat"><strong>Not a vulnerability in Tomcat</strong></a></font></td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+
+<p>No reports</p>
+
+
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<!--FOOTER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade size="1">
+</td>
+</tr>
+<!--PAGE FOOTER-->
+<tr>
+<td colspan="2">
+<div align="center">
+<font color="#525D76" size="-1"><em>
+ Copyright © 1999-2013, The Apache Software Foundation
+ <br>
+ Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
+ project logo are trademarks of the Apache Software Foundation.
+ </em></font>
+</div>
+</td>
+</tr>
+</table>
+</body>
+</html>
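Review bot: the left-hand navigation in this generated page (the Download list at the "Tomcat 7.0"/"Tomcat 6.0" entries and the Documentation list likewise) has no Tomcat 8.0 entries, while the body of the same page sends readers to /tomcat-8.0-doc/building.html, /tomcat-8.0-doc/BUILDING.txt and /tomcat-8.0-doc/security-howto.html; readers arriving via the sidebar have no way to reach the 8.0 build and security-howto pages the text relies on. The same template also emits face="arial,helvetica.sanserif" (period instead of comma) in the "released 1 August 2013" cell, so browsers fall back to arial,helvetica only. Both appear to come from the shared site template rather than from security-8.xml, so fix them in the stylesheet and regenerate rather than hand-editing docs/security-8.html.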
Propchange: tomcat/site/trunk/docs/security-8.html
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/site/trunk/docs/security.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1510686&r1=1510685&r2=1510686&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Mon Aug 5 19:45:45 2013
@@ -209,6 +209,11 @@
<ul>
<li>
+<a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities
+ </a>
+</li>
+
+<li>
<a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities
</a>
</li>
Copied: tomcat/site/trunk/xdocs/security-8.xml (from r1510677, tomcat/site/trunk/xdocs/security-7.xml)
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?p2=tomcat/site/trunk/xdocs/security-8.xml&p1=tomcat/site/trunk/xdocs/security-7.xml&r1=1510677&r2=1510686&rev=1510686&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Mon Aug 5 19:45:45 2013
@@ -3,7 +3,7 @@
<properties>
<author>Apache Tomcat Project</author>
- <title>Apache Tomcat 7 vulnerabilities</title>
+ <title>Apache Tomcat 8 vulnerabilities</title>
</properties>
<body>
@@ -12,9 +12,9 @@
<toc/>
</section>
- <section name="Apache Tomcat 7.x vulnerabilities">
+ <section name="Apache Tomcat 8.x vulnerabilities">
<p>This page lists all security vulnerabilities fixed in released versions
- of Apache Tomcat 7.x. Each vulnerability is given a
+ of Apache Tomcat 8.x. Each vulnerability is given a
<a href="security-impact.html">security impact rating</a> by the Apache
Tomcat security team — please note that this rating may vary from
platform to platform. We also list the versions of Apache Tomcat the flaw
@@ -27,12 +27,12 @@
<p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
- Apache Tomcat version that you are using. For Tomcat 7.0 those are
- <a href="/tomcat-7.0-doc/building.html"><code>building.html</code></a> and
- <a href="/tomcat-7.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>.
+ Apache Tomcat version that you are using. For Tomcat 8.0 those are
+ <a href="/tomcat-8.0-doc/building.html"><code>building.html</code></a> and
+ <a href="/tomcat-8.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>.
Both files can be found in the <code>webapps/docs</code> subdirectory
of a binary distributive. You may also want to review the
- <a href="/tomcat-7.0-doc/security-howto.html">Security Considerations</a>
+ <a href="/tomcat-8.0-doc/security-howto.html">Security Considerations</a>
page in the documentation.</p>
<p>If you need help on building or configuring Tomcat or other help on
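Review bot: the three links changed here (/tomcat-8.0-doc/building.html, /tomcat-8.0-doc/BUILDING.txt and /tomcat-8.0-doc/security-howto.html) presume the 8.0 documentation tree is already published at that path on the site; nothing else in this commit adds it, and the sidebar of the generated page still lists only the 7.0 and 6.0 documentation. Confirm those targets resolve before publishing, since this is the page people are sent to when they need to build Tomcat 8 from source to pick up a security fix, and a 404 on the build instructions leaves them without the documented mitigation path.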
@@ -50,740 +50,15 @@
</section>
- <section name="Fixed in Apache Tomcat 7.0.40" rtext="released 9 May 2013">
-
- <p><strong>Moderate: Information disclosure</strong>
- <cve>CVE-2013-2071</cve></p>
-
- <p>Bug <bug>54178</bug> described a scenario where elements of a previous
- request may be exposed to a current request. This was very difficult to
- exploit deliberately but fairly likely to happen unexpectedly if an
- application used AsyncListeners that threw RuntimeExceptions.</p>
-
- <p>This was fixed in revision <revlink rev="1471372">1471372</revlink>.</p>
-
- <p>The root cause of the problem was identified as a Tomcat bug on 2 April
- 2013. The Tomcat security team identified the security implications on
- 24 April 2013 and made those details public on 10 May 2013.</p>
-
- <p>Affects: 7.0.0-7.0.39</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.33" rtext="released 21 Nov 2012">
-
- <p><strong>Important: Session fixation</strong>
- <cve>CVE-2013-2067</cve></p>
-
- <p>FORM authentication associates the most recent request requiring
- authentication with the current session. By repeatedly sending a request
- for an authenticated resource while the victim is completing the login
- form, an attacker could inject a request that would be executed using
- the victim's credentials.</p>
-
- <p>This was fixed in revision <revlink rev="1408044">1408044</revlink>.</p>
-
- <p>This issue was identified by the Tomcat security team on 15 Oct 2012 and
- made public on 10 May 2013.</p>
-
- <p>Affects: 7.0.0-7.0.32</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.32" rtext="released 9 Oct 2012">
-
- <p><strong>Important: Bypass of CSRF prevention filter</strong>
- <cve>CVE-2012-4431</cve></p>
-
- <p>The CSRF prevention filter could be bypassed if a request was made to a
- protected resource without a session identifier present in the request.
- </p>
-
- <p>This was fixed in revision <revlink rev="1393088">1393088</revlink>.</p>
-
- <p>This issue was identified by the Tomcat security team on 8 September 2012
- and made public on 4 December 2012.</p>
-
- <p>Affects: 7.0.0-7.0.31</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.30" rtext="released 6 Sep 2012">
-
- <p><strong>Important: Denial of service</strong>
- <cve>CVE-2012-3544</cve></p>
-
- <p>When processing a request submitted using the chunked transfer encoding,
- Tomcat ignored but did not limit any extensions that were included. This
- allows a client to perform a limited DOS by streaming an unlimited
- amount of data to the server.</p>
-
- <p>This was fixed in revisions <revlink rev="1378702">1378702</revlink> and
- <revlink rev="1378921">1378921</revlink>.</p>
-
- <p>This issue was reported to the Tomcat security team on 10 November 2011
- and made public on 10 May 2013.</p>
-
- <p>Affects: 7.0.0-7.0.29</p>
-
- <p><strong>Moderate: DIGEST authentication weakness</strong>
- <cve>CVE-2012-3439</cve></p>
-
- <p>Three weaknesses in Tomcat's implementation of DIGEST authentication
- were identified and resolved:
- </p>
- <ol>
- <li>Tomcat tracked client rather than server nonces and nonce count.</li>
- <li>When a session ID was present, authentication was bypassed.</li>
- <li>The user name and password were not checked before when indicating
- that a nonce was stale.</li>
- </ol>
- <p>
- These issues reduced the security of DIGEST authentication making
- replay attacks possible in some circumstances.
- </p>
-
- <p>This was fixed in revision <revlink rev="1377807">1377807</revlink>.</p>
-
- <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
- on 19 July 2012. The second and third issues were discovered by the
- Tomcat security team during the resulting code review. All three issues
- were made public on 5 November 2012.</p>
-
- <p>Affects: 7.0.0-7.0.29</p>
-
- <p><strong>Important: Bypass of security constraints</strong>
- <cve>CVE-2012-3546</cve></p>
-
- <p>When using FORM authentication it was possible to bypass the security
- constraint checks in the FORM authenticator by appending
- <code>/j_security_check</code> to the end of the URL if some other
- component (such as the Single-Sign-On valve) had called
- <code>request.setUserPrincipal()</code> before the call to
- <code>FormAuthenticator#authenticate()</code>.
- </p>
-
- <p>This was fixed in revision <revlink rev="1377892">1377892</revlink>.</p>
-
- <p>This issue was identified by the Tomcat security team on 13 July 2012 and
- made public on 4 December 2012.</p>
-
- <p>Affects: 7.0.0-7.0.29</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.28" rtext="released 19 Jun 2012">
-
- <p><strong>Important: Denial of service</strong>
- <cve>CVE-2012-2733</cve></p>
-
- <p>The checks that limited the permitted size of request headers were
- implemented too late in the request parsing process for the HTTP NIO
- connector. This enabled a malicious user to trigger an
- OutOfMemoryError by sending a single request with very large headers.
- </p>
-
- <p>This was fixed in revision <revlink rev="1350301">1350301</revlink>.</p>
-
- <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
- 2012 and made public on 5 November 2012.</p>
-
- <p>Affects: 7.0.0-7.0.27</p>
-
- <p><strong>Important: Denial of service</strong>
- <cve>CVE-2012-4534</cve></p>
-
- <p>When using the NIO connector with sendfile and HTTPS enabled, if a client
- breaks the connection while reading the response an infinite loop is
- entered leading to a denial of service. This was originally reported as
- <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=52858">bug
- 52858</a>.
- </p>
-
- <p>This was fixed in revision <revlink rev="1340218">1340218</revlink>.</p>
-
- <p>The security implications of this bug were reported to the Tomcat
- security team by Arun Neelicattu of the Red Hat Security Response Team on
- 3 October 2012 and made public on 4 December 2012.</p>
-
- <p>Affects: 7.0.0-7.0.27</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.23" rtext="released 25 Nov 2011">
-
- <p><strong>Important: Denial of service</strong>
- <cve>CVE-2012-0022</cve></p>
-
- <p>Analysis of the recent hash collision vulnerability identified unrelated
- inefficiencies with Apache Tomcat's handling of large numbers of
- parameters and parameter values. These inefficiencies could allow an
- attacker, via a specially crafted request, to cause large amounts of CPU
- to be used which in turn could create a denial of service. The issue was
- addressed by modifying the Tomcat parameter handling code to efficiently
- process large numbers of parameters and parameter values.</p>
-
- <p>This was fixed in revisions <revlink rev="1189899">1189899</revlink>,
- <revlink rev="1190372">1190372</revlink>,
- <revlink rev="1190482">1190482</revlink>,
- <revlink rev="1194917">1194917</revlink>,
- <revlink rev="1195225">1195225</revlink>,
- <revlink rev="1195226">1195226</revlink>,
- <revlink rev="1195537">1195537</revlink>,
- <revlink rev="1195909">1195909</revlink>,
- <revlink rev="1195944">1195944</revlink>,
- <revlink rev="1195951">1195951</revlink>,
- <revlink rev="1195977">1195977</revlink> and
- <revlink rev="1198641">1198641</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 21 October 2011 and
- made public on 17 January 2012.</p>
-
- <p>Affects: 7.0.0-7.0.22</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.22" rtext="released 1 Oct 2011">
-
- <p><strong>Important: Information disclosure</strong>
- <cve>CVE-2011-3375</cve></p>
-
- <p>For performance reasons, information parsed from a request is often
- cached in two places: the internal request object and the internal
- processor object. These objects are not recycled at exactly the same
- time. When certain errors occur that needed to be added to the access
- log, the access logging process triggers the re-population of the request
- object after it has been recycled. However, the request object was not
- recycled before being used for the next request. That lead to information
- leakage (e.g. remote IP address, HTTP headers) from the previous request
- to the next request. The issue was resolved be ensuring that the request
- and response objects were recycled after being re-populated to generate
- the necessary access log entries.</p>
-
- <p>This was fixed in <revlink rev="1176592">revision 1176592</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 22 September 2011 and
- made public on 17 January 2012.</p>
-
- <p>Affects: 7.0.0-7.0.21</p>
-
- <p><strong>Low: Privilege Escalation</strong>
- <cve>CVE-2011-3376</cve></p>
-
- <p>This issue only affects environments running web applications that are
- not trusted (e.g. shared hosting environments). The Servlets that
- implement the functionality of the Manager application that ships with
- Apache Tomcat should only be available to Contexts (web applications)
- that are marked as privileged. However, this check was not being made.
- This allowed an untrusted web application to use the functionality of the
- Manager application. This could be used to obtain information on running
- web applications as well as deploying additional web applications.
- </p>
-
- <p>This was fixed in <revlink rev="1176588">revision 1176588</revlink>.</p>
-
- <p>This was identified by Ate Douma on 27 September 2011 and made public
- on 8 November 2011.</p>
-
- <p>Affects: 7.0.0-7.0.21</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.21" rtext="released 1 Sep 2011">
-
- <p><strong>Important: Authentication bypass and information disclosure
- </strong>
- <cve>CVE-2011-3190</cve></p>
-
- <p>Apache Tomcat supports the AJP protocol which is used with reverse
- proxies to pass requests and associated data about the request from the
- reverse proxy to Tomcat. The AJP protocol is designed so that when a
- request includes a request body, an unsolicited AJP message is sent to
- Tomcat that includes the first part (or possibly all) of the request
- body. In certain circumstances, Tomcat did not process this message as a
- request body but as a new request. This permitted an attacker to have
- full control over the AJP message permitting authentication bypass and
- information disclosure. This vulnerability only occurs when all of the
- following are true:
- <ul>
- <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
- </li>
- <li>POST requests are accepted</li>
- <li>The request body is not processed</li>
- </ul>
- </p>
-
- <p>This was fixed in <revlink rev="1162958">revision 1162958</revlink>.</p>
-
- <p>This was reported publicly on 20th August 2011.</p>
-
- <p>Affects: 7.0.0-7.0.20</p>
-
- <p>Mitigation options:</p>
- <ul>
- <li>Upgrade to Tomcat 7.0.21</li>
- <li>Apply the appropriate <revlink rev="1162958">patch</revlink></li>
- <li>Configure both Tomcat and the reverse proxy to use a shared secret.<br />
- (It is "<code>requiredSecret</code>" attribute in AJP <Connector>,
- "<code>worker.<i>workername</i>.secret</code>" directive for mod_jk.
- The mod_proxy_ajp module currently does not support shared secrets).</li>
- </ul>
-
- <p>References:</p>
- <ul>
- <li><a href="/tomcat-7.0-doc/config/ajp.html">AJP Connector documentation (Tomcat 7.0)</a></li>
- <li><a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a></li>
- </ul>
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.20" rtext="released 11 Aug 2011">
-
- <p><strong>Important: Information disclosure</strong>
- <cve>CVE-2011-2729</cve></p>
-
- <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
- Linux that is part of the Commons Daemon project) does not drop
- capabilities allowing the application to access files and directories
- owned by superuser. This vulnerability only occurs when all of the
- following are true:
- <ul>
- <li>Tomcat is running on a Linux operating system</li>
- <li>jsvc was compiled with libcap</li>
- <li>-user parameter is used</li>
- </ul>
- Affected Tomcat versions shipped with source files for jsvc that included
- this vulnerability.
- </p>
-
- <p>This was fixed in <revlink rev="1153379">revision 1153379</revlink>.</p>
-
- <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
- on 12 August 2011.</p>
-
- <p>Affects: 7.0.0-7.0.19</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.19" rtext="released 19 Jul 2011">
-
- <p><strong>Low: Information disclosure</strong>
- <cve>CVE-2011-2526</cve></p>
-
- <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
- connectors. sendfile is used automatically for content served via the
- DefaultServlet and deployed web applications may use it directly via
- setting request attributes. These request attributes were not validated.
- When running under a security manager, this lack of validation allowed a
- malicious web application to do one or more of the following that would
- normally be prevented by a security manager:
- <ul>
- <li>return files to users that the security manager should make
- inaccessible</li>
- <li>terminate (via a crash) the JVM</li>
- </ul>
- Additionally, these vulnerabilities only occur when all of the following
- are true:
- <ul>
- <li>untrusted web applications are being used</li>
- <li>the SecurityManager is used to limit the untrusted web applications
- </li>
- <li>the HTTP NIO or HTTP APR connector is used</li>
- <li>sendfile is enabled for the connector (this is the default)</li>
- </ul>
- </p>
-
- <p>This was fixed in revisions
- <revlink rev="1145383">1145383</revlink>,
- <revlink rev="1145489">1145489</revlink>,
- <revlink rev="1145571">1145571</revlink>,
- <revlink rev="1145694">1145694</revlink> and
- <revlink rev="1146005">1146005</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 7 July 2011 and
- made public on 13 July 2011.</p>
-
- <p>Affects: 7.0.0-7.0.18</p>
-
- <p><i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
- release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
- Therefore, although users must download 7.0.19 to obtain a version that
- includes a fix for these issues, versions 7.0.17 and 7.0.18 are not
- included in the list of affected versions.</i></p>
-
- <p><strong>Low: Information disclosure</strong>
- <cve>CVE-2011-2204</cve></p>
-
- <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
- creating users via JMX, an exception during the user creation process may
- trigger an error message in the JMX client that includes the user's
- password. This error message is also written to the Tomcat logs. User
- passwords are visible to administrators with JMX access and/or
- administrators with read access to the tomcat-users.xml file. Users that
- do not have these permissions but are able to read log files may be able
- to discover a user's password.</p>
-
- <p>This was fixed in <revlink rev="1140070">revision 1140070</revlink>.</p>
-
- <p>This was identified by Polina Genova on 14 June 2011 and
- made public on 27 June 2011.</p>
-
- <p>Affects: 7.0.0-7.0.16</p>
-
- <p><strong>Low: Information disclosure</strong>
- <cve>CVE-2011-2481</cve></p>
-
- <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
- vulnerability previously reported as <cve>CVE-2009-0783</cve>.
- This was initially
- <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
- reported</a> as a memory leak. If a web application is the first web
- application loaded, this bugs allows that web application to potentially
- view and/or alter the web.xml, context.xml and tld files of other web
- applications deployed on the Tomcat instance.</p>
-
- <p>This was first fixed in
- <revlink rev="1137753">revision 1137753</revlink>,
- but reverted in <revlink rev="1138776">revision 1138776</revlink> and
- finally fixed in <revlink rev="1138788">revision 1138788</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 20 June 2011 and
- made public on 12 August 2011.</p>
-
- <p>Affects: 7.0.0-7.0.16</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.14" rtext="released 12 May 2011">
-
- <p><strong>Important: Security constraint bypass</strong>
- <cve>CVE-2011-1582</cve></p>
-
- <p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
- constraints configured via annotations were ignored on the first request
- to a Servlet. Subsequent requests were secured correctly.</p>
-
- <p>This was fixed in <revlink rev="1100832">revision 1100832</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 13 April 2011 and
- made public on 17 May 2011.</p>
-
- <p>Affects: 7.0.12-7.0.13</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.12" rtext="released 6 Apr 2011">
-
- <p><strong>Important: Information disclosure</strong>
- <cve>CVE-2011-1475</cve></p>
-
- <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
- asynchronous requests did not fully account for HTTP pipelining. As a
- result, when using HTTP pipelining a range of unexpected behaviours
- occurred including the mixing up of responses between requests. While
- the mix-up in responses was only observed between requests from the same
- user, a mix-up of responses for requests from different users may also be
- possible.</p>
-
- <p>This was fixed in revisions <revlink rev="1086349">1086349</revlink> and
- <revlink rev="1086352">1086352</revlink>.
- (Note: HTTP pipelined requests are still likely to fail with the
- HTTP BIO connector but will do so in a secure manner.)</p>
-
- <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
- 2011.</p>
-
- <p>Affects: 7.0.0-7.0.11</p>
-
- <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
- rel="nofollow">CVE-2011-1184</a></p>
-
- <p>Note: Mitre elected to break this issue down into multiple issues and
- have allocated the following additional references to parts of this
- issue:
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5062"
- rel="nofollow">CVE-2011-5062</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5063"
- rel="nofollow">CVE-2011-5063</a> and
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5064"
- rel="nofollow">CVE-2011-5064</a>. The Apache Tomcat security team will
- continue to treat this as a single issue using the reference
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
- rel="nofollow">CVE-2011-1184</a>.</p>
-
- <p>The implementation of HTTP DIGEST authentication was discovered to have
- several weaknesses:
- <ul>
- <li>replay attacks were permitted</li>
- <li>server nonces were not checked</li>
- <li>client nonce counts were not checked</li>
- <li>qop values were not checked</li>
- <li>realm values were not checked</li>
- <li>the server secret was hard-coded to a known string</li>
- </ul>
- The result of these weaknesses is that DIGEST authentication was only as
- secure as BASIC authentication.
- </p>
-
- <p>This was fixed in <revlink rev="1087655">revision 1087655</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 16 March 2011 and
- made public on 26 September 2011.</p>
-
- <p>Affects: 7.0.0-7.0.11</p>
-
- <p><strong>Important: Security constraint bypass</strong>
- <cve>CVE-2011-1183</cve></p>
-
- <p>A regression in the fix for CVE-2011-1088 meant that security constraints
- were ignored when no login configuration was present in the web.xml and
- the web application was marked as meta-data complete.</p>
-
- <p>This was fixed in <revlink rev="1087643">revision 1087643</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 17 March 2011 and
- made public on 6 April 2011.</p>
-
- <p>Affects: 7.0.11</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.11" rtext="released 11 Mar 2011">
-
- <p><strong>Important: Security constraint bypass</strong>
- <cve>CVE-2011-1088</cve></p>
-
- <p>When a web application was started, <code>ServletSecurity</code>
- annotations were ignored. This meant that some areas of the application
- may not have been protected as expected. This was partially fixed in
- Apache Tomcat 7.0.10 and fully fixed in 7.0.11.</p>
-
- <p>This was fixed in revisions <revlink rev="1076586">1076586</revlink>,
- <revlink rev="1076587">1076587</revlink>,
- <revlink rev="1077995">1077995</revlink> and
- <revlink rev="1079752">1079752</revlink>.</p>
-
- <p>This was reported publicly on the Tomcat users mailing list on 2 Mar
- 2011.</p>
-
- <p>Affects: 7.0.0-7.0.10</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.8" rtext="released 5 Feb 2011">
-
- <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.7 but the
- release vote for the 7.0.7 release candidate did not pass. Therefore,
- although users must download 7.0.8 to obtain a version that includes a
- fix for this issue, version 7.0.7 is not included in the list of
- affected versions.</i></p>
-
- <p><strong>Important: Remote Denial Of Service</strong>
- <cve>CVE-2011-0534</cve></p>
-
- <p>The NIO connector expands its buffer endlessly during request line
- processing. That behaviour can be used for a denial of service attack
- using a carefully crafted request.</p>
-
- <p>This was fixed in <revlink rev="1065939">revision 1065939</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 27 Jan 2011 and
- made public on 5 Feb 2011.</p>
-
- <p>Affects: 7.0.0-7.0.6</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.6" rtext="released 14 Jan 2011">
-
- <p><strong>Low: Cross-site scripting</strong>
- <cve>CVE-2011-0013</cve></p>
-
- <p>The HTML Manager interface displayed web application provided data, such
- as display names, without filtering. A malicious web application could
- trigger script execution by an administrative user when viewing the
- manager pages.</p>
-
- <p>This was fixed in <revlink rev="1057279">revision 1057279</revlink>.</p>
-
- <p>This was identified by the Tomcat security team on 12 Nov 2010 and
- made public on 5 Feb 2011.</p>
-
- <p>Affects: 7.0.0-7.0.5</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.5" rtext="released 1 Dec 2010">
-
- <p><strong>Low: Cross-site scripting</strong>
- <cve>CVE-2010-4172</cve></p>
-
- <p>The Manager application used the user provided parameters sort and
- orderBy directly without filtering thereby permitting cross-site
- scripting. The CSRF protection, which is enabled by default, prevents an
- attacker from exploiting this.</p>
-
- <p>This was fixed in <revlink rev="1037778">revision 1037778</revlink>.</p>
-
- <p>This was first reported to the Tomcat security team on 15 Nov 2010 and
- made public on 22 Nov 2010.</p>
-
- <p>Affects: 7.0.0-7.0.4</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.4" rtext="released 21 Oct 2010">
-
- <p><strong>Low: SecurityManager file permission bypass</strong>
- <cve>CVE-2010-3718</cve></p>
-
- <p>When running under a SecurityManager, access to the file system is
- limited but web applications are granted read/write permissions to the
- work directory. This directory is used for a variety of temporary files
- such as the intermediate files generated when compiling JSPs to Servlets.
- The location of the work directory is specified by a ServletContect
- attribute that is meant to be read-only to web applications. However,
- due to a coding error, the read-only setting was not applied. Therefore,
- a malicious web application may modify the attribute before Tomcat
- applies the file permissions. This can be used to grant read/write
- permissions to any area on the file system which a malicious web
- application may then take advantage of. This vulnerability is only
- applicable when hosting web applications from untrusted sources such as
- shared hosting environments.</p>
-
- <p>This was fixed in <revlink rev="1022134">revision 1022134</revlink>.</p>
-
- <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
- made public on 5 Feb 2011.</p>
-
- <p>Affects: 7.0.0-7.0.3</p>
-
- </section>
-
- <section name="Fixed in Apache Tomcat 7.0.2" rtext="released 11 Aug 2010">
-
- <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the
- release vote for the 7.0.1 release candidate did not pass. Therefore,
- although users must download 7.0.2 to obtain a version that includes a
- fix for this issue, version 7.0.2 is not included in the list of
- affected versions.</i></p>
-
- <p><strong>Important: Remote Denial Of Service and Information Disclosure
- Vulnerability</strong>
- <cve>CVE-2010-2227</cve></p>
-
- <p>Several flaws in the handling of the 'Transfer-Encoding' header were
- found that prevented the recycling of a buffer. A remote attacker could
- trigger this flaw which would cause subsequent requests to fail and/or
- information to leak between requests. This flaw is mitigated if Tomcat is
- behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
- reject the invalid transfer encoding header.</p>
-
- <p>This was fixed in <revlink rev="958911">revision 958911</revlink>.</p>
-
- <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
- made public on 9 Jul 2010.</p>
-
- <p>Affects: 7.0.0</p>
+ <section name="Fixed in Apache Tomcat 8.0.0-RC1" rtext="released 1 August 2013">
+ <p>No reports</p>
+
</section>
<section name="Not a vulnerability in Tomcat">
-
- <p><strong>Low: Denial Of Service</strong>
- <cve>CVE-2012-5568</cve></p>
-
- <p>Sending an HTTP request 1 byte at a time will consume a thread from the
- connection pool until the request has been fully processed if using the
- BIO or APR/native HTTP connectors. Multiple requests may be used to
- consume all threads in the connection pool thereby creating a denial of
- service.</p>
-
- <p>Since the relationship between the client side resources and server side
- resources is a linear one, this issue is not something that the Tomcat
- Security Team views as a vulnerability. This is a generic DoS problem and
- there is no magic solution. This issue has been discussed several times
- on the Tomcat mailing lists. The best place to start to review these
- discussions is the report for
- <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
- 54236</a>.</p>
-
- <p>This was first discussed on the public Tomcat users mailing list on 19
- June 2009.</p>
-
- <p>Affects: 7.0.0-7.0.x</p>
-
- <p><strong>Important: Remote Denial Of Service</strong>
- <cve>CVE-2010-4476</cve></p>
-
- <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
- form based security constrained page or any page that calls
- javax.servlet.ServletRequest.getLocale() or
- javax.servlet.ServletRequest.getLocales(). A specially crafted request
- can be used to trigger a denial of service.
- </p>
- <p>A work-around for this JVM bug was provided in
- <revlink rev="1066244">revision 1066244</revlink>.</p>
-
- <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
- made public on 31 Jan 2011.</p>
-
- <p>Affects: 7.0.0-7.0.6</p>
-
- <p><strong>Moderate: TLS SSL Man In The Middle</strong>
- <cve>CVE-2009-3555</cve></p>
-
- <p>A vulnerability exists in the TLS protocol that allows an attacker to
- inject arbitrary requests into an TLS stream during renegotiation.</p>
-
- <p>The TLS implementation used by Tomcat varies with connector. The blocking
- IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
- provided by the JVM. The APR/native connector uses OpenSSL.</p>
-
- <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
- To workaround a vulnerable version of JSSE, use the connector attribute
- <code>allowUnsafeLegacyRenegotiation</code>. It should be set to
- <code>false</code> (the default) to protect against this vulnerability.
- </p>
-
- <p>The NIO connector prior to 7.0.10 is not vulnerable as it does not
- support renegotiation.</p>
-
- <p>The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE
- version used is vulnerable. To workaround a vulnerable version of JSSE,
- use the connector attribute <code>allowUnsafeLegacyRenegotiation</code>.
- It should be set to <code>false</code> (the default) to protect against
- this vulnerability.</p>
-
- <p>The APR/native workarounds are detailed on the
- <a href="security-native.html">APR/native connector security page</a>.
- </p>
-
- <p>Users should be aware that the impact of disabling renegotiation will
- vary with both application and client. In some circumstances disabling
- renegotiation may result in some clients being unable to access the
- application.</p>
-
- <p>This was worked-around in
- <revlink rev="882320">revision 891292</revlink>.</p>
-
- <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
- have this security issue:</p>
-
- <ul>
- <li>For connectors using JSSE implementation provided by JVM:
- Added in Tomcat 7.0.8.<br />
- Requires JRE that supports RFC 5746. For Oracle JRE that is
- <a rel="nofollow"
- href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
- to be 6u22 or later.
- </li>
- <li>For connectors using APR and OpenSSL:<br />
- TBD. See
- <a href="security-native.html">APR/native connector security page</a>.
- </li>
- </ul>
+ <p>No reports</p>
</section>
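Review bot: replacing the whole body of the "Not a vulnerability in Tomcat" section with <p>No reports</p> drops the CVE-2012-5568 entry, whose reasoning (one slow request ties up one thread on the BIO or APR/native connector, the client/server resource relationship is linear, so it is a generic DoS rather than a Tomcat vulnerability) describes connector behaviour rather than a 7.x-specific bug; consider carrying that entry over with an 8.x Affects line instead of starting the section empty, so readers of the 8.x page still find the rationale and the bug 54263 pointer. Two smaller points: the new rtext="released 1 August 2013" uses a full month name where the existing sections use the abbreviated form ("released 11 Mar 2011"), and several defects visible in the removed 7.x text were inherited from security-7.xml and should be fixed there too: the bug link href points at id=54263 while the link text says 54236, <revlink rev="882320"> is labelled "revision 891292", CVE-2010-4476 is recorded as reported on 01 Feb 2011 but made public on 31 Jan 2011, and "ServletContect" should read "ServletContext".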
Modified: tomcat/site/trunk/xdocs/security.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=1510686&r1=1510685&r2=1510686&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Mon Aug 5 19:45:45 2013
@@ -25,6 +25,8 @@
<p>Lists of security problems fixed in released versions of Apache Tomcat
are available:</p>
<ul>
+ <li><a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities
+ </a></li>
<li><a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities
</a></li>
<li><a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities