You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/12/19 15:10:33 UTC
svn commit: r728026 - in /tomcat/site/trunk: docs/security-4.html
docs/security-5.html docs/security-6.html xdocs/security-4.xml
xdocs/security-5.xml xdocs/security-6.xml
Author: markt
Date: Fri Dec 19 06:10:33 2008
New Revision: 728026
URL: http://svn.apache.org/viewvc?rev=728026&view=rev
Log:
Update security pages with real cause of CVE-2008-2938
Modified:
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-4.xml
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=728026&r1=728025&r2=728026&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Fri Dec 19 06:10:33 2008
@@ -326,28 +326,6 @@
<p>Affects: 4.1.0-4.1.37</p>
- <p>
-<strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
- CVE-2008-2938</a>
-</p>
-
- <p>If a context is configured with <code>allowLinking="true"</code> and the
- connector is configured with <code>URIEncoding="UTF-8"</code> then a
- malformed request may be used to access arbitrary files on the server.
- If the connector is configured with <code>URIEncoding="UTF-8"</code> then
- a malformed request may be used to access arbitrary files within the
- docBase of a context such as web.xml. It should also be noted that
- setting <code>useBodyEncodingForURI="true"</code> has the same effect as
- setting <code>URIEncoding="UTF-8"</code> when processing requests with
- bodies encoded with UTF-8.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=681065&view=rev">
- revision 681065</a>.</p>
-
- <p>Affects: 4.1.0-4.1.37</p>
-
</blockquote>
</p>
</td>
@@ -1072,6 +1050,39 @@
page that called System.exit(1) rather than relying on a bug in an
internal Sun class.</p>
+ <p>
+<strong>important: Directory traversal</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
+ CVE-2008-2938</a>
+</p>
+
+ <p>Originally reported as a Tomcat vulnerability the root cause of this
+ issue is that the JVM does not correctly decode UTF-8 encoded URLs to
+ UTF-8. This exposes a directory traversal vulnerability when the
+ connector uses <code>URIEncoding="UTF-8"</code>. This directory traversal
+ is limited to the docBase of the web application.</p>
+
+ <p>If a context is configured with <code>allowLinking="true"</code> then the
+ directory traversal vulnerability is extended to the entire file system
+ of the host server.</p>
+
+ <p>It should also be noted that setting
+ <code>useBodyEncodingForURI="true"</code> has the same effect as setting
+ <code>URIEncoding="UTF-8"</code> when processing requests with bodies
+ encoded with UTF-8.</p>
+
+ <p>Although the root cause was quickly identified as a JVM issue and that it
+ affected multiple JVMs from multiple vendors, it was decided to report
+ this as a Tomcat vulnerability until such time as the JVM vendors
+ provided updates to resolve this issue. For further information on the
+ status of this issue for your JVM, contact your JVM vendor.</p>
+
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=681065&view=rev">
+ revision 681065</a> that protects against this and any similar character
+ encoding issues that may still exist in the JVM. This work around is
+ included in Tomcat 4.1.39 onwards.</p>
+
</blockquote>
</p>
</td>
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=728026&r1=728025&r2=728026&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Fri Dec 19 06:10:33 2008
@@ -288,28 +288,6 @@
<p>Affects: 5.5.0-5.5.26</p>
- <p>
-<strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
- CVE-2008-2938</a>
-</p>
-
- <p>If a context is configured with <code>allowLinking="true"</code> and the
- connector is configured with <code>URIEncoding="UTF-8"</code> then a
- malformed request may be used to access arbitrary files on the server.
- If the connector is configured with <code>URIEncoding="UTF-8"</code> then
- a malformed request may be used to access arbitrary files within the
- docBase of a context such as web.xml. It should also be noted that
- setting <code>useBodyEncodingForURI="true"</code> has the same effect as
- setting <code>URIEncoding="UTF-8"</code> when processing requests with
- bodies encoded with UTF-8.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=681029&view=rev">
- revision 681029</a>.</p>
-
- <p>Affects: 5.5.0-5.5.26</p>
-
</blockquote>
</p>
</td>
@@ -964,6 +942,39 @@
<p>The vulnerability described is in the web application deployed on Tomcat
rather than in Tomcat.</p>
+ <p>
+<strong>important: Directory traversal</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
+ CVE-2008-2938</a>
+</p>
+
+ <p>Originally reported as a Tomcat vulnerability the root cause of this
+ issue is that the JVM does not correctly decode UTF-8 encoded URLs to
+ UTF-8. This exposes a directory traversal vulnerability when the
+ connector uses <code>URIEncoding="UTF-8"</code>. This directory traversal
+ is limited to the docBase of the web application.</p>
+
+ <p>If a context is configured with <code>allowLinking="true"</code> then the
+ directory traversal vulnerability is extended to the entire file system
+ of the host server.</p>
+
+ <p>It should also be noted that setting
+ <code>useBodyEncodingForURI="true"</code> has the same effect as setting
+ <code>URIEncoding="UTF-8"</code> when processing requests with bodies
+ encoded with UTF-8.</p>
+
+ <p>Although the root cause was quickly identified as a JVM issue and that it
+ affected multiple JVMs from multiple vendors, it was decided to report
+ this as a Tomcat vulnerability until such time as the JVM vendors
+ provided updates to resolve this issue. For further information on the
+ status of this issue for your JVM, contact your JVM vendor.</p>
+
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=681029&view=rev">
+ revision 681029</a> that protects against this and any similar character
+ encoding issues that may still exist in the JVM. This work around is
+ included in Tomcat 5.5.27 onwards.</p>
+
</blockquote>
</p>
</td>
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=728026&r1=728025&r2=728026&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Fri Dec 19 06:10:33 2008
@@ -282,28 +282,6 @@
<p>Affects: 6.0.0-6.0.16</p>
- <p>
-<strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
- CVE-2008-2938</a>
-</p>
-
- <p>If a context is configured with <code>allowLinking="true"</code> and the
- connector is configured with <code>URIEncoding="UTF-8"</code> then a
- malformed request may be used to access arbitrary files on the server.
- If the connector is configured with <code>URIEncoding="UTF-8"</code> then
- a malformed request may be used to access arbitrary files within the
- docBase of a context such as web.xml. It should also be noted that
- setting <code>useBodyEncodingForURI="true"</code> has the same effect as
- setting <code>URIEncoding="UTF-8"</code> when processing requests with
- bodies encoded with UTF-8.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=678137&view=rev">
- revision 678137</a>.</p>
-
- <p>Affects: 6.0.0-6.0.16</p>
-
</blockquote>
</p>
</td>
@@ -679,6 +657,63 @@
</td>
</tr>
</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Not a vulnerability in Tomcat">
+<strong>Not a vulnerability in Tomcat</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>important: Directory traversal</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
+ CVE-2008-2938</a>
+</p>
+
+ <p>Originally reported as a Tomcat vulnerability the root cause of this
+ issue is that the JVM does not correctly decode UTF-8 encoded URLs to
+ UTF-8. This exposes a directory traversal vulnerability when the
+ connector uses <code>URIEncoding="UTF-8"</code>. This directory traversal
+ is limited to the docBase of the web application.</p>
+
+ <p>If a context is configured with <code>allowLinking="true"</code> then the
+ directory traversal vulnerability is extended to the entire file system
+ of the host server.</p>
+
+ <p>It should also be noted that setting
+ <code>useBodyEncodingForURI="true"</code> has the same effect as setting
+ <code>URIEncoding="UTF-8"</code> when processing requests with bodies
+ encoded with UTF-8.</p>
+
+ <p>Although the root cause was quickly identified as a JVM issue and that it
+ affected multiple JVMs from multiple vendors, it was decided to report
+ this as a Tomcat vulnerability until such time as the JVM vendors
+ provided updates to resolve this issue. For further information on the
+ status of this issue for your JVM, contact your JVM vendor.</p>
+
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=678137&view=rev">
+ revision 678137</a> that protects against this and any similar character
+ encoding issues that may still exist in the JVM. This work around is
+ included in Tomcat 6.0.18 onwards.</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
</td>
</tr>
<!--FOOTER SEPARATOR-->
Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=728026&r1=728025&r2=728026&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Fri Dec 19 06:10:33 2008
@@ -94,26 +94,6 @@
<p>Affects: 4.1.0-4.1.37</p>
- <p><strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
- CVE-2008-2938</a></p>
-
- <p>If a context is configured with <code>allowLinking="true"</code> and the
- connector is configured with <code>URIEncoding="UTF-8"</code> then a
- malformed request may be used to access arbitrary files on the server.
- If the connector is configured with <code>URIEncoding="UTF-8"</code> then
- a malformed request may be used to access arbitrary files within the
- docBase of a context such as web.xml. It should also be noted that
- setting <code>useBodyEncodingForURI="true"</code> has the same effect as
- setting <code>URIEncoding="UTF-8"</code> when processing requests with
- bodies encoded with UTF-8.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=681065&view=rev">
- revision 681065</a>.</p>
-
- <p>Affects: 4.1.0-4.1.37</p>
-
</section>
<section name="Fixed in Apache Tomcat 4.1.37">
@@ -522,6 +502,37 @@
page that called System.exit(1) rather than relying on a bug in an
internal Sun class.</p>
+ <p><strong>important: Directory traversal</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
+ CVE-2008-2938</a></p>
+
+ <p>Originally reported as a Tomcat vulnerability the root cause of this
+ issue is that the JVM does not correctly decode UTF-8 encoded URLs to
+ UTF-8. This exposes a directory traversal vulnerability when the
+ connector uses <code>URIEncoding="UTF-8"</code>. This directory traversal
+ is limited to the docBase of the web application.</p>
+
+ <p>If a context is configured with <code>allowLinking="true"</code> then the
+ directory traversal vulnerability is extended to the entire file system
+ of the host server.</p>
+
+ <p>It should also be noted that setting
+ <code>useBodyEncodingForURI="true"</code> has the same effect as setting
+ <code>URIEncoding="UTF-8"</code> when processing requests with bodies
+ encoded with UTF-8.</p>
+
+ <p>Although the root cause was quickly identified as a JVM issue and that it
+ affected multiple JVMs from multiple vendors, it was decided to report
+ this as a Tomcat vulnerability until such time as the JVM vendors
+ provided updates to resolve this issue. For further information on the
+ status of this issue for your JVM, contact your JVM vendor.</p>
+
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=681065&view=rev">
+ revision 681065</a> that protects against this and any similar character
+ encoding issues that may still exist in the JVM. This work around is
+ included in Tomcat 4.1.39 onwards.</p>
+
</section>
</body>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=728026&r1=728025&r2=728026&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Fri Dec 19 06:10:33 2008
@@ -79,26 +79,6 @@
<p>Affects: 5.5.0-5.5.26</p>
- <p><strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
- CVE-2008-2938</a></p>
-
- <p>If a context is configured with <code>allowLinking="true"</code> and the
- connector is configured with <code>URIEncoding="UTF-8"</code> then a
- malformed request may be used to access arbitrary files on the server.
- If the connector is configured with <code>URIEncoding="UTF-8"</code> then
- a malformed request may be used to access arbitrary files within the
- docBase of a context such as web.xml. It should also be noted that
- setting <code>useBodyEncodingForURI="true"</code> has the same effect as
- setting <code>URIEncoding="UTF-8"</code> when processing requests with
- bodies encoded with UTF-8.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=681029&view=rev">
- revision 681029</a>.</p>
-
- <p>Affects: 5.5.0-5.5.26</p>
-
</section>
<section name="Fixed in Apache Tomcat 5.5.26">
@@ -413,6 +393,37 @@
<p>The vulnerability described is in the web application deployed on Tomcat
rather than in Tomcat.</p>
+ <p><strong>important: Directory traversal</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
+ CVE-2008-2938</a></p>
+
+ <p>Originally reported as a Tomcat vulnerability the root cause of this
+ issue is that the JVM does not correctly decode UTF-8 encoded URLs to
+ UTF-8. This exposes a directory traversal vulnerability when the
+ connector uses <code>URIEncoding="UTF-8"</code>. This directory traversal
+ is limited to the docBase of the web application.</p>
+
+ <p>If a context is configured with <code>allowLinking="true"</code> then the
+ directory traversal vulnerability is extended to the entire file system
+ of the host server.</p>
+
+ <p>It should also be noted that setting
+ <code>useBodyEncodingForURI="true"</code> has the same effect as setting
+ <code>URIEncoding="UTF-8"</code> when processing requests with bodies
+ encoded with UTF-8.</p>
+
+ <p>Although the root cause was quickly identified as a JVM issue and that it
+ affected multiple JVMs from multiple vendors, it was decided to report
+ this as a Tomcat vulnerability until such time as the JVM vendors
+ provided updates to resolve this issue. For further information on the
+ status of this issue for your JVM, contact your JVM vendor.</p>
+
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=681029&view=rev">
+ revision 681029</a> that protects against this and any similar character
+ encoding issues that may still exist in the JVM. This work around is
+ included in Tomcat 5.5.27 onwards.</p>
+
</section>
</body>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=728026&r1=728025&r2=728026&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Fri Dec 19 06:10:33 2008
@@ -73,26 +73,6 @@
<p>Affects: 6.0.0-6.0.16</p>
- <p><strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
- CVE-2008-2938</a></p>
-
- <p>If a context is configured with <code>allowLinking="true"</code> and the
- connector is configured with <code>URIEncoding="UTF-8"</code> then a
- malformed request may be used to access arbitrary files on the server.
- If the connector is configured with <code>URIEncoding="UTF-8"</code> then
- a malformed request may be used to access arbitrary files within the
- docBase of a context such as web.xml. It should also be noted that
- setting <code>useBodyEncodingForURI="true"</code> has the same effect as
- setting <code>URIEncoding="UTF-8"</code> when processing requests with
- bodies encoded with UTF-8.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=678137&view=rev">
- revision 678137</a>.</p>
-
- <p>Affects: 6.0.0-6.0.16</p>
-
</section>
@@ -305,6 +285,40 @@
<p>Affects: 6.0.0-6.0.5</p>
</section>
+ <section name="Not a vulnerability in Tomcat">
+ <p><strong>important: Directory traversal</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
+ CVE-2008-2938</a></p>
+
+ <p>Originally reported as a Tomcat vulnerability the root cause of this
+ issue is that the JVM does not correctly decode UTF-8 encoded URLs to
+ UTF-8. This exposes a directory traversal vulnerability when the
+ connector uses <code>URIEncoding="UTF-8"</code>. This directory traversal
+ is limited to the docBase of the web application.</p>
+
+ <p>If a context is configured with <code>allowLinking="true"</code> then the
+ directory traversal vulnerability is extended to the entire file system
+ of the host server.</p>
+
+ <p>It should also be noted that setting
+ <code>useBodyEncodingForURI="true"</code> has the same effect as setting
+ <code>URIEncoding="UTF-8"</code> when processing requests with bodies
+ encoded with UTF-8.</p>
+
+ <p>Although the root cause was quickly identified as a JVM issue and that it
+ affected multiple JVMs from multiple vendors, it was decided to report
+ this as a Tomcat vulnerability until such time as the JVM vendors
+ provided updates to resolve this issue. For further information on the
+ status of this issue for your JVM, contact your JVM vendor.</p>
+
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=678137&view=rev">
+ revision 678137</a> that protects against this and any similar character
+ encoding issues that may still exist in the JVM. This work around is
+ included in Tomcat 6.0.18 onwards.</p>
+
+ </section>
+
</body>
</document>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org