Note: This is an archival copy of Security Sun Alert 239312 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019412.1.
Article ID : 1019412.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10



Category
Security

Release Phase
Resolved

Bug Id
6575001

Product
Solaris 9 Operating System
Solaris 10 Operating System

Date of Workaround Release
30-Jun-2008

Date of Resolved Release
04-Sep-2008

Security Vulnerabilities in Tomcat 4.0 (see below)

1. Impact

There are several vulnerabilities in the Tomcat JSP/Servlet container
which affect Tomcat 4.0 bundled in Solaris 10 and Solaris 9.

These issues may allow a remote or local unprivileged user to cause
a denial of service (DoS), inject arbitrary web script or HTML via
Cross-Site Scripting (XSS) attempts, read arbitrary files and
source code from the server, or obtain the installation path and
other sensitive information.

Additional information regarding these issues is available at:
    * Apache Tomcat 4.x vulnerabilities:
http://tomcat.apache.org/security-4.html

    * CVE-2002-1148 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148

    * CVE-2002-1394 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394

    * CVE-2002-2006 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006

    * CVE-2003-0866 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866

    * CVE-2005-2090 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090

    * CVE-2005-3164 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164

    * CVE-2005-3510 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510

    * CVE-2006-3835 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835

    * CVE-2007-0450 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

    * CVE-2007-1355 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355

    * CVE-2007-1358 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358

    * CVE-2007-2450 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450

    * CVE-2007-5461 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
  • Solaris 9 without patches 114016-02 and 113146-11
  • Solaris 10 without patch 122911-12

x86 Platform
  • Solaris 9 without patches 114017-02 and 114145-10
  • Solaris 10 without patch 122912-12

A system is only vulnerable to the described issues if Tomcat 4.0
has been configured and is running on the system.

The following command can be executed to determine if the Tomcat 4.0
JSP/Servlet container is currently running on the system:

$ /usr/bin/ps -ef | grep "usr/apache/tomcat/bin"
nobody 11157 1 1 09:18:13 pts/1 0:09 /usr/java/bin/java -Djava.endorsed.dirs=/usr/apache/tomcat/bin:/usr/apache/tomc


Note: Solaris 8 does not include support for Tomcat and so it
is not impacted by these issues.

3. Symptoms

There are no predictable symptoms that would indicate the described
issues have been exploited on a system.

4. Workaround

There is no workaround. Please see Resolution section below.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform
  • Solaris 9 with patches 114016-02 and 113146-11 or later
  • Solaris 10 with patch 122911-12 or later

x86 Platform
  • Solaris 9 with patches 114017-02 and 114145-10 or later
  • Solaris 10 with patch 122912-12 or later

Note 1:

The above patches will install Tomcat 5.5 alongside the version
which was originally shipped, version 4.0. After installation,
existing applications should be migrated to the new version and the
old version should be decommissioned, in order to fully resolve
these issues.

Note 2:

Tomcat 5.5 is installed by the patch in the following paths:
/usr/apache/tomcat55 and /var/apache/tomcat55 (the original version
4.0 remains in /usr/apache/tomcat and /var/apache/tomcat).

Note 3:

Tomcat 5.5 is started when the Apache 1.3 Web Server is started,
if the Tomcat 5.5 configuration file
/var/apache/tomcat55/conf/server.xml exists and the Apache 1.3 Web
Server configuration file /etc/apache/httpd.conf includes
/etc/apache/tomcat.conf (this file enables the Apache Web Server
Tomcat connector).

The existing Tomcat 4.0 is still started, as previously, together
with Apache 1.3 Web Server if the Tomcat 4.0 configuration file
/var/apache/tomcat/conf/server.xml exists and the Apache 1.3 Web
Server configuration file /etc/apache/httpd.conf includes
/etc/apache/tomcat.conf. However, it will now only start if there
is no configuration file for Tomcat 5.5 located at
/var/apache/tomcat55/conf/server.xml.
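
The start-up rules in Note 3 and the "or later" patch levels listed above can be checked with a short script. This is an added example, not code from Sun or from the patches. The function names, the ROOT prefix argument, the assumption that tomcat.conf is pulled in by an Include line, and the "Patch: <id>-<rev>" listing layout are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Sun's code. ROOT is a hypothetical prefix argument so the
# check can be run against a copy of the config tree; pass "" for the live host.

# Prints which container the Apache 1.3 start-up launches: tomcat55, tomcat4 or none.
tomcat_started_by_apache() {
    root=$1
    httpd_conf="$root/etc/apache/httpd.conf"
    # Assumption: tomcat.conf is pulled in by an uncommented Include directive.
    if [ ! -f "$httpd_conf" ] ||
       ! grep -Ei '^[[:space:]]*Include[[:space:]]+"?/etc/apache/tomcat\.conf' \
            "$httpd_conf" >/dev/null; then
        echo none
    elif [ -f "$root/var/apache/tomcat55/conf/server.xml" ]; then
        echo tomcat55
    elif [ -f "$root/var/apache/tomcat/conf/server.xml" ]; then
        echo tomcat4    # the vulnerable 4.0 container is still the one started
    else
        echo none
    fi
}

# Reads a patch listing on stdin (lines beginning "Patch: <id>-<rev>", the
# layout printed by showrev -p) and succeeds if patch $1 is present at the
# required revision or a later one.
patch_at_least() {
    want_id=${1%-*}
    want_rev=${1#*-}
    awk -v id="$want_id" -v rev="$want_rev" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 >= rev + 0) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample listing (not from a real host): 122911 is one revision short.
sample='Patch: 122911-11 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 114016-02 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'
for p in 122911-12 114016-02; do
    if printf '%s\n' "$sample" | patch_at_least "$p"; then
        echo "$p: present"
    else
        echo "$p: missing or too old"
    fi
done
```

On a live host, the patch listing would be piped in from showrev -p, and a result of tomcat4 from tomcat_started_by_apache "" means the patched system is still starting the 4.0 container because no Tomcat 5.5 server.xml is in place.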

Note 4:

When using Tomcat 4.0 with the Apache 1.3 Web Server Tomcat connector
mod_webapp.so, you will also need to migrate to mod_jk.so (by
modifying the /etc/apache/tomcat.conf file, which will have been
updated during patch installation and which contains some limited
documentation in its comments).

Note 5:

Some of the vulnerabilities mentioned may require some amount of
reconfiguration or other mitigation in order to fully avoid
exposure. See the advisory published by the Apache organization
for further details about each vulnerability:

http://tomcat.apache.org/security-4.html


For more information on Security Sun Alerts, see

Modification History
04-Sep-2008: Updated Contributing Factors and Resolution sections. Resolved.


References

122911-12
122912-12
114016-02
113146-11
114017-02
114145-10
