Category
Security
Release Phase
Resolved
Bug Id
6849727, 6848375
ProductSolaris 9 Operating System
Solaris 10 Operating System
OpenSolaris
Date of Preliminary Release09-Jul-2009
Date of Resolved Release09-Oct-2009
Security Vulnerabilities in Solaris Bundled Tomcat .. (see below)
1. Impact
There are five security vulnerabilities in the Tomcat JSP/Servlet container that
affect Tomcat 5.5 bundled in Solaris 9 and Solaris 10 and Tomcat 6 bundled in OpenSolaris.
The first vulnerability, Directory Traversal issue (CVE-2008-5515), may
allow a remote
unprivileged user who provides a specially crafted
request to a servlet which is using a
RequestDispatcher object to
bypass access control and gain access to unauthorized data.
The second security vulnerability is Denial of Service (CVE-2009-0033). A remote
unprivileged user who provides specially crafted requests to Tomcat via the
AJP (Apache JServ Protocol) connector when it's being used with Apache mod_jk load
balancing, may cause Denial of Service (DoS) to this Tomcat service.
The third vulnerability, bypassing access control (CVE-2009-0580), may allow a remote
unprivileged user who provides a specially crafted URL to bypass access control and
gain access to unauthorized data when FORM based authentication is used with
the MemoryRealm, the DataSourceRealm or JDBCRealm.
The fourth vulnerability, Cross Site Scripting (CVE-2009-0781), may allow a remote
unprivileged user who provides a specially crafted HTTP request to the Tomcat example
JSP application Calendar to inject arbitrary web script and thus gain access to unauthorized data.
The fifth vulnerability, bypassing access control (CVE-2009-0783), may allow a user who
has been granted permission to provide web applications which are served by the Tomcat
instance, to view and modify content of other installed web applications by providing a crafted application.
Additional information regarding these issues is available at:
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
- Solaris 9 without patch 114016-05
- Solaris 10 without patch 122911-17
- OpenSolaris based upon builds snv_01 through snv_117
x86 Platform
- Solaris 9 without patch 114017-05
- Solaris 10 without patch 122912-17
- OpenSolaris based upon builds snv_01 through snv_117
Note 1: OpenSolaris distributions may include additional bug fixes above
and beyond the build from which it was derived. To determine the base
build of OpenSolaris, the following command can be used:
$ uname -v
snv_111
Note 2: A system is only vulnerable to these issues if Tomcat has been
configured and is running on the system.
To determine if Tomcat 5.5 is installed on Solaris 10 or Solaris 9, a
command such as the following can be used:
$ pkginfo SUNWtcatr
system SUNWtcatr Tomcat Servlet/JSP Container (root)
Tomcat 5.5 can be configured to start in various different ways. For
assistance in determining if Tomcat is configured to run on the system,
consult the documentation which is usually available in the
"/var/apache/tomcat/webapps/tomcat-docs" directory.
To determine if Tomcat 6 is running on OpenSolaris, a command such as
the following can be used:
$ svcs tomcat6
STATE STIME FMRI
online Jun_23 svc:/network/http:tomcat6
Note 3: A system is only vulnerable to the first issue (CVE-2008-5515),
when servlet containers are making use of a RequestDispatcher object.
To determine if such a servlet is installed, search the directory where the
web applications are installed for the use of this object.
For Tomcat 5.5 on Solaris 10 and Solaris 9 a command such as the following can be used:
$ find /var/apache/tomcat55/webapps -exec grep RequestDispatcher {} \; -print
getServletConfig().getServletContext().getRequestDispatcher("/jsptoserv/hello.jsp").forward(request, response);
/var/apache/tomcat55/webapps/jsp-examples/WEB-INF/classes/servletToJsp.java
For Tomcat 6 on OpenSolaris a command such as the following can be used::
$ find /var/tomcat6/webapps -exec grep RequestDispatcher {} \; -print
getServletConfig().getServletContext().getRequestDispatcher("/jsp/jsptoserv/hello.jsp").forward(request, response);
/var/tomcat6/webapps/examples/WEB-INF/classes/servletToJsp.java
Note 4: A system is only vulnerable to the second issue (CVE-2009-0033)
when Apache web server mod_jk load balancing is used. To determine if
the mod_jk load balancing is used, a command such as the following can
be run to search Jk worker file (JkWorkersFile is defined in the Apache
web server configuration files) for balance_workers property.
$ grep balance_workers /etc/apache/workers.properties
worker.balancer.balance_workers=farm1,farm2
Note 5: Solaris 10 and 9 users of Tomcat 4.0 might be also vulnerable to these issues
and they should read Sun Alert ID 239312.
Note 6: Solaris 8 does not include support for Tomcat and so it is not impacted by these issues.
3. Symptoms
There are no predictable symptoms that would indicate that these issues have been exploited.
4. Workaround
There is no workaround for these issues please see Resolution below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 9 with patch 114016-05 or later
- Solaris 10 with patch 122911-17 or later
- OpenSolaris based upon builds snv_118 or later
x86 Platform
- Solaris 9 with patch 114017-05 or later
- Solaris 10 with patch 122912-17 or later
- OpenSolaris based upon builds snv_118 or later
For more information on Security Sun Alerts, see
Modification History
14-Jul-2009: Added Date of Preliminary Release.
09-Oct-2009: Updated Contributing Factors and Resolution sections. Now Resolved.
References
114016-05
114017-05
122911-17
122912-17
References
SUNPATCH:114016-05
SUNPATCH:114017-05
SUNPATCH:122911-17
SUNPATCH:122912-17
AttachmentsThis solution has no attachment