[Bug 1140314] New: CVE-2013-4444 tomcat: remote code execution via uploaded JSP
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1140314
Bug ID: 1140314
Summary: CVE-2013-4444 tomcat: remote code execution via uploaded JSP
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: vdanen(a)redhat.com
CC: akurtako(a)redhat.com, dknox(a)redhat.com,
gmurphy(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jdoyle(a)redhat.com,
krzysztof.daniel(a)gmail.com, lgao(a)redhat.com,
myarboro(a)redhat.com, pslavice(a)redhat.com,
rsvoboda(a)redhat.com, weli(a)redhat.com
As reported fixed in Apache Tomcat 7.0.40 [1]:

In very limited circumstances, it was possible for an attacker to upload a
malicious JSP to a Tomcat server and then trigger the execution of that JSP.
While Remote Code Execution would normally be viewed as a critical
vulnerability, the circumstances under which this is possible are, in the view
of the Tomcat security team, sufficiently limited that this vulnerability is
viewed as important.

For this attack to succeed all of the following requirements must be met:

1. Using Oracle Java 1.7.0 update 25 or earlier (or any other Java
implementation where java.io.File is vulnerable to null byte injection).

2. A web application must be deployed to a vulnerable version of Tomcat.

3. The web application must use the Servlet 3.0 File Upload feature.

4. A file location within a deployed web application must be writeable by the
user the Tomcat process is running as. The Tomcat security documentation
recommends against this.

5. A custom listener for JMX connections (e.g. the JmxRemoteListener that is
not enabled by default) must be configured and be able to load classes from
Tomcat's common class loader (i.e. the custom JMX listener must be placed in
Tomcat's lib directory).

6. The custom JMX listener must be bound to an address other than localhost for
a remote attack (it is bound to localhost by default). If the custom JMX
listener is bound to localhost, a local attack will still be possible.

Note that requirements 2 and 3 may be replaced with the following requirement:

7. A web application is deployed that uses Apache Commons File Upload 1.2.1 or
earlier.

In this case (requirements 1, 4, 5, 6 and 7 met) a similar vulnerability may
exist on any Servlet container, not just Apache Tomcat.

This was fixed in revision 1470437. [2] (April 22, 2013)

This issue was identified by Pierre Ernst of the VMware Security Engineering,
Communications and Response group (vSECR) and reported to the Tomcat security
team via the Pivotal security team on 5 September 2014. It was made public on
10 September 2014.

Affects: 7.0.0 to 7.0.39

[1] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
[2] http://svn.apache.org/viewvc?view=revision&revision=1470437

Statement:

This issue did not affect the versions of tomcat as shipped with Red Hat
Enterprise Linux 5, 6, or 7 nor the versions of tomcat as shipped with JBoss
Enterprise Web Server.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=NIGlAdEiPm&a=cc_unsubscribe
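
Added example, not part of the bug report or of Tomcat: the requirement list from the CVE-2013-4444 message above, written as an exposure triage over a host inventory. The Host record, its field names and the sample hosts are assumptions made for illustration; only the legacy "1.x.y_z" Java version scheme is parsed.

```python
import re
from dataclasses import dataclass
from typing import Optional


def _ver(text: str) -> tuple:
    """'7.0.39-1.fc22' or '1.7.0_25-b15' -> comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


@dataclass
class Host:  # hypothetical inventory record, not a Tomcat or Red Hat format
    java: str                          # legacy Oracle scheme, e.g. "1.7.0_25"
    tomcat: Optional[str]              # None for another servlet container
    servlet3_upload: bool              # an app uses Servlet 3.0 File Upload
    commons_fileupload: Optional[str]  # version bundled by an app, or None
    webapp_dir_writable: bool          # Tomcat user can write inside a deployed app
    jmx_listener_in_lib: bool          # custom JMX listener in Tomcat's lib directory
    jmx_bind: str = "localhost"        # address the listener is bound to


def exposure(h: Host) -> str:
    """Return 'remote', 'local' or 'none' per the advisory's requirement list."""
    req1 = _ver(h.java) <= (1, 7, 0, 25)
    req2 = h.tomcat is not None and (7, 0, 0) <= _ver(h.tomcat) <= (7, 0, 39)
    req3 = h.servlet3_upload
    req4 = h.webapp_dir_writable
    req5 = h.jmx_listener_in_lib
    req7 = (h.commons_fileupload is not None
            and _ver(h.commons_fileupload) <= (1, 2, 1))
    if not (req1 and req4 and req5 and ((req2 and req3) or req7)):
        return "none"
    # Requirement 6 only decides reach: a localhost binding still allows a local attack.
    return "local" if h.jmx_bind in ("localhost", "127.0.0.1", "::1") else "remote"


# Constructed sample inventory, for illustration only.
SAMPLE = {
    "app01": Host("1.7.0_21", "7.0.39", True, None, True, True, "0.0.0.0"),
    "app02": Host("1.7.0_21", "7.0.39", True, None, True, True),
    "app03": Host("1.7.0_21", "7.0.40", True, None, True, True, "0.0.0.0"),
    "app04": Host("1.6.0_45", None, False, "1.2.1", True, True, "10.0.0.5"),
}

if __name__ == "__main__":
    for name, host in SAMPLE.items():
        print(name, exposure(host))
```

Breaking any one of requirements 1, 4 or 5 (a newer Java, no writable location inside a deployed application, no custom JMX listener in the lib directory) moves a host to "none" regardless of the Tomcat or Commons File Upload version.
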
[Bug 1203652] New: tomcat: Duplicate Maven metadata for tomcat-jdbc
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1203652
Bug ID: 1203652
Summary: tomcat: Duplicate Maven metadata for tomcat-jdbc
Product: Fedora
Version: 22
Component: tomcat
Keywords: Regression
Assignee: ivan.afonichev(a)gmail.com
Reporter: mizdebsk(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, sgallagh(a)redhat.com
Description of problem:
Tomcat installs duplicate metadata for tomcat-jdbc Maven artifact.
Version-Release number of selected component (if applicable):
7.0.59-3
Steps to Reproduce:
xmvn-resolve org.apache.tomcat:tomcat-jdbc
Actual results:
[WARNING] Ignoring metadata for artifact
org.apache.tomcat:tomcat-jdbc:jar:SYSTEM as it has duplicate metadata
[WARNING] Ignoring metadata for artifact
org.apache.tomcat:tomcat-jdbc:pom:SYSTEM as it has duplicate metadata
[ERROR] Unable to resolve artifact org.apache.tomcat:tomcat-jdbc:jar:SYSTEM
Expected results:
/usr/share/java/tomcat/tomcat-jdbc.jar
Additional info:
Regression was introduced in:
commit ce74ddbcd3beba22fb70cd2dc890efa7409bf97f
Author: Stephen Gallagher <sgallagh(a)redhat.com>
Date: Tue Mar 3 14:58:21 2015 -0500
Revert to Tomcat 7
[Bug 1301160] New: itext-toolbox wrapper doesn't work
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1301160
Bug ID: 1301160
Summary: itext-toolbox wrapper doesn't work
Product: Fedora
Version: 23
Component: itext
Assignee: puntogil(a)libero.it
Reporter: luto(a)kernel.org
QA Contact: extras-qa(a)fedoraproject.org
CC: andjrobins(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jochen(a)herr-schmitt.de, puntogil(a)libero.it
itext-toolbox fails:
$ itext-toolbox
Java virtual machine used: /usr/share/java-utils/java-wrapper
classpath used:
/usr/share/java/bcprov.jar:/usr/share/java/bcmail.jar:/usr/share/java/bctsp.jar:/usr/share/java/itext.jar:/usr/share/java/itext-toolbox.jar
main class used: com.lowagie.toolbox.Toolbox
flags used:
options used: '-cp
/usr/share/java/bcprov.jar:/usr/share/java/bcmail.jar:/usr/share/java/bctsp.jar:/usr/share/java/itext.jar:/usr/share/java/itext-toolbox.jar'
arguments used:
Unrecognized option: -cp
/usr/share/java/bcprov.jar:/usr/share/java/bcmail.jar:/usr/share/java/bctsp.jar:/usr/share/java/itext.jar:/usr/share/java/itext-toolbox.jar
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.
I think the right fix is to switch to %jpackage_script. See
https://fedoraproject.org/wiki/Packaging:Java#Wrapper_Scripts