Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M20
Apache Tomcat 8.5.0 to 8.5.14
Apache Tomcat 8.0.0.RC1 to 8.0.43
Apache Tomcat 7.0.0 to 7.0.77
Earlier, unsupported versions have not been analysed but are likely to
be affected

Description:
The error page mechanism of the Java Servlet Specification requires
that, when an error occurs and an error page is configured for the error
that occurred, the original request and response are forwarded to the
error page. This means that the request is presented to the error page
with the original HTTP method.

If the error page is a static file, the expected behaviour is to serve the
content of the file as if processing a GET request, regardless of the
actual HTTP method. Tomcat's Default Servlet did not do this. Depending
on the original request this could lead to unexpected and undesirable
results for static error pages including, if the DefaultServlet is
configured to permit writes (the readonly init-param set to false), the
replacement or removal of the custom error page.

Notes for other user provided error pages:
 - Unless explicitly coded otherwise, JSPs ignore the HTTP method.
   JSPs used as error pages must ensure that they handle any error
   dispatch as a GET request, regardless of the actual method.
 - By default, the response generated by a Servlet does depend on the
   HTTP method (HttpServlet.service() routes to doGet(), doPut(),
   doDelete(), doTrace() and so on). Custom Servlets used as error pages
   must ensure that they handle any error dispatch as a GET request,
   regardless of the actual method.
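The following is an added example, not code from the advisory or from the
Tomcat project, of a custom Servlet error page that follows the note above:
it detects an error dispatch via the Servlet 3.0 DispatcherType API and
renders as GET no matter which method the original request used. The class
name, the /error mapping and the plain-text body are illustrative choices.

```java
// Added example (not part of the advisory or of Tomcat): an error-page
// Servlet that treats every error dispatch as a GET request. Class name
// and URL mapping are illustrative; the web.xml entry it expects is
//   <error-page><error-code>404</error-code><location>/error</location></error-page>
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

@WebServlet("/error")
public class SafeErrorServlet extends HttpServlet {

    // Vulnerable pattern (what a typical custom error Servlet does): only
    // doGet() is overridden, so HttpServlet.service() still routes by the
    // ORIGINAL method of the failed request. A DELETE that triggered a 404
    // lands in doDelete() (405 by default), and a TRACE lands in doTrace(),
    // which echoes the request headers back, bypassing any restriction on
    // TRACE that applied to the original URL.
    //
    // Hardened pattern: intercept service() and, for an error dispatch,
    // always run the GET path.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            doGet(req, resp);
            return;
        }
        // A direct request to /error (not an error dispatch) keeps the
        // normal per-method handling, so the container's own method
        // restrictions and security constraints still apply to it.
        super.service(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Attributes the container sets on the request for an error
        // dispatch, per the Servlet specification.
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        String method = req.getMethod(); // still the original method, e.g. PUT or TRACE

        // Render a fixed, non-cacheable page; do not echo headers or body
        // of the original request, whatever its method was.
        resp.setStatus(status == null ? HttpServletResponse.SC_INTERNAL_SERVER_ERROR : status);
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("An error occurred (status " + (status == null ? "unknown" : status) + ").");
        out.println("Original request method was " + method + "; handled as GET.");
    }
}
```

To confirm the behaviour, send a request with an unusual method to a URL
that does not exist (for example `curl -X TRACE -i http://host/app/nothere`
or `-X DELETE`) and check that the error page body is the fixed text above
rather than a 405 or an echo of your request headers. For static error
pages served by the DefaultServlet, the same test against a patched Tomcat
should return the file content for any method; on an unpatched one, also
verify that the DefaultServlet's readonly init-param in conf/web.xml is
left at its default of true, so a PUT or DELETE dispatched to a static
error page cannot overwrite or remove it.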

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M21 or later
- Upgrade to Apache Tomcat 8.5.15 or later
- Upgrade to Apache Tomcat 8.0.44 or later
- Upgrade to Apache Tomcat 7.0.78 or later

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Aniket Nandkishor Kulkarni from Tata Consultancy Services Ltd,
Mumbai, India as a vulnerability that allowed the restrictions on
OPTIONS and TRACE requests to be bypassed. The full implications of this
issue were then identified by the Tomcat Security Team.

History:
2017-06-06 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
