Author: markt Date: Mon Aug 5 19:45:45 2013 New Revision: 1510686 URL: http://svn.apache.org/r1510686 Log: Add Tomcat 8 security page
Added: tomcat/site/trunk/docs/security-8.html (with props) tomcat/site/trunk/xdocs/security-8.xml - copied, changed from r1510677, tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security.html tomcat/site/trunk/xdocs/security.xml Added: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1510686&view=auto ============================================================================== --- tomcat/site/trunk/docs/security-8.html (added) +++ tomcat/site/trunk/docs/security-8.html Mon Aug 5 19:45:45 2013 
@@ -0,0 +1,345 @@ +<html> +<head> +<META http-equiv="Content-Type" content="text/html; charset=utf-8"> +<title>Apache Tomcat - Apache Tomcat 8 vulnerabilities</title> +<meta name="author" content="Apache Tomcat Project"> +<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"> +<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"> +</head> +<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"> +<table border="0" width="100%" cellspacing="0"> +<!--PAGE HEADER--> +<tr> +<td> +<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif"> +<h1>Apache Tomcat</h1> +</font></td><td> +<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td> +</tr> +</table> +<div class="searchbox noPrint"> +<form action="http://www.google.com/search" method="get"> +<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit"> +</form> +</div> +<table border="0" width="100%" cellspacing="4"> +<!--HEADER SEPARATOR--> +<tr> +<td colspan="2"> +<hr noshade size="1"> +</td> +</tr> +<tr> +<!--LEFT SIDE NAVIGATION--> +<td width="20%" valign="top" nowrap="true" class="noPrint"> +<p> +<strong>Apache Tomcat</strong> +</p> +<ul> +<li> +<a href="./index.html">Home</a> +</li> +<li> +<a href="./taglibs/">Taglibs</a> +</li> +<li> +<a href="./maven-plugin.html">Maven Plugin</a> +</li> +</ul> +<p> +<strong>Download</strong> +</p> +<ul> +<li> +<a href="./whichversion.html">Which version?</a> +</li> +<li> +<a href="./download-70.cgi">Tomcat 7.0</a> +</li> +<li> +<a href="./download-60.cgi">Tomcat 6.0</a> +</li> +<li> +<a href="./download-connectors.cgi">Tomcat Connectors</a> +</li> 
+<li> +<a href="./download-native.cgi">Tomcat Native</a> +</li> +<li> +<a href="http://archive.apache.org/dist/tomcat/">Archives</a> +</li> +</ul> +<p> +<strong>Documentation</strong> +</p> +<ul> +<li> +<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a> +</li> +<li> +<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a> +</li> +<li> +<a href="./connectors-doc/">Tomcat Connectors</a> +</li> +<li> +<a href="./native-doc/">Tomcat Native</a> +</li> +<li> +<a href="http://wiki.apache.org/tomcat/FrontPage">Wiki</a> +</li> +<li> +<a href="./migration.html">Migration Guide</a> +</li> +</ul> +<p> +<strong>Problems?</strong> +</p> +<ul> +<li> +<a href="./security.html">Security Reports</a> +</li> +<li> +<a href="./findhelp.html">Find help</a> +</li> +<li> +<a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a> +</li> +<li> +<a href="./lists.html">Mailing Lists</a> +</li> +<li> +<a href="./bugreport.html">Bug Database</a> +</li> +<li> +<a href="./irc.html">IRC</a> +</li> +</ul> +<p> +<strong>Get Involved</strong> +</p> +<ul> +<li> +<a href="./getinvolved.html">Overview</a> +</li> +<li> +<a href="./svn.html">SVN Repositories</a> +</li> +<li> +<a href="./ci.html">Buildbot</a> +</li> +<li> +<a href="https://reviews.apache.org/groups/tomcat/">Reviewboard</a> +</li> +<li> +<a href="./tools.html">Tools</a> +</li> +</ul> +<p> +<strong>Media</strong> +</p> +<ul> +<li> +<a href="http://blogs.apache.org/tomcat/">Blog</a> +</li> +<li> +<a href="http://twitter.com/theapachetomcat">Twitter</a> +</li> +</ul> +<p> +<strong>Misc</strong> +</p> +<ul> +<li> +<a href="./whoweare.html">Who We Are</a> +</li> +<li> +<a href="./heritage.html">Heritage</a> +</li> +<li> +<a href="http://www.apache.org">Apache Home</a> +</li> +<li> +<a href="./resources.html">Resources</a> +</li> +<li> +<a href="./contact.html">Contact</a> +</li> +<li> +<a href="./legal.html">Legal</a> +</li> +<li> +<a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a> +</li> +<li> +<a 
href="http://www.apache.org/foundation/thanks.html">Thanks</a> +</li> +</ul> +</td> +<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Table of Contents"> +<!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td> +</tr> +<tr> +<td> +<p> +<blockquote> + +<ul> +<li> +<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_8.0.0-RC1">Fixed in Apache Tomcat 8.0.0-RC1</a> +</li> +<li> +<a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a> +</li> +</ul> + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Apache Tomcat 8.x vulnerabilities"> +<!--()--></a><a name="Apache_Tomcat_8.x_vulnerabilities"><strong>Apache Tomcat 8.x vulnerabilities</strong></a></font></td> +</tr> +<tr> +<td> +<p> +<blockquote> + +<p>This page lists all security vulnerabilities fixed in released versions + of Apache Tomcat 8.x. Each vulnerability is given a + <a href="security-impact.html">security impact rating</a> by the Apache + Tomcat security team — please note that this rating may vary from + platform to platform. We also list the versions of Apache Tomcat the flaw + is known to affect, and where a flaw has not been verified list the + version with a question mark.</p> + + +<p> +<strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities + but have either been incorrectly reported against Tomcat or where Tomcat + provides a workaround are listed at the end of this page.</p> + + +<p>Please note that binary patches are never provided. 
If you need to + apply a source code patch, use the building instructions for the + Apache Tomcat version that you are using. For Tomcat 8.0 those are + <a href="/tomcat-8.0-doc/building.html"><code>building.html</code></a> and + <a href="/tomcat-8.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>. + Both files can be found in the <code>webapps/docs</code> subdirectory + of a binary distributive. You may also want to review the + <a href="/tomcat-8.0-doc/security-howto.html">Security Considerations</a> + page in the documentation.</p> + + +<p>If you need help on building or configuring Tomcat or other help on + following the instructions to mitigate the known vulnerabilities listed + here, please send your questions to the public + <a href="lists.html">Tomcat Users mailing list</a> + +</p> + + +<p>If you have encountered an unlisted security vulnerability or other + unexpected behaviour that has <a href="security-impact.html">security + impact</a>, or if the descriptions here are incomplete, + please report them privately to the + <a href="security.html">Tomcat Security Team</a>. Thank you. 
+ </p> + + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 8.0.0-RC1"> +<!--()--></a><a name="Fixed_in_Apache_Tomcat_8.0.0-RC1"><strong>Fixed in Apache Tomcat 8.0.0-RC1</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 August 2013</strong></font></td> +</tr> +<tr> +<td colspan="2"> +<p> +<blockquote> + + +<p>No reports</p> + + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Not a vulnerability in Tomcat"> +<!--()--></a><a name="Not_a_vulnerability_in_Tomcat"><strong>Not a vulnerability in Tomcat</strong></a></font></td> +</tr> +<tr> +<td> +<p> +<blockquote> + + +<p>No reports</p> + + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +</td> +</tr> +<!--FOOTER SEPARATOR--> +<tr> +<td colspan="2"> +<hr noshade size="1"> +</td> +</tr> +<!--PAGE FOOTER--> +<tr> +<td colspan="2"> +<div align="center"> +<font color="#525D76" size="-1"><em> + Copyright © 1999-2013, The Apache Software Foundation + <br> + Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat + project logo are trademarks of the Apache Software Foundation. 
+ </em></font> +</div> +</td> +</tr> +</table> +</body> +</html> Propchange: tomcat/site/trunk/docs/security-8.html ------------------------------------------------------------------------------ svn:eol-style = native Modified: tomcat/site/trunk/docs/security.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1510686&r1=1510685&r2=1510686&view=diff ============================================================================== --- tomcat/site/trunk/docs/security.html (original) +++ tomcat/site/trunk/docs/security.html Mon Aug 5 19:45:45 2013 @@ -209,6 +209,11 @@ <ul> <li> +<a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities + </a> +</li> + +<li> <a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities </a> </li> Copied: tomcat/site/trunk/xdocs/security-8.xml (from r1510677, tomcat/site/trunk/xdocs/security-7.xml) URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?p2=tomcat/site/trunk/xdocs/security-8.xml&p1=tomcat/site/trunk/xdocs/security-7.xml&r1=1510677&r2=1510686&rev=1510686&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Mon Aug 5 19:45:45 2013 @@ -3,7 +3,7 @@ <properties> <author>Apache Tomcat Project</author> - <title>Apache Tomcat 7 vulnerabilities</title> + <title>Apache Tomcat 8 vulnerabilities</title> </properties> <body> 
@@ -12,9 +12,9 @@ <toc/> </section> - <section name="Apache Tomcat 7.x vulnerabilities"> + <section name="Apache Tomcat 8.x vulnerabilities"> <p>This page lists all security vulnerabilities fixed in released versions - of Apache Tomcat 7.x. Each vulnerability is given a + of Apache Tomcat 8.x. Each vulnerability is given a <a href="security-impact.html">security impact rating</a> by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw @@ -27,12 +27,12 @@ <p>Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the - Apache Tomcat version that you are using. For Tomcat 7.0 those are - <a href="/tomcat-7.0-doc/building.html"><code>building.html</code></a> and - <a href="/tomcat-7.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>. + Apache Tomcat version that you are using. For Tomcat 8.0 those are + <a href="/tomcat-8.0-doc/building.html"><code>building.html</code></a> and + <a href="/tomcat-8.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>. Both files can be found in the <code>webapps/docs</code> subdirectory of a binary distributive. You may also want to review the - <a href="/tomcat-7.0-doc/security-howto.html">Security Considerations</a> + <a href="/tomcat-8.0-doc/security-howto.html">Security Considerations</a> page in the documentation.</p> <p>If you need help on building or configuring Tomcat or other help on 
@@ -50,740 +50,15 @@ </section> - <section name="Fixed in Apache Tomcat 7.0.40" rtext="released 9 May 2013"> - - <p><strong>Moderate: Information disclosure</strong> - <cve>CVE-2013-2071</cve></p> - - <p>Bug <bug>54178</bug> described a scenario where elements of a previous - request may be exposed to a current request. This was very difficult to - exploit deliberately but fairly likely to happen unexpectedly if an - application used AsyncListeners that threw RuntimeExceptions.</p> - - <p>This was fixed in revision <revlink rev="1471372">1471372</revlink>.</p> - - <p>The root cause of the problem was identified as a Tomcat bug on 2 April - 2013. The Tomcat security team identified the security implications on - 24 April 2013 and made those details public on 10 May 2013.</p> - - <p>Affects: 7.0.0-7.0.39</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.33" rtext="released 21 Nov 2012"> - - <p><strong>Important: Session fixation</strong> - <cve>CVE-2013-2067</cve></p> - - <p>FORM authentication associates the most recent request requiring - authentication with the current session. By repeatedly sending a request - for an authenticated resource while the victim is completing the login - form, an attacker could inject a request that would be executed using - the victim's credentials.</p> - - <p>This was fixed in revision <revlink rev="1408044">1408044</revlink>.</p> - - <p>This issue was identified by the Tomcat security team on 15 Oct 2012 and - made public on 10 May 2013.</p> - - <p>Affects: 7.0.0-7.0.32</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.32" rtext="released 9 Oct 2012"> - - <p><strong>Important: Bypass of CSRF prevention filter</strong> - <cve>CVE-2012-4431</cve></p> - - <p>The CSRF prevention filter could be bypassed if a request was made to a - protected resource without a session identifier present in the request. 
- </p> - - <p>This was fixed in revision <revlink rev="1393088">1393088</revlink>.</p> - - <p>This issue was identified by the Tomcat security team on 8 September 2012 - and made public on 4 December 2012.</p> - - <p>Affects: 7.0.0-7.0.31</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.30" rtext="released 6 Sep 2012"> - - <p><strong>Important: Denial of service</strong> - <cve>CVE-2012-3544</cve></p> - - <p>When processing a request submitted using the chunked transfer encoding, - Tomcat ignored but did not limit any extensions that were included. This - allows a client to perform a limited DOS by streaming an unlimited - amount of data to the server.</p> - - <p>This was fixed in revisions <revlink rev="1378702">1378702</revlink> and - <revlink rev="1378921">1378921</revlink>.</p> - - <p>This issue was reported to the Tomcat security team on 10 November 2011 - and made public on 10 May 2013.</p> - - <p>Affects: 7.0.0-7.0.29</p> - - <p><strong>Moderate: DIGEST authentication weakness</strong> - <cve>CVE-2012-3439</cve></p> - - <p>Three weaknesses in Tomcat's implementation of DIGEST authentication - were identified and resolved: - </p> - <ol> - <li>Tomcat tracked client rather than server nonces and nonce count.</li> - <li>When a session ID was present, authentication was bypassed.</li> - <li>The user name and password were not checked before when indicating - that a nonce was stale.</li> - </ol> - <p> - These issues reduced the security of DIGEST authentication making - replay attacks possible in some circumstances. - </p> - - <p>This was fixed in revision <revlink rev="1377807">1377807</revlink>.</p> - - <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team - on 19 July 2012. The second and third issues were discovered by the - Tomcat security team during the resulting code review. 
All three issues - were made public on 5 November 2012.</p> - - <p>Affects: 7.0.0-7.0.29</p> - - <p><strong>Important: Bypass of security constraints</strong> - <cve>CVE-2012-3546</cve></p> - - <p>When using FORM authentication it was possible to bypass the security - constraint checks in the FORM authenticator by appending - <code>/j_security_check</code> to the end of the URL if some other - component (such as the Single-Sign-On valve) had called - <code>request.setUserPrincipal()</code> before the call to - <code>FormAuthenticator#authenticate()</code>. - </p> - - <p>This was fixed in revision <revlink rev="1377892">1377892</revlink>.</p> - - <p>This issue was identified by the Tomcat security team on 13 July 2012 and - made public on 4 December 2012.</p> - - <p>Affects: 7.0.0-7.0.29</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.28" rtext="released 19 Jun 2012"> - - <p><strong>Important: Denial of service</strong> - <cve>CVE-2012-2733</cve></p> - - <p>The checks that limited the permitted size of request headers were - implemented too late in the request parsing process for the HTTP NIO - connector. This enabled a malicious user to trigger an - OutOfMemoryError by sending a single request with very large headers. - </p> - - <p>This was fixed in revision <revlink rev="1350301">1350301</revlink>.</p> - - <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June - 2012 and made public on 5 November 2012.</p> - - <p>Affects: 7.0.0-7.0.27</p> - - <p><strong>Important: Denial of service</strong> - <cve>CVE-2012-4534</cve></p> - - <p>When using the NIO connector with sendfile and HTTPS enabled, if a client - breaks the connection while reading the response an infinite loop is - entered leading to a denial of service. This was originally reported as - <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=52858">bug - 52858</a>. 
- </p> - - <p>This was fixed in revision <revlink rev="1340218">1340218</revlink>.</p> - - <p>The security implications of this bug were reported to the Tomcat - security team by Arun Neelicattu of the Red Hat Security Response Team on - 3 October 2012 and made public on 4 December 2012.</p> - - <p>Affects: 7.0.0-7.0.27</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.23" rtext="released 25 Nov 2011"> - - <p><strong>Important: Denial of service</strong> - <cve>CVE-2012-0022</cve></p> - - <p>Analysis of the recent hash collision vulnerability identified unrelated - inefficiencies with Apache Tomcat's handling of large numbers of - parameters and parameter values. These inefficiencies could allow an - attacker, via a specially crafted request, to cause large amounts of CPU - to be used which in turn could create a denial of service. The issue was - addressed by modifying the Tomcat parameter handling code to efficiently - process large numbers of parameters and parameter values.</p> - - <p>This was fixed in revisions <revlink rev="1189899">1189899</revlink>, - <revlink rev="1190372">1190372</revlink>, - <revlink rev="1190482">1190482</revlink>, - <revlink rev="1194917">1194917</revlink>, - <revlink rev="1195225">1195225</revlink>, - <revlink rev="1195226">1195226</revlink>, - <revlink rev="1195537">1195537</revlink>, - <revlink rev="1195909">1195909</revlink>, - <revlink rev="1195944">1195944</revlink>, - <revlink rev="1195951">1195951</revlink>, - <revlink rev="1195977">1195977</revlink> and - <revlink rev="1198641">1198641</revlink>.</p> - - <p>This was identified by the Tomcat security team on 21 October 2011 and - made public on 17 January 2012.</p> - - <p>Affects: 7.0.0-7.0.22</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.22" rtext="released 1 Oct 2011"> - - <p><strong>Important: Information disclosure</strong> - <cve>CVE-2011-3375</cve></p> - - <p>For performance reasons, information parsed from a request is often - cached in 
two places: the internal request object and the internal - processor object. These objects are not recycled at exactly the same - time. When certain errors occur that needed to be added to the access - log, the access logging process triggers the re-population of the request - object after it has been recycled. However, the request object was not - recycled before being used for the next request. That lead to information - leakage (e.g. remote IP address, HTTP headers) from the previous request - to the next request. The issue was resolved be ensuring that the request - and response objects were recycled after being re-populated to generate - the necessary access log entries.</p> - - <p>This was fixed in <revlink rev="1176592">revision 1176592</revlink>.</p> - - <p>This was identified by the Tomcat security team on 22 September 2011 and - made public on 17 January 2012.</p> - - <p>Affects: 7.0.0-7.0.21</p> - - <p><strong>Low: Privilege Escalation</strong> - <cve>CVE-2011-3376</cve></p> - - <p>This issue only affects environments running web applications that are - not trusted (e.g. shared hosting environments). The Servlets that - implement the functionality of the Manager application that ships with - Apache Tomcat should only be available to Contexts (web applications) - that are marked as privileged. However, this check was not being made. - This allowed an untrusted web application to use the functionality of the - Manager application. This could be used to obtain information on running - web applications as well as deploying additional web applications. 
- </p> - - <p>This was fixed in <revlink rev="1176588">revision 1176588</revlink>.</p> - - <p>This was identified by Ate Douma on 27 September 2011 and made public - on 8 November 2011.</p> - - <p>Affects: 7.0.0-7.0.21</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.21" rtext="released 1 Sep 2011"> - - <p><strong>Important: Authentication bypass and information disclosure - </strong> - <cve>CVE-2011-3190</cve></p> - - <p>Apache Tomcat supports the AJP protocol which is used with reverse - proxies to pass requests and associated data about the request from the - reverse proxy to Tomcat. The AJP protocol is designed so that when a - request includes a request body, an unsolicited AJP message is sent to - Tomcat that includes the first part (or possibly all) of the request - body. In certain circumstances, Tomcat did not process this message as a - request body but as a new request. This permitted an attacker to have - full control over the AJP message permitting authentication bypass and - information disclosure. This vulnerability only occurs when all of the - following are true: - <ul> - <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used - </li> - <li>POST requests are accepted</li> - <li>The request body is not processed</li> - </ul> - </p> - - <p>This was fixed in <revlink rev="1162958">revision 1162958</revlink>.</p> - - <p>This was reported publicly on 20th August 2011.</p> - - <p>Affects: 7.0.0-7.0.20</p> - - <p>Mitigation options:</p> - <ul> - <li>Upgrade to Tomcat 7.0.21</li> - <li>Apply the appropriate <revlink rev="1162958">patch</revlink></li> - <li>Configure both Tomcat and the reverse proxy to use a shared secret.<br /> - (It is "<code>requiredSecret</code>" attribute in AJP <Connector>, - "<code>worker.<i>workername</i>.secret</code>" directive for mod_jk. 
- The mod_proxy_ajp module currently does not support shared secrets).</li> - </ul> - - <p>References:</p> - <ul> - <li><a href="/tomcat-7.0-doc/config/ajp.html">AJP Connector documentation (Tomcat 7.0)</a></li> - <li><a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a></li> - </ul> - </section> - - <section name="Fixed in Apache Tomcat 7.0.20" rtext="released 11 Aug 2011"> - - <p><strong>Important: Information disclosure</strong> - <cve>CVE-2011-2729</cve></p> - - <p>Due to a bug in the capabilities code, jsvc (the service wrapper for - Linux that is part of the Commons Daemon project) does not drop - capabilities allowing the application to access files and directories - owned by superuser. This vulnerability only occurs when all of the - following are true: - <ul> - <li>Tomcat is running on a Linux operating system</li> - <li>jsvc was compiled with libcap</li> - <li>-user parameter is used</li> - </ul> - Affected Tomcat versions shipped with source files for jsvc that included - this vulnerability. - </p> - - <p>This was fixed in <revlink rev="1153379">revision 1153379</revlink>.</p> - - <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public - on 12 August 2011.</p> - - <p>Affects: 7.0.0-7.0.19</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.19" rtext="released 19 Jul 2011"> - - <p><strong>Low: Information disclosure</strong> - <cve>CVE-2011-2526</cve></p> - - <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR - connectors. sendfile is used automatically for content served via the - DefaultServlet and deployed web applications may use it directly via - setting request attributes. These request attributes were not validated. 
- When running under a security manager, this lack of validation allowed a - malicious web application to do one or more of the following that would - normally be prevented by a security manager: - <ul> - <li>return files to users that the security manager should make - inaccessible</li> - <li>terminate (via a crash) the JVM</li> - </ul> - Additionally, these vulnerabilities only occur when all of the following - are true: - <ul> - <li>untrusted web applications are being used</li> - <li>the SecurityManager is used to limit the untrusted web applications - </li> - <li>the HTTP NIO or HTTP APR connector is used</li> - <li>sendfile is enabled for the connector (this is the default)</li> - </ul> - </p> - - <p>This was fixed in revisions - <revlink rev="1145383">1145383</revlink>, - <revlink rev="1145489">1145489</revlink>, - <revlink rev="1145571">1145571</revlink>, - <revlink rev="1145694">1145694</revlink> and - <revlink rev="1146005">1146005</revlink>.</p> - - <p>This was identified by the Tomcat security team on 7 July 2011 and - made public on 13 July 2011.</p> - - <p>Affects: 7.0.0-7.0.18</p> - - <p><i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the - release votes for the 7.0.17 and 7.0.18 release candidates did not pass. - Therefore, although users must download 7.0.19 to obtain a version that - includes a fix for these issues, versions 7.0.17 and 7.0.18 are not - included in the list of affected versions.</i></p> - - <p><strong>Low: Information disclosure</strong> - <cve>CVE-2011-2204</cve></p> - - <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and - creating users via JMX, an exception during the user creation process may - trigger an error message in the JMX client that includes the user's - password. This error message is also written to the Tomcat logs. User - passwords are visible to administrators with JMX access and/or - administrators with read access to the tomcat-users.xml file. 
Users that - do not have these permissions but are able to read log files may be able - to discover a user's password.</p> - - <p>This was fixed in <revlink rev="1140070">revision 1140070</revlink>.</p> - - <p>This was identified by Polina Genova on 14 June 2011 and - made public on 27 June 2011.</p> - - <p>Affects: 7.0.0-7.0.16</p> - - <p><strong>Low: Information disclosure</strong> - <cve>CVE-2011-2481</cve></p> - - <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the - vulnerability previously reported as <cve>CVE-2009-0783</cve>. - This was initially - <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395"> - reported</a> as a memory leak. If a web application is the first web - application loaded, this bugs allows that web application to potentially - view and/or alter the web.xml, context.xml and tld files of other web - applications deployed on the Tomcat instance.</p> - - <p>This was first fixed in - <revlink rev="1137753">revision 1137753</revlink>, - but reverted in <revlink rev="1138776">revision 1138776</revlink> and - finally fixed in <revlink rev="1138788">revision 1138788</revlink>.</p> - - <p>This was identified by the Tomcat security team on 20 June 2011 and - made public on 12 August 2011.</p> - - <p>Affects: 7.0.0-7.0.16</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.14" rtext="released 12 May 2011"> - - <p><strong>Important: Security constraint bypass</strong> - <cve>CVE-2011-1582</cve></p> - - <p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security - constraints configured via annotations were ignored on the first request - to a Servlet. 
Subsequent requests were secured correctly.</p> - - <p>This was fixed in <revlink rev="1100832">revision 1100832</revlink>.</p> - - <p>This was identified by the Tomcat security team on 13 April 2011 and - made public on 17 May 2011.</p> - - <p>Affects: 7.0.12-7.0.13</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.12" rtext="released 6 Apr 2011"> - - <p><strong>Important: Information disclosure</strong> - <cve>CVE-2011-1475</cve></p> - - <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0 - asynchronous requests did not fully account for HTTP pipelining. As a - result, when using HTTP pipelining a range of unexpected behaviours - occurred including the mixing up of responses between requests. While - the mix-up in responses was only observed between requests from the same - user, a mix-up of responses for requests from different users may also be - possible.</p> - - <p>This was fixed in revisions <revlink rev="1086349">1086349</revlink> and - <revlink rev="1086352">1086352</revlink>. - (Note: HTTP pipelined requests are still likely to fail with the - HTTP BIO connector but will do so in a secure manner.)</p> - - <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar - 2011.</p> - - <p>Affects: 7.0.0-7.0.11</p> - - <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" - rel="nofollow">CVE-2011-1184</a></p> - - <p>Note: Mitre elected to break this issue down into multiple issues and - have allocated the following additional references to parts of this - issue: - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5062" - rel="nofollow">CVE-2011-5062</a>, - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5063" - rel="nofollow">CVE-2011-5063</a> and - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5064" - rel="nofollow">CVE-2011-5064</a>. 
The Apache Tomcat security team will - continue to treat this as a single issue using the reference - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" - rel="nofollow">CVE-2011-1184</a>.</p> - - <p>The implementation of HTTP DIGEST authentication was discovered to have - several weaknesses: - <ul> - <li>replay attacks were permitted</li> - <li>server nonces were not checked</li> - <li>client nonce counts were not checked</li> - <li>qop values were not checked</li> - <li>realm values were not checked</li> - <li>the server secret was hard-coded to a known string</li> - </ul> - The result of these weaknesses is that DIGEST authentication was only as - secure as BASIC authentication. - </p> - - <p>This was fixed in <revlink rev="1087655">revision 1087655</revlink>.</p> - - <p>This was identified by the Tomcat security team on 16 March 2011 and - made public on 26 September 2011.</p> - - <p>Affects: 7.0.0-7.0.11</p> - - <p><strong>Important: Security constraint bypass</strong> - <cve>CVE-2011-1183</cve></p> - - <p>A regression in the fix for CVE-2011-1088 meant that security constraints - were ignored when no login configuration was present in the web.xml and - the web application was marked as meta-data complete.</p> - - <p>This was fixed in <revlink rev="1087643">revision 1087643</revlink>.</p> - - <p>This was identified by the Tomcat security team on 17 March 2011 and - made public on 6 April 2011.</p> - - <p>Affects: 7.0.11</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.11" rtext="released 11 Mar 2011"> - - <p><strong>Important: Security constraint bypass</strong> - <cve>CVE-2011-1088</cve></p> - - <p>When a web application was started, <code>ServletSecurity</code> - annotations were ignored. This meant that some areas of the application - may not have been protected as expected. 
This was partially fixed in - Apache Tomcat 7.0.10 and fully fixed in 7.0.11.</p> - - <p>This was fixed in revisions <revlink rev="1076586">1076586</revlink>, - <revlink rev="1076587">1076587</revlink>, - <revlink rev="1077995">1077995</revlink> and - <revlink rev="1079752">1079752</revlink>.</p> - - <p>This was reported publicly on the Tomcat users mailing list on 2 Mar - 2011.</p> - - <p>Affects: 7.0.0-7.0.10</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.8" rtext="released 5 Feb 2011"> - - <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.7 but the - release vote for the 7.0.7 release candidate did not pass. Therefore, - although users must download 7.0.8 to obtain a version that includes a - fix for this issue, version 7.0.7 is not included in the list of - affected versions.</i></p> - - <p><strong>Important: Remote Denial Of Service</strong> - <cve>CVE-2011-0534</cve></p> - - <p>The NIO connector expands its buffer endlessly during request line - processing. That behaviour can be used for a denial of service attack - using a carefully crafted request.</p> - - <p>This was fixed in <revlink rev="1065939">revision 1065939</revlink>.</p> - - <p>This was identified by the Tomcat security team on 27 Jan 2011 and - made public on 5 Feb 2011.</p> - - <p>Affects: 7.0.0-7.0.6</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.6" rtext="released 14 Jan 2011"> - - <p><strong>Low: Cross-site scripting</strong> - <cve>CVE-2011-0013</cve></p> - - <p>The HTML Manager interface displayed web application provided data, such - as display names, without filtering. 
A malicious web application could - trigger script execution by an administrative user when viewing the - manager pages.</p> - - <p>This was fixed in <revlink rev="1057279">revision 1057279</revlink>.</p> - - <p>This was identified by the Tomcat security team on 12 Nov 2010 and - made public on 5 Feb 2011.</p> - - <p>Affects: 7.0.0-7.0.5</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.5" rtext="released 1 Dec 2010"> - - <p><strong>Low: Cross-site scripting</strong> - <cve>CVE-2010-4172</cve></p> - - <p>The Manager application used the user provided parameters sort and - orderBy directly without filtering thereby permitting cross-site - scripting. The CSRF protection, which is enabled by default, prevents an - attacker from exploiting this.</p> - - <p>This was fixed in <revlink rev="1037778">revision 1037778</revlink>.</p> - - <p>This was first reported to the Tomcat security team on 15 Nov 2010 and - made public on 22 Nov 2010.</p> - - <p>Affects: 7.0.0-7.0.4</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.4" rtext="released 21 Oct 2010"> - - <p><strong>Low: SecurityManager file permission bypass</strong> - <cve>CVE-2010-3718</cve></p> - - <p>When running under a SecurityManager, access to the file system is - limited but web applications are granted read/write permissions to the - work directory. This directory is used for a variety of temporary files - such as the intermediate files generated when compiling JSPs to Servlets. - The location of the work directory is specified by a ServletContect - attribute that is meant to be read-only to web applications. However, - due to a coding error, the read-only setting was not applied. Therefore, - a malicious web application may modify the attribute before Tomcat - applies the file permissions. This can be used to grant read/write - permissions to any area on the file system which a malicious web - application may then take advantage of. 
This vulnerability is only - applicable when hosting web applications from untrusted sources such as - shared hosting environments.</p> - - <p>This was fixed in <revlink rev="1022134">revision 1022134</revlink>.</p> - - <p>This was discovered by the Tomcat security team on 12 Oct 2010 and - made public on 5 Feb 2011.</p> - - <p>Affects: 7.0.0-7.0.3</p> - - </section> - - <section name="Fixed in Apache Tomcat 7.0.2" rtext="released 11 Aug 2010"> - - <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the - release vote for the 7.0.1 release candidate did not pass. Therefore, - although users must download 7.0.2 to obtain a version that includes a - fix for this issue, version 7.0.2 is not included in the list of - affected versions.</i></p> - - <p><strong>Important: Remote Denial Of Service and Information Disclosure - Vulnerability</strong> - <cve>CVE-2010-2227</cve></p> - - <p>Several flaws in the handling of the 'Transfer-Encoding' header were - found that prevented the recycling of a buffer. A remote attacker could - trigger this flaw which would cause subsequent requests to fail and/or - information to leak between requests. This flaw is mitigated if Tomcat is - behind a reverse proxy (such as Apache httpd 2.2) as the proxy should - reject the invalid transfer encoding header.</p> - - <p>This was fixed in <revlink rev="958911">revision 958911</revlink>.</p> - - <p>This was first reported to the Tomcat security team on 14 Jun 2010 and - made public on 9 Jul 2010.</p> - - <p>Affects: 7.0.0</p> + <section name="Fixed in Apache Tomcat 8.0.0-RC1" rtext="released 1 August 2013"> + <p>No reports</p> + </section> <section name="Not a vulnerability in Tomcat"> - - <p><strong>Low: Denial Of Service</strong> - <cve>CVE-2012-5568</cve></p> - - <p>Sending an HTTP request 1 byte at a time will consume a thread from the - connection pool until the request has been fully processed if using the - BIO or APR/native HTTP connectors. 
Multiple requests may be used to - consume all threads in the connection pool thereby creating a denial of - service.</p> - - <p>Since the relationship between the client side resources and server side - resources is a linear one, this issue is not something that the Tomcat - Security Team views as a vulnerability. This is a generic DoS problem and - there is no magic solution. This issue has been discussed several times - on the Tomcat mailing lists. The best place to start to review these - discussions is the report for - <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug - 54236</a>.</p> - - <p>This was first discussed on the public Tomcat users mailing list on 19 - June 2009.</p> - - <p>Affects: 7.0.0-7.0.x</p> - - <p><strong>Important: Remote Denial Of Service</strong> - <cve>CVE-2010-4476</cve></p> - - <p>A JVM bug could cause Double conversion to hang JVM when accessing to a - form based security constrained page or any page that calls - javax.servlet.ServletRequest.getLocale() or - javax.servlet.ServletRequest.getLocales(). A specially crafted request - can be used to trigger a denial of service. - </p> - <p>A work-around for this JVM bug was provided in - <revlink rev="1066244">revision 1066244</revlink>.</p> - - <p>This was first reported to the Tomcat security team on 01 Feb 2011 and - made public on 31 Jan 2011.</p> - - <p>Affects: 7.0.0-7.0.6</p> - - <p><strong>Moderate: TLS SSL Man In The Middle</strong> - <cve>CVE-2009-3555</cve></p> - - <p>A vulnerability exists in the TLS protocol that allows an attacker to - inject arbitrary requests into an TLS stream during renegotiation.</p> - - <p>The TLS implementation used by Tomcat varies with connector. The blocking - IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation - provided by the JVM. The APR/native connector uses OpenSSL.</p> - - <p>The BIO connector is vulnerable if the JSSE version used is vulnerable. 
- To workaround a vulnerable version of JSSE, use the connector attribute - <code>allowUnsafeLegacyRenegotiation</code>. It should be set to - <code>false</code> (the default) to protect against this vulnerability. - </p> - - <p>The NIO connector prior to 7.0.10 is not vulnerable as it does not - support renegotiation.</p> - - <p>The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE - version used is vulnerable. To workaround a vulnerable version of JSSE, - use the connector attribute <code>allowUnsafeLegacyRenegotiation</code>. - It should be set to <code>false</code> (the default) to protect against - this vulnerability.</p> - - <p>The APR/native workarounds are detailed on the - <a href="security-native.html">APR/native connector security page</a>. - </p> - - <p>Users should be aware that the impact of disabling renegotiation will - vary with both application and client. In some circumstances disabling - renegotiation may result in some clients being unable to access the - application.</p> - - <p>This was worked-around in - <revlink rev="882320">revision 891292</revlink>.</p> - - <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not - have this security issue:</p> - - <ul> - <li>For connectors using JSSE implementation provided by JVM: - Added in Tomcat 7.0.8.<br /> - Requires JRE that supports RFC 5746. For Oracle JRE that is - <a rel="nofollow" - href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a> - to be 6u22 or later. - </li> - <li>For connectors using APR and OpenSSL:<br /> - TBD. See - <a href="security-native.html">APR/native connector security page</a>. 
- </li> - </ul> + <p>No reports</p> </section> Modified: tomcat/site/trunk/xdocs/security.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=1510686&r1=1510685&r2=1510686&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security.xml (original) +++ tomcat/site/trunk/xdocs/security.xml Mon Aug 5 19:45:45 2013 @@ -25,6 +25,8 @@ <p>Lists of security problems fixed in released versions of Apache Tomcat are available:</p> <ul> + <li><a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities + </a></li> <li><a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities </a></li> <li><a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
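Review bot: in the security-8.xml hunk, reducing the "Not a vulnerability in Tomcat" section to `<p>No reports</p>` drops guidance that is not specific to 7.x. The removed CVE-2012-5568 entry records that one-byte-at-a-time requests against the BIO or APR/native HTTP connectors are treated as a generic DoS problem rather than a Tomcat vulnerability, with the pointer to the mailing-list discussion, and the removed CVE-2009-3555 entry documents the `allowUnsafeLegacyRenegotiation` connector attribute (default `false`) and the RFC 5746 JRE requirement for JSSE connectors. Unless those statements no longer hold for 8.0, consider carrying them over with updated "Affects" ranges instead of the placeholder; "No reports" also reads oddly in a section that lists issues which are not vulnerabilities, where a "None" line would be clearer. Minor style point: the new section's `rtext="released 1 August 2013"` spells out the month, while every other section in this file abbreviates it (`rtext="released 6 Apr 2011"`).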