ID

VAR-200810-0184

CVE

CVE-2008-3271

TITLE

Apache Tomcat allows access from a non-permitted IP address

DESCRIPTION

Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-premitted IP address to gain access. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context. This vulnerability was addressed and solved in ASF Bugzilla - Bug 25835. However there was no description regarding this vulnerability in ASF Bugzilla - Bug 25835. Therefore, The Apache Tomcat Development Team has decided to publish an advisory regarding this issue. Kenichi Tsukamoto of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.Impact varies depending on the accessed context by the non-permitted IP address. For example information disclosure may be possible as a result. Apache Tomcat is prone to a security-bypass vulnerability related to extensions of 'RemoteFilterValve'. Attackers may be able to bypass certain access restrictions. The following versions are vulnerable: Tomcat 4.1.0 through 4.1.32 Tomcat 5.5.0. TITLE: Apache Tomcat Directory Listing Denial of Service SECUNIA ADVISORY ID: SA17416 VERIFY ADVISORY: http://secunia.com/advisories/17416/ CRITICAL: Not critical IMPACT: DoS WHERE: >From remote SOFTWARE: Apache Tomcat 5.x http://secunia.com/product/3571/ DESCRIPTION: David Maciejak has discovered a vulnerability in Apache Tomcat, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the inefficient generation of directory listing for web directories that has a large number of files. By sending multiple concurrent requests for such a directory, it is possible to prevent other users from accessing the directory and causes the server to consume a large amount of CPU resources. The vulnerability affects only the directory that is being listed. Files or applications in other web directories are not affected. Successful exploitation requires that directory listing is enabled in a directory with a large number of files. The vulnerability has been confirmed in Tomcat version 5.5.11 and 5.5.12 on the Windows platform, and has been reported in versions 5.5.0 through 5.5.11. Other versions may also be affected. Note: In version 5.5.12, the server will resume normal operation after a few minutes. SOLUTION: The vulnerability has been partially addressed in version 5.5.12, which will resume normal operation after a few minutes. Disable directory listing for web directories that has a large number of files. PROVIDED AND/OR DISCOVERED BY: David Maciejak ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Mitigation: Upgrade to: 4.1.32 or later 5.5.1 or later 6.0.0 or later Example: This has only been reproduced using a debugger to force a particular processing sequence across two threads. 1. Set a breakpoint right after the place where a value is to be entered in the instance variable of regexp (search:org.apache.regexp.CharacterIterator). 2. Send a request from the IP address* which is not permitted. (stopped at the breakpoint) *About the IP address which is not permitted. The character strings length of the IP address which is set in RemoteAddrValve must be same. 3. Send a request from the IP address which was set in RemoteAddrValve. (stopped at the breakpoint) In this way, the instance variable is to be overwritten here. 4. Resume the thread which is processing the step 2 above. 5. The request from the not permitted IP address will succeed. References: http://tomcat.apache.org/security.html Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj =9Z/F -----END PGP SIGNATURE----- . Apache Tomcat 5.x: Update to version 5.5.1 or later. SOLUTION: Patches are scheduled for release. Use a proxy or firewall to protect resources. Version 5.5.x is intented for servlet/jsp specification 2.4/2.0. More information on http://tomcat.apache.org/ Description: Many time consuming directory listing requests can cause a denial of service. Detection/PoC: On Linux: Vulnerable version tested are 5.5.0 to 5.5.11. 5.5.12 and 5.0.28 seems not to be impacted. A easy way to test : -Download Tomcat package from Tomcat archive -Unpack it, use default configuration -In webapps example dir, add some empty files (enough for the dir listing request to be long) -Thread many listing access on this directory Workaround: Upgrade to linux version 5.5.12 PS: Secunia team have done more test available on http://secunia.com/advisories/17416/ David Maciejak -------------------------------------------------------------------------------- KYXAR.FR - Mail envoy\xe9 depuis http://webmail.kyxar.fr . ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: NEC WebOTX Products "RemoteFilterValve" Security Bypass Security Issue SECUNIA ADVISORY ID: SA35684 VERIFY ADVISORY: http://secunia.com/advisories/35684/ DESCRIPTION: A security issue has been reported in various NEC WebOTX products, which potentially can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to a synchronisation problem when checking IP addresses and can be exploited to bypass a filter valve that extends "RemoteFilterValve" and potentially gain access to protected contexts. The security issue is reported in the following products and versions: * WebOTX Web Edition version 4.x through 5.x * WebOTX Standard-J Edition version 4.x through 5.x * WebOTX Standard Edition version 4.x through 5.x * WebOTX Enterprise Edition version 4.x through 5.x * WebOTX UDDI Registry version 1.1 through 2.1 SOLUTION: Reportedly, patches are available. Contact the vendor's sales department for more information. For more information: SA32213 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

permissions and access control issues

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Kenichi Tsukamoto

SOURCES

LAST UPDATE DATE

2024-08-14T12:57:31.635000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE