[arch-security] [ASA-201706-6] tomcat7: access restriction bypass
Remi Gacogne
rgacogne at archlinux.org
Tue Jun 6 12:27:41 UTC 2017
Arch Linux Security Advisory ASA-201706-6
=========================================
Severity: High
Date : 2017-06-06
CVE-ID : CVE-2017-5664
Package : tomcat7
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-290
Summary
=======
The package tomcat7 before version 7.0.78-1 is vulnerable to access
restriction bypass.
Resolution
==========
Upgrade to 7.0.78-1.
# pacman -Syu "tomcat7>=7.0.78-1"
The problem has been fixed upstream in version 7.0.78.
Workaround
==========
None.
Description
===========
A security issue has been found in Apache Tomcat < 7.0.18 and < 8.0.44.
The error page mechanism of the Java Servlet Specification requires
that, when an error occurs and an error page is configured for the
error that occurred, the original request and response are forwarded to
the error page. This means that the request is presented to the error
page with the original HTTP method. If the error page is a static file,
expected behaviour is to serve the content of the file as if processing
a GET request, regardless of the actual HTTP method. Tomcat's Default
Servlet did not do this. Depending on the original request this could
lead to unexpected and undesirable results for static error pages
including, if the DefaultServlet is configured to permit writes, the
replacement or removal of the custom error page.
Impact
======
A remote attacker can alter, replace or remove the custom error page of
an affected server by sending an HTTP request with a specific method.
References
==========
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491
https://security.archlinux.org/CVE-2017-5664
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170606/b45f9dd8/attachment.asc>
More information about the arch-security
mailing list