Arch Linux Security Advisory ASA-201706-7

Severity: High
Date : 2017-06-06
CVE-ID : CVE-2017-5664
Package : tomcat8
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-291

Summary

The package tomcat8 before version 8.0.44-1 is vulnerable to access
restriction bypass.

Resolution

Upgrade to 8.0.44-1.

pacman -Syu “tomcat8>=8.0.44-1”

The problem has been fixed upstream in version 8.0.44.

Workaround

None.

Description

A security issue has been found in Apache Tomcat < 7.0.18 and < 8.0.44.
The error page mechanism of the Java Servlet Specification requires
that, when an error occurs and an error page is configured for the
error that occurred, the original request and response are forwarded to
the error page. This means that the request is presented to the error
page with the original HTTP method. If the error page is a static file,
expected behaviour is to serve the content of the file as if processing
a GET request, regardless of the actual HTTP method. Tomcat’s Default
Servlet did not do this. Depending on the original request this could
lead to unexpected and undesirable results for static error pages
including, if the DefaultServlet is configured to permit writes, the
replacement or removal of the custom error page.

Impact

A remote attacker can alter, replace or remove the custom error page of
an affected server by sending an HTTP request with a specific method.

References

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491
https://security.archlinux.org/CVE-2017-5664