Lucene search

K
archlinuxArchLinuxASA-201706-7
HistoryJun 06, 2017 - 12:00 a.m.

[ASA-201706-7] tomcat8: access restriction bypass

2017-06-0600:00:00
security.archlinux.org
20

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.009

Percentile

82.7%

Arch Linux Security Advisory ASA-201706-7

Severity: High
Date : 2017-06-06
CVE-ID : CVE-2017-5664
Package : tomcat8
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-291

Summary

The package tomcat8 before version 8.0.44-1 is vulnerable to access
restriction bypass.

Resolution

Upgrade to 8.0.44-1.

pacman -Syu “tomcat8>=8.0.44-1”

The problem has been fixed upstream in version 8.0.44.

Workaround

None.

Description

A security issue has been found in Apache Tomcat < 7.0.18 and < 8.0.44.
The error page mechanism of the Java Servlet Specification requires
that, when an error occurs and an error page is configured for the
error that occurred, the original request and response are forwarded to
the error page. This means that the request is presented to the error
page with the original HTTP method. If the error page is a static file,
expected behaviour is to serve the content of the file as if processing
a GET request, regardless of the actual HTTP method. Tomcat’s Default
Servlet did not do this. Depending on the original request this could
lead to unexpected and undesirable results for static error pages
including, if the DefaultServlet is configured to permit writes, the
replacement or removal of the custom error page.

Impact

A remote attacker can alter, replace or remove the custom error page of
an affected server by sending an HTTP request with a specific method.

References

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491
https://security.archlinux.org/CVE-2017-5664

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanytomcat8< 8.0.44-1UNKNOWN

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.009

Percentile

82.7%