Bug 1042910 (CVE-2017-5664)

Summary: VUL-0: CVE-2017-5664: tomcat,tomcat6: Security constrained bypass in error page mechanism
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: astieger, ecsos, jsegitz, malbu, mantel, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/186305/
Whiteboard: CVSSv2:SUSE:CVE-2017-5664:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv3:SUSE:CVE-2017-5664:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2017-06-06 13:43:55 UTC
rh#1459158

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.

If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.

Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1793471
https://svn.apache.org/viewvc?view=revision&revision=1793491

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1793470
https://svn.apache.org/viewvc?view=revision&revision=1793489

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1793469
https://svn.apache.org/viewvc?view=revision&revision=1793488

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5664
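
Added example, not part of the bug report or of Tomcat's code: a defender's audit of a `web.xml` for the combination the description names, a DefaultServlet with `readonly` set to `false` together with static error pages, plus a check of an upstream version string against the affected ranges listed above. The sample descriptor is constructed, the function names are hypothetical, and treating any non-JSP file extension as a static page is an assumption.

```python
import posixpath
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Upstream affected ranges from the description: (major, minor) -> last affected patch level.
AFFECTED = {(7, 0): 77, (8, 0): 43, (8, 5): 14}

# Constructed sample descriptor, not taken from a real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
  <error-page><error-code>500</error-code><location>/errors/500.jsp</location></error-page>
</web-app>"""


def _text(el, name):
    """Text of the first direct child called `name`, ignoring the XML namespace."""
    for child in el:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return ""


def upstream_affected(version):
    """True if an upstream Tomcat version string falls in the ranges listed above."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return patch <= AFFECTED.get((major, minor), -1)


def audit_web_xml(xml_text):
    """Return (default_servlet_writable, static_error_page_locations)."""
    writable, static_pages = False, []
    for el in ET.fromstring(xml_text):
        kind = el.tag.rsplit("}", 1)[-1]
        if kind == "servlet" and _text(el, "servlet-class") == DEFAULT_SERVLET:
            for p in el:  # readonly defaults to true; only an explicit "false" permits writes
                if _text(p, "param-name") == "readonly" and _text(p, "param-value").lower() == "false":
                    writable = True
        elif kind == "error-page":
            loc = _text(el, "location")
            ext = posixpath.splitext(loc)[1].lower()
            # Assumption: a location with a non-JSP file extension is served as a static file.
            if ext and ext not in (".jsp", ".jspx"):
                static_pages.append(loc)
    return writable, static_pages


if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML), upstream_affected("8.0.43"))
```

The version check applies to upstream release numbers only: the SUSE updates recorded further down this page ship the fix under package versions such as tomcat-8.0.43-29.5.1, so a distribution package has to be judged by its release number and changelog rather than by the upstream range.
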
Comment 1 Andreas Stieger 2017-06-19 09:54:42 UTC
Eric, in your submission to Java:packages/tomcat:
https://build.opensuse.org/request/show/504598
Can you please reference this bug?
Comment 2 Eric Schirra 2017-06-19 17:06:05 UTC
(In reply to Andreas Stieger from comment #1)
> Eric, in your submission to Java:packages/tomcat:
> https://build.opensuse.org/request/show/504598
> Can you please reference this bug?

Okay.
I have done it.
Comment 3 Marcus Meissner 2017-07-05 09:59:10 UTC
seems also in tomcat6.
Comment 4 Marcus Meissner 2017-07-05 10:02:42 UTC
tomcat5 has the file and _might_ have the problem, but it looks a bit different in the default servlet
Comment 8 Marcus Meissner 2017-11-09 13:29:28 UTC
(back to bo... we need a bit cross check if tomcat6 and tomcat5 are affected)
Comment 10 Swamp Workflow Management 2017-11-22 14:08:20 UTC
SUSE-SU-2017:3039-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1019016,1042910,1053352,1059554,977410
CVE References: CVE-2017-12617,CVE-2017-5664,CVE-2017-7674
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tomcat-8.0.43-29.5.1
SUSE Linux Enterprise Server 12-SP3 (src):    tomcat-8.0.43-29.5.1
SUSE Linux Enterprise Server 12-SP2 (src):    tomcat-8.0.43-29.5.1
Comment 11 Swamp Workflow Management 2017-11-23 20:09:31 UTC
SUSE-SU-2017:3059-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1042910,1053352,1059551,1059554,977410
CVE References: CVE-2017-12615,CVE-2017-12616,CVE-2017-12617,CVE-2017-5664,CVE-2017-7674
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    tomcat-7.0.82-7.16.1
Comment 12 Swamp Workflow Management 2017-11-23 23:10:08 UTC
openSUSE-SU-2017:3069-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1019016,1042910,1053352,1059554,977410
CVE References: CVE-2017-12617,CVE-2017-5664,CVE-2017-7674
Sources used:
openSUSE Leap 42.3 (src):    tomcat-8.0.43-9.1
openSUSE Leap 42.2 (src):    tomcat-8.0.43-6.13.1
Comment 13 Swamp Workflow Management 2017-12-13 20:10:45 UTC
SUSE-SU-2017:3279-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1002639,1019016,1042910,1053352,1059554,977410
CVE References: CVE-2017-12617,CVE-2017-5664,CVE-2017-7674
Sources used:
SUSE OpenStack Cloud 6 (src):    tomcat-8.0.43-10.24.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    tomcat-8.0.43-10.24.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    tomcat-8.0.43-10.24.1
Comment 15 Marcus Meissner 2018-01-31 11:56:10 UTC
I think we got all.
Comment 20 Swamp Workflow Management 2018-06-29 13:30:38 UTC
SUSE-SU-2018:1847-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1042910,1082480
CVE References: CVE-2017-5664,CVE-2018-1304
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    tomcat6-6.0.53-0.57.7.1
Comment 23 Marcus Meissner 2018-10-12 15:15:23 UTC
released