Bug: Apache Tomcat's default security policy is too open ( Ascii Version )

Search:
WLB2

Apache Tomcat's default security policy is too open

Published
Credit
Risk
2007.12.28
Delian Krustev
Low
CWE
CVE
Local
Remote
CWE-264
CVE-2007-5342
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.4/10
4.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2007-5342: Tomcat's default security policy is too open

Severity:
Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict this
configuration and allows an untrusted web application to add files or
overwrite existing files where the Tomcat process has the necessary file
permissions to do so.

Mitigation:
Apply the following patch to the catalina.policy file
http://svn.apache.org/viewvc?rev=606594&view=rev
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
This patch is also included at the end of this announcement

Example:
An application could have its own WEB-INF/classes/logging.properties

handlers = org.apache.juli.FileHandler
org.apache.juli.FileHandler.level = FINE
org.apache.juli.FileHandler.directory = ${catalina.base}/logs
org.apache.juli.FileHandler.prefix = mylog.

Credit:
This issue was discovered by Delian Krustev.

References:
http://tomcat.apache.org/security.html

Mark Thomas

*** Patch starts below this line ***
Index: catalina.policy
===================================================================
- --- catalina.policy (revision 606588)
+++ catalina.policy (working copy)
@@ -62,7 +62,19 @@

// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
- - permission java.security.AllPermission;
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.io.FilePermission
"${catalina.base}${file.separator}conf${file.separator}logging.propertie
s", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.logging.LoggingPermission "control";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*",
"read, write";
+ permission java.lang.RuntimePermission "getClassLoader";
+ // To enable per context logging configuration, permit read access to the appropriate file.
+ // Be sure that the logging configuration is secure before enabling such access
+ // eg for the examples web application:
+ // permission java.io.FilePermission
"${catalina.base}${file.separator}webapps${file.separator}examples${file
.separator}WEB-INF${file.separator}classes${file.separator}logging.prope
rties", "read";
};

// These permissions apply to the server startup code

*** Patch ends above this line ***

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHbrZQb7IeiTPGAkMRAhg1AJ4ydvIa2WIuHN8x3TKGD01xReatbgCfTtj2
8TzsMaXSUzeuEvnOuY5fmCo=
=N5J9
-----END PGP SIGNATURE-----

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version