Apache Tomcat 6.0.20 and 5.5.28 unexpected file deletion in work directory

2010.01.29

Credit: Mark Thomas

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2009-2902

CWE: CWE-2000

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also
affected.
Description:
When deploying WAR files, the WAR file names were not checked for
directory traversal attempts. This allows an attacker to cause the
deletion of the current contents of the host's work directory which may
cause problems for currently running applications.
Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2693 and CVE-2009-2901.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.
Example:
Deploying and undeploying a WAR named "...war" causes the all files and
subdirectories in "work/<engine name>/<host name>" to be removed.
Credit:
This issue was discovered by the Apache Tomcat security team
References:
[1] http://tomcat.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJLXMGKAAoJEBDAHFovYFnnU3sP/2qKA+k8nmXoowqeUKfgTZyg
EJAtLvuTHFViDFeA7tDrh18pMzWUfPCu/sU8qXaiY71Dw6Fa8zcJ1SksP/WB4jmN
UDuSj9vm5INxjbANnniSpZ5+tfLukPz9I3vFIIpmT4xO2aGnbqTUWPmVb2Oitapp
ePH35D0OldLIL8O4TmdTK5LPw/qufbvEtegTlryJeyO9kWvqmK54W2cs60i+txiD
zwzoRJgmNd7e/DS8+jrGrSFgLiFQlEQraQ99OvvU9bi7DofEUA1HuxPV94Ck8oMc
xbcNlAgSMuqc0PuIff68rXP3M/4M96j/BFRRLsAqUPfXBZQBZ6vc/uOVG2JriIQU
psksw1zTf8pbUTtuY6EUry3SspTHWcMGJfoxtrXa0nVxGnTg5XI/joipbCbbcF6p
0npKt3IIEH6JYtZ2DbSO0w6QjFnCVV5v0mB1LrMQDy0SzfcYf6G0MnmD6hLYNsdz
83TRgicGCfcSqZdiZDJ2Kngwnjl/oHYx2A1SVOc4q0NoIlFnzF9qMqiLM5hM87LT
3FaFsDmeFwhUxo4JRGAFA+ft1UrYufCvCQy+ZW6fxPIW2Qz9aEq63MDVojdd2yf7
Z9JApNAiO6q1cJukOaworJiv1cbcZHp0SaWDJQIo4VFT2APD2DFU79vCseIusX4e
jcy9btzWclss+2hAA/XQ
=kJa8
-----END PGP SIGNATURE-----

References:

http://xforce.iss.net/xforce/xfdb/55857

http://www.vupen.com/english/advisories/2010/0213

http://www.securityfocus.com/bid/37945

http://www.securityfocus.com/archive/1/archive/1/509150/100/0/threaded

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-5.html

http://svn.apache.org/viewvc?rev=902650&view=rev

http://svn.apache.org/viewvc?rev=892815&view=rev

http://securitytracker.com/id?1023504

http://secunia.com/advisories/38346

http://secunia.com/advisories/38316

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Apache Tomcat 6.0.20 and 5.5.28 unexpected file deletion in work directory

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.