Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10



Category: Security
Release Phase: Resolved
Bug Id: 6575001
Product: Solaris 9 Operating System, Solaris 10 Operating System
Date of Workaround Release: 30-Jun-2008
Date of Resolved Release: 04-Sep-2008

Security Vulnerabilities in Tomcat 4.0  (see below)


1. Impact

There are several vulnerabilities in the Tomcat JSP/Servlet container
which affect Tomcat 4.0 bundled in Solaris 10 and Solaris 9.

These issues may allow a remote or local unprivileged user to cause
a denial of service (DoS), inject arbitrary web script or HTML via
Cross-Site Scripting (XSS) attempts, read arbitrary files and
source code from the server, or obtain the installation path and
other sensitive information.

Additional information regarding these issues is available at:
    * Apache Tomcat 4.x vulnerabilities:
http://tomcat.apache.org/security-4.html

    * CVE-2002-1148 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148

    * CVE-2002-1394 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394

    * CVE-2002-2006 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006

    * CVE-2003-0866 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866

    * CVE-2005-2090 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090

    * CVE-2005-3164 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164

    * CVE-2005-3510 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510

    * CVE-2006-3835 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835

    * CVE-2007-0450 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

    * CVE-2007-1355 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355

    * CVE-2007-1358 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358

    * CVE-2007-2450 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450

    * CVE-2007-5461 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
x86 Platform

A system is only vulnerable to the described issues if Tomcat 4.0
has been configured and is running on the system.

The following command can be executed to determine if the Tomcat 4.0
JSP/Servlet container is currently running on the system:

$ /usr/bin/ps -ef | grep "usr/apache/tomcat/bin"
nobody 11157 1 1 09:18:13 pts/1 0:09 /usr/java/bin/java -Djava.endorsed.dirs=/usr/apache/tomcat/bin:/usr/apache/tomc


Note: Solaris 8 does not include support for Tomcat and so it
is not impacted by these issues.

3. Symptoms

There are no predictable symptoms that would indicate the described
issues have been exploited on a system.

4. Workaround

There is no workaround. Please see Resolution section below.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform
  • Solaris 9 with patches 114016-02 and 113146-11 or later
  • Solaris 10 with patch 122911-12 or later
x86 Platform
  • Solaris 9 with patches 114017-02 and 114145-10 or later
  • Solaris 10 with patch 122912-12 or later

Note 1:

The above patches will install Tomcat 5.5 alongside the originally
shipped version 4.0. After installation, existing applications should
be migrated to the new version and the old version should be
decommissioned, in order to fully resolve these issues.

Note 2:

Tomcat 5.5 is installed by the patch in the following paths:
/usr/apache/tomcat55 and /var/apache/tomcat55 (the original version
4.0 remains in /usr/apache/tomcat and /var/apache/tomcat).

Note 3:

Tomcat 5.5 is started when the Apache 1.3 Web Server is started,
if the Tomcat 5.5 configuration file
/var/apache/tomcat55/conf/server.xml exists and the Apache 1.3 Web
Server configuration file /etc/apache/httpd.conf includes
/etc/apache/tomcat.conf (this file enables the Apache Web Server
Tomcat connector).

The existing Tomcat 4.0 is still started, as before, together with
the Apache 1.3 Web Server if the Tomcat 4.0 configuration file
/var/apache/tomcat/conf/server.xml exists and the Apache 1.3 Web
Server configuration file /etc/apache/httpd.conf includes
/etc/apache/tomcat.conf. However, it will now only start if there
is no configuration file for Tomcat 5.5 located at
/var/apache/tomcat55/conf/server.xml.
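The following POSIX sh functions are an added example, not part of this Sun Alert or of Sun's patches. They model two checks an administrator would want after reading sections 2 and 5 and Note 3: which container the Apache 1.3 start-up rule would launch given the server.xml files present, and whether the required patch revisions are installed. The paths /var/apache and /etc/apache/httpd.conf come from Notes 2 and 3; the "Patch: NNNNNN-RR ..." line format of "showrev -p" output is an assumption of the example, and both inputs are passed as parameters so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not part of the Sun Alert): model the Note 3 start-up
# rule and the section 5 patch requirement. Paths and the showrev listing
# are parameters; on a real host they would be /var/apache,
# /etc/apache/httpd.conf and the output of "showrev -p" (assumed format).

# tomcat_start_target VAR_ROOT HTTPD_CONF
# Prints "tomcat55", "tomcat40" or "none". Exit status: 0 for tomcat55,
# 2 if the vulnerable 4.0 container would still be started, 1 otherwise.
tomcat_start_target() {
    var_root=$1
    httpd_conf=$2
    # The connector is only active if httpd.conf includes tomcat.conf
    # (Apache 1.3 syntax: "Include /etc/apache/tomcat.conf"); a
    # commented-out Include does not count.
    if ! grep '^[[:space:]]*Include[[:space:]]*/etc/apache/tomcat.conf' \
            "$httpd_conf" >/dev/null 2>&1; then
        echo none
        return 1
    fi
    if [ -f "$var_root/tomcat55/conf/server.xml" ]; then
        echo tomcat55        # 5.5 wins whenever its server.xml exists
        return 0
    elif [ -f "$var_root/tomcat/conf/server.xml" ]; then
        echo tomcat40        # old 4.0 still starts: migration incomplete
        return 2
    fi
    echo none
    return 1
}

# patch_at_least SHOWREV_FILE BASE MINREV
# SHOWREV_FILE holds "showrev -p" style lines ("Patch: 122911-12 ...").
# Succeeds if patch BASE is installed at revision MINREV or later, e.g.
# patch_at_least showrev.txt 122911 12 for Solaris 10 SPARC.
patch_at_least() {
    file=$1
    base=$2
    minrev=$(echo "$3" | sed 's/^0*//')
    for rev in $(sed -n "s/^Patch: $base-\([0-9][0-9]*\).*/\1/p" "$file"); do
        rev=$(echo "$rev" | sed 's/^0*//')   # "02" must not parse as octal
        if [ "${rev:-0}" -ge "${minrev:-0}" ]; then
            return 0
        fi
    done
    return 1
}
```

For Solaris 9 both listed patches must pass the check; for Solaris 10 the single patch is enough, and the start-up check should then report tomcat55 once the 5.5 server.xml is in place.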

Note 4:

When using Tomcat 4.0 with the Apache 1.3 Web Server Tomcat connector
mod_webapp.so, you will also need to migrate to mod_jk.so (by
modifying the /etc/apache/tomcat.conf file, which will have been
updated during patch installation and which contains some limited
documentation in its comments).

Note 5:

Some of the vulnerabilities listed may require reconfiguration or
other mitigation in order to fully avoid exposure. See the advisory
published by the Apache organization for further details about each
vulnerability:

http://tomcat.apache.org/security-4.html


For more information on Security Sun Alerts, see Technical Instruction ID 213557
http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


Modification History

04-Sep-2008: Updated Contributing Factors and Resolution sections. Resolved.




Article Details
Article ID : 239312
Article Type : Sun Alert
Last reviewed : 2008-09-05
Audience : PUBLIC