Security Vulnerabilities in Solaris Bundled Tomcat .. (see below)

1. Impact

There are five security vulnerabilities in the Tomcat JSP/Servlet container that
affect Tomcat 5.5 bundled in Solaris 9 and Solaris 10 and Tomcat 6 bundled in OpenSolaris.

The first vulnerability, Directory Traversal issue (CVE-2008-5515), may allow a remote
unprivileged user who provides a specially crafted request to a servlet which is using a
RequestDispatcher object to bypass access control and gain access to unauthorized data.

The second security vulnerability is Denial of Service (CVE-2009-0033). A remote
unprivileged user who provides specially crafted requests to Tomcat via the
AJP (Apache JServ Protocol) connector when it's being used with Apache mod_jk load
balancing, may cause Denial of Service (DoS) to this Tomcat service.

The third vulnerability, bypassing access control (CVE-2009-0580), may allow a remote
unprivileged user who provides a specially crafted URL to bypass access control and
gain access to unauthorized data when FORM based authentication is used with
the MemoryRealm, the DataSourceRealm or JDBCRealm.

The fourth vulnerability, Cross Site Scripting (CVE-2009-0781), may allow a remote
unprivileged user who provides a specially crafted HTTP request to the Tomcat example
JSP application Calendar to inject arbitrary web script and thus gain access to unauthorized data.

The fifth vulnerability, bypassing access control (CVE-2009-0783), may allow a user who
has been granted permission to provide web applications which are served by the Tomcat
instance, to view and modify content of other installed web applications by providing a crafted application.

Additional information regarding these issues is available at:

• Apache Tomcat 5.x vulnerabilities: http://tomcat.apache.org/security-5.html
• Apache Tomcat 6.x vulnerabilities: http://tomcat.apache.org/security-6.html
• CVE-2008-5515 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
• CVE-2009-0033 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
• CVE-2009-0580 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
• CVE-2009-0781 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
• CVE-2009-0783 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
  

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

• Solaris 9 without patch 114016-05
• Solaris 10 without patch 122911-17
• OpenSolaris based upon builds snv_01 through snv_117

x86 Platform

• Solaris 9 without patch 114017-05
• Solaris 10 without patch 122912-17
• OpenSolaris based upon builds snv_01 through snv_117
  

Note 1: OpenSolaris distributions may include additional bug fixes above
and beyond the build from which it was derived. To determine the base
build of OpenSolaris, the following command can be used:

    $ uname -v
     snv_111

Note 2: A system is only vulnerable to these issues if Tomcat has been
configured and is running on the system.

To determine if Tomcat 5.5 is installed on Solaris 10 or Solaris 9, a
command such as the following can be used:

    $ pkginfo SUNWtcatr
    system      SUNWtcatr      Tomcat Servlet/JSP Container (root)

Tomcat 5.5 can be configured to start in various different ways. For
assistance in determining if Tomcat is configured to run on the system,
consult the documentation which is usually available in the
"/var/apache/tomcat/webapps/tomcat-docs" directory.

To determine if Tomcat 6 is running on OpenSolaris, a command such as
the following can be used:

	$ svcs tomcat6
	STATE          STIME    FMRI
	online         Jun_23   svc:/network/http:tomcat6

Note 3: A system is only vulnerable to the first issue (CVE-2008-5515),
when servlet containers are making use of a RequestDispatcher object.
To determine if such a servlet is installed, search the directory where the
web applications are installed for the use of this object.

For Tomcat 5.5 on Solaris 10 and Solaris 9 a command such as the following can be used:

	$ find /var/apache/tomcat55/webapps -exec grep RequestDispatcher {} \; -print 
	getServletConfig().getServletContext().getRequestDispatcher("/jsptoserv/hello.jsp").forward(request, response);
	/var/apache/tomcat55/webapps/jsp-examples/WEB-INF/classes/servletToJsp.java

For Tomcat 6 on OpenSolaris a command such as the following can be used::

	$ find /var/tomcat6/webapps -exec grep RequestDispatcher {} \; -print
	getServletConfig().getServletContext().getRequestDispatcher("/jsp/jsptoserv/hello.jsp").forward(request, response);
	/var/tomcat6/webapps/examples/WEB-INF/classes/servletToJsp.java

Note 4: A system is only vulnerable to the second issue (CVE-2009-0033)
when Apache web server mod_jk load balancing is used. To determine if
the mod_jk load balancing is used, a command such as the following can
be run to search Jk worker file (JkWorkersFile is defined in the Apache
web server configuration files) for balance_workers property.

	$ grep balance_workers /etc/apache/workers.properties 
	worker.balancer.balance_workers=farm1,farm2

Note 5: Solaris 10 and 9 users of Tomcat 4.0 might be also vulnerable to these issues
and they should read Sun Alert ID 239312.

Note 6: Solaris 8 does not include support for Tomcat and so it is not impacted by these issues.

3. Symptoms

There are no predictable symptoms that would indicate that these issues have been exploited.

4. Workaround

There is no workaround for these issues please see Resolution below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 9 with patch 114016-05 or later
• Solaris 10 with patch 122911-17 or later
  
• OpenSolaris based upon builds snv_118 or later
  

x86 Platform

• Solaris 9 with patch 114017-05 or later
• Solaris 10 with patch 122912-17 or later
  
• OpenSolaris based upon builds snv_118 or later
  

For more information on Security Sun Alerts, see Technical Instruction ID 213557
http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

14-Jul-2009: Added Date of Preliminary Release.
09-Oct-2009: Updated Contributing Factors and Resolution sections. Now Resolved.

This solution has no attachment