The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: directory traversal of ServletContext

Synthesis of the vulnerability 

An attacker who is allowed to deploy a malicious web application on the server can traverse directories through the ServletContext of Apache Tomcat, in order to list the contents of a directory outside the web application's root path.
Impacted products: Tomcat, Debian, BIG-IP Hardware, TMOS, HP-UX, QRadar SIEM, Tivoli Directory Server, Junos Space, Snap Creator Framework, openSUSE Leap, Oracle Communications, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this bulletin: 2/4.
Creation date: 22/02/2016.
References of this threat: 1980693, 1981632, 1983989, bulletinjan2016, c05054964, c05150442, cpujul2018, CVE-2015-5174, DSA-3530-1, DSA-3552-1, DSA-3609-1, HPSBUX03561, HPSBUX03606, JSA10838, K30971148, NTAP-20180531-0001, openSUSE-SU-2016:0865-1, RHSA-2016:1432-01, RHSA-2016:1433-01, RHSA-2016:1434-01, RHSA-2016:1435-01, RHSA-2016:2045-01, RHSA-2016:2599-02, SOL30971148, SUSE-SU-2016:0769-1, SUSE-SU-2016:0822-1, SUSE-SU-2016:0839-1, USN-3024-1, VIGILANCE-VUL-18993.

Description of the vulnerability 

Apache Tomcat can run a web application from an untrusted source under a Java SecurityManager, which is intended to confine that application to its own resources.

However, the getResource(), getResourceAsStream() and getResourcePaths() methods of ServletContext used the application-supplied path directly when building the filesystem path, without normalizing it. A web application could therefore pass a path containing a "/.." sequence and reach the parent directory, for example "/../" to reach the webapps directory that contains the application.

An attacker who is allowed to deploy a malicious web application on the server can therefore traverse directories through the ServletContext of Apache Tomcat, in order to list the contents of a directory outside the web application's root path. Note that this is a bypass of the SecurityManager boundary: on a Tomcat instance run without a SecurityManager, a deployed web application already has full filesystem access as the Tomcat user, so the traversal grants nothing new there.
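As an added worked example (not Tomcat's own code: the class, the method names and the /opt/tomcat paths are invented for illustration), the following Java class contrasts a resource lookup that concatenates the application-supplied path onto the context's document base, which is what the vulnerable ServletContext methods effectively did, with a hardened lookup that normalizes the path first and returns null when a ".." segment would climb above the context root:

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical illustration of CVE-2015-5174 (not Tomcat's code).
 * A ServletContext-style resource lookup that appends an application-supplied
 * path to the web application's document base, beside a hardened version that
 * normalizes the path and refuses anything that escapes the context root.
 */
public class ResourcePathGuard {

    /** Vulnerable: "/.." segments are handed straight to the filesystem. */
    static File resolveUnchecked(File docBase, String path) {
        return new File(docBase, path);
    }

    /**
     * Normalize a context-relative path the way a hardened container would:
     * require a leading '/', drop empty and "." segments, resolve ".." against
     * the segments kept so far, and return null if ".." would climb above the
     * root. The caller treats null as "no such resource".
     */
    static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        List<String> kept = new ArrayList<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;               // "//" and "/./" add nothing
            }
            if (segment.equals("..")) {
                if (kept.isEmpty()) {
                    return null;        // would escape the context root
                }
                kept.remove(kept.size() - 1);
                continue;
            }
            kept.add(segment);
        }
        return "/" + String.join("/", kept);
    }

    /** Hardened: reject escaping paths before touching the filesystem. */
    static File resolveChecked(File docBase, String path) {
        String normalized = normalize(path);
        if (normalized == null) {
            return null;                // getResource() would return null here
        }
        return new File(docBase, normalized);
    }

    public static void main(String[] args) throws Exception {
        // Constructed layout for the demo: $CATALINA_BASE/webapps/app is the context root.
        File docBase = new File("/opt/tomcat/webapps/app");
        String[] probes = { "/WEB-INF/web.xml", "/WEB-INF/../index.jsp", "/../", "/../../conf/" };
        for (String p : probes) {
            File unchecked = resolveUnchecked(docBase, p).getCanonicalFile();
            File checked = resolveChecked(docBase, p);
            System.out.printf("%-22s unchecked -> %s%n", p, unchecked);
            System.out.printf("%-22s checked   -> %s%n", "", checked == null ? "rejected" : checked);
        }
    }
}
```

Compiled and run with javac and java, the unchecked resolution of "/../" canonicalizes to /opt/tomcat/webapps, the parent directory listing the bulletin describes, while the checked resolution rejects it and still accepts "/WEB-INF/../index.jsp" as "/index.jsp". Before relying on a distribution package version, confirm which Tomcat is actually running: from $CATALINA_HOME, java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo prints the server version string.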

Our Vigil@nce team determined that the severity of this computer threat is medium.

The trust level is: confirmed by the vendor, with a vendor document as origin.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

Apache Tomcat: version 8.0.27.
The version 8.0.27 is fixed:
  http://tomcat.apache.org/download-80.cgi

Apache Tomcat: version 7.0.65.
The version 7.0.65 is fixed:
  http://tomcat.apache.org/download-70.cgi

Apache Tomcat: version 6.0.45.
The version 6.0.45 is fixed:
  http://tomcat.apache.org/download-60.cgi

Debian: new tomcat6 packages.
New packages are available:
  Debian 7: tomcat6 6.0.45+dfsg-1~deb7u1

Debian: new tomcat7 packages.
New packages are available:
  Debian 7: tomcat7 7.0.28-4+deb7u4
  Debian 8: tomcat7 7.0.56-3+deb8u2

Debian: new tomcat8 packages.
New packages are available:
  Debian 8: tomcat8 8.0.14-1+deb8u2

F5 BIG-IP: solution for Tomcat 6.
The solution is indicated in information sources.

HP-UX: Tomcat version 6.0.45.01.
Tomcat version 6.0.45.01 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW407

HP-UX: version D.7.0.68.01.
The version D.7.0.68.01 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWST706801

IBM QRadar SIEM: patch for Tomcat.
A patch is indicated in information sources.

IBM Rational Directory Server: patch for Tomcat.
A patch is indicated in information sources.

IBM TADDM: patch for Tomcat.
A patch is indicated in information sources.

Junos Space: fixed versions.
Fixed versions are indicated in information sources.

NetApp Snap Creator Framework: patch for Tomcat.
A patch is available:
  https://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3P1/

openSUSE Leap 42.1: new tomcat packages.
New packages are available:
  openSUSE Leap 42.1: tomcat 8.0.32-5.1

Oracle Communications: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2410237.1
  https://support.oracle.com/rs?type=doc&id=2406191.1
  https://support.oracle.com/rs?type=doc&id=2410234.1
  https://support.oracle.com/rs?type=doc&id=2408211.1
  https://support.oracle.com/rs?type=doc&id=2406689.1
  https://support.oracle.com/rs?type=doc&id=2408212.1
  https://support.oracle.com/rs?type=doc&id=2410243.1
  https://support.oracle.com/rs?type=doc&id=2410198.1

Red Hat JBoss EAP: version 6.4.9.
The version 6.4.9 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

RHEL 6.8: new tomcat6 packages.
New packages are available:
  RHEL 6: tomcat6 6.0.24-98.el6_8

RHEL 7: new tomcat packages.
New packages are available:
  RHEL 7: tomcat 7.0.69-10.el7

Solaris: patch for Third Party 03/2016.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 11: new tomcat6 packages.
New packages are available:
  SUSE LE 11 SP4: tomcat6 6.0.45-0.50.1

SUSE LE 12: new tomcat packages.
New packages are available:
  SUSE LE 12 RTM: tomcat 7.0.68-7.6.1
  SUSE LE 12 SP1: tomcat 8.0.32-3.1

Ubuntu: new tomcat packages.
New packages are available:
  Ubuntu 16.04 LTS: libtomcat7-java 7.0.68-1ubuntu0.1
  Ubuntu 15.10: libtomcat7-java 7.0.64-1ubuntu0.3
  Ubuntu 14.04 LTS: libtomcat7-java 7.0.52-1ubuntu0.6
  Ubuntu 12.04 LTS: libtomcat6-java 6.0.35-1ubuntu3.7