
Vulnerability of Apache Tomcat: directory traversal of ServletContext

Synthesis of the vulnerability

An attacker who is allowed to deploy a malicious web application on the server can traverse directories through the ServletContext of Apache Tomcat, in order to list the content of a directory outside the web application root, despite the Security Manager.
Severity of this bulletin: 2/4.
Creation date: 22/02/2016.
References of this threat: 1980693, 1981632, 1983989, bulletinjan2016, c05054964, c05150442, cpujul2018, CVE-2015-5174, DSA-3530-1, DSA-3552-1, DSA-3609-1, HPSBUX03561, HPSBUX03606, JSA10838, K30971148, NTAP-20180531-0001, openSUSE-SU-2016:0865-1, RHSA-2016:1432-01, RHSA-2016:1433-01, RHSA-2016:1434-01, RHSA-2016:1435-01, RHSA-2016:2045-01, RHSA-2016:2599-02, SOL30971148, SUSE-SU-2016:0769-1, SUSE-SU-2016:0822-1, SUSE-SU-2016:0839-1, USN-3024-1, VIGILANCE-VUL-18993.

Description of the vulnerability

Apache Tomcat can run a web application from an untrusted source under a Java Security Manager, which is meant to confine the application to its own resources.

However, the getResource(), getResourceAsStream() and getResourcePaths() methods of ServletContext insert the caller-supplied path directly into the path used to access resources. The check that is supposed to keep that path inside the web application did not reject a path such as "/..", so a web application can use it to reach the parent directory.

An attacker who is allowed to deploy a malicious web application on the server can therefore traverse directories through the ServletContext of Apache Tomcat, in order to list the content of a directory outside the web application root (for example the directory holding the other deployed applications), bypassing the restriction the Security Manager is supposed to enforce.
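The following Python model of the resource-path check is added here as an example; it is not Tomcat's source code. It shows why a path that merely ends in "/.." slips past a normaliser that only resolves "/../" sequences, how the fixed behaviour rejects it, and how a realpath containment check catches the escape even with the buggy normaliser. The simplified normalisation steps, the function names, and the constructed temporary layout (an application "app" deployed beside a sibling "manager" application) are assumptions for illustration.

```python
"""Model of the resource-path check behind CVE-2015-5174.

Added example, not Tomcat source code. ServletContext.getResource(),
getResourceAsStream() and getResourcePaths() resolve a caller-supplied
path against the web application's document base. The normaliser modelled
here rejects "/../" sequences that would climb above the root, but the
pre-fix variant does not treat a path that merely *ends* in "/.." the same
way, so "/.." resolves to the parent of the docBase.
"""
import os
import tempfile


def _normalize_common(path):
    """Shared steps: add leading '/', collapse '//' and '/./', resolve '/../'.
    Returns None when a '/../' would climb above the root."""
    if not path.startswith("/"):
        path = "/" + path
    while "//" in path:
        path = path.replace("//", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    while True:
        idx = path.find("/../")
        if idx < 0:
            return path
        if idx == 0:
            return None  # trying to go outside the web application: reject
        prev = path.rfind("/", 0, idx)
        path = path[:prev] + path[idx + 3:]


def normalize_pre_fix(path):
    """Vulnerable behaviour (assumed simplification): a trailing '/..' never
    matches '/../', so it survives normalisation unchanged."""
    return _normalize_common(path)


def normalize_fixed(path):
    """Fixed behaviour: give a trailing '/.' or '/..' a slash first, so the
    '/../' resolution (and its root-escape rejection) applies to it too."""
    if path.endswith("/..") or path.endswith("/."):
        path += "/"
    return _normalize_common(path)


def inside_root(doc_base, target):
    """Defence in depth: after resolving symlinks, is target within doc_base?"""
    root = os.path.realpath(doc_base)
    real = os.path.realpath(target)
    return real == root or real.startswith(root + os.sep)


def get_resource_paths(doc_base, path, normalizer, enforce_root=False):
    """Model of getResourcePaths(): list the directory at `path` inside
    `doc_base`, or return None when the path is rejected or not a directory."""
    normalized = normalizer(path)
    if normalized is None:
        return None
    target = os.path.join(doc_base, normalized.lstrip("/"))
    if enforce_root and not inside_root(doc_base, target):
        return None
    if not os.path.isdir(target):
        return None
    return sorted(os.listdir(target))


def demo():
    """Constructed layout: webapps/app (the attacker's app) beside
    webapps/manager (a sibling the app must not be able to enumerate)."""
    with tempfile.TemporaryDirectory() as webapps:
        app = os.path.join(webapps, "app")
        os.makedirs(os.path.join(app, "WEB-INF"))
        os.makedirs(os.path.join(webapps, "manager"))
        return {
            # pre-fix: "/.." is accepted and lists the parent (webapps) directory
            "pre_fix": get_resource_paths(app, "/..", normalize_pre_fix),
            # fixed normaliser rejects "/.."
            "fixed": get_resource_paths(app, "/..", normalize_fixed),
            # the buggy normaliser is still caught by the containment check
            "pre_fix_with_root_check": get_resource_paths(
                app, "/..", normalize_pre_fix, enforce_root=True),
            # a path that climbs back to the root is legitimate and still works
            "fixed_legit": get_resource_paths(app, "/WEB-INF/..", normalize_fixed),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The containment check in inside_root() is the layer worth keeping in any code of your own that maps caller-supplied paths onto a directory: it does not depend on getting every string-normalisation corner case right, because it compares the resolved target against the resolved root.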

This threat impacts software or systems such as Tomcat, Debian, BIG-IP Hardware, TMOS, HP-UX, QRadar SIEM, Tivoli Directory Server, Junos Space, Snap Creator Framework, openSUSE Leap, Oracle Communications, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

The Vigil@nce team rates the severity of this threat as medium.

Trust level: confirmed by the vendor, based on a vendor document.

Exploiting this vulnerability requires expert skill.

Solutions for this threat

Apache Tomcat: version 8.0.27.
The version 8.0.27 is fixed:
  http://tomcat.apache.org/download-80.cgi

Apache Tomcat: version 7.0.65.
The version 7.0.65 is fixed:
  http://tomcat.apache.org/download-70.cgi

Apache Tomcat: version 6.0.45.
The version 6.0.45 is fixed:
  http://tomcat.apache.org/download-60.cgi

Debian: new tomcat6 packages.
New packages are available:
  Debian 7: tomcat6 6.0.45+dfsg-1~deb7u1

Debian: new tomcat7 packages.
New packages are available:
  Debian 7: tomcat7 7.0.28-4+deb7u4
  Debian 8: tomcat7 7.0.56-3+deb8u2

Debian: new tomcat8 packages.
New packages are available:
  Debian 8: tomcat8 8.0.14-1+deb8u2

F5 BIG-IP: solution for Tomcat 6.
The solution is indicated in information sources.

HP-UX: Tomcat version 6.0.45.01.
Tomcat version 6.0.45.01 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW407

HP-UX: version D.7.0.68.01.
The version D.7.0.68.01 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWST706801

IBM QRadar SIEM: patch for Tomcat.
A patch is indicated in information sources.

IBM Rational Directory Server: patch for Tomcat.
A patch is indicated in information sources.

IBM TADDM: patch for Tomcat.
A patch is indicated in information sources.

Junos Space: fixed versions.
Fixed versions are indicated in information sources.

NetApp Snap Creator Framework: patch for Tomcat.
A patch is available:
  https://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3P1/

openSUSE Leap 42.1: new tomcat packages.
New packages are available:
  openSUSE Leap 42.1: tomcat 8.0.32-5.1

Oracle Communications: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2410237.1
  https://support.oracle.com/rs?type=doc&id=2406191.1
  https://support.oracle.com/rs?type=doc&id=2410234.1
  https://support.oracle.com/rs?type=doc&id=2408211.1
  https://support.oracle.com/rs?type=doc&id=2406689.1
  https://support.oracle.com/rs?type=doc&id=2408212.1
  https://support.oracle.com/rs?type=doc&id=2410243.1
  https://support.oracle.com/rs?type=doc&id=2410198.1

Red Hat JBoss EAP: version 6.4.9.
The version 6.4.9 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

RHEL 6.8: new tomcat6 packages.
New packages are available:
  RHEL 6: tomcat6 6.0.24-98.el6_8

RHEL 7: new tomcat packages.
New packages are available:
  RHEL 7: tomcat 7.0.69-10.el7

Solaris: patch for Third Party 03/2016.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 11: new tomcat6 packages.
New packages are available:
  SUSE LE 11 SP4: tomcat6 6.0.45-0.50.1

SUSE LE 12: new tomcat packages.
New packages are available:
  SUSE LE 12 RTM: tomcat 7.0.68-7.6.1
  SUSE LE 12 SP1: tomcat 8.0.32-3.1

Ubuntu: new tomcat packages.
New packages are available:
  Ubuntu 16.04 LTS: libtomcat7-java 7.0.68-1ubuntu0.1
  Ubuntu 15.10: libtomcat7-java 7.0.64-1ubuntu0.3
  Ubuntu 14.04 LTS: libtomcat7-java 7.0.52-1ubuntu0.6
  Ubuntu 12.04 LTS: libtomcat6-java 6.0.35-1ubuntu3.7
