The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Tomcat: ignored ServletSecurity annotation

Summary of the vulnerability

An attacker can call HTTP methods that @ServletSecurity annotations should have blocked.
Impacted products: Tomcat.
Severity of this bulletin: 3/4.
Creation date: 17/05/2011.
Revision date: 18/05/2011.
References for this threat: BID-47886, CERTA-2011-AVI-301, CVE-2011-1582, VIGILANCE-VUL-10665.

Description of the vulnerability 

In the Java language, an annotation attaches metadata to a program element. For example:
  @Deprecated public int myFunction() [the method is marked as deprecated]
  @TODO(...) public int myFunction() [a project-defined annotation marking code still to be written]

The @ServletSecurity annotation of Java EE 6 Servlet 3.0 restricts access to the doGet(), doHead(), doPost(), etc. methods of an HttpServlet class. For example:
  @ServletSecurity(@HttpConstraint(rolesAllowed={"..."})) [only the listed role(s) may call the servlet]
  @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY)) [no role is allowed: every request is refused]
  @ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL)) [HTTPS is mandatory]
A developer can use these constraints, together with @HttpMethodConstraint for per-method rules, to restrict access to the HTTP GET, HEAD, POST, etc. methods without declaring a <security-constraint> in web.xml.

However, Tomcat 7 ignores these annotations on the first request made to the servlet after it is loaded: the security constraint is only enforced from the second request onward.

An attacker who sends the first request to a freshly loaded servlet can therefore call HTTP methods that the @ServletSecurity annotations should have blocked.
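The following servlet is an added example, not code from the Vigil@nce bulletin or from Apache Tomcat. It shows the three kinds of constraint described above combined on one servlet: a DENY default for every method not listed, role restrictions per method, and a CONFIDENTIAL transport guarantee. The class name SecureReportServlet, the /report URL pattern and the "viewer" and "admin" roles are assumptions; the web application is assumed to have a realm and a <login-config> configured so that the container can authenticate users.

```java
// Added example, not code from the Vigil@nce bulletin or from Apache Tomcat.
// Assumed names: the SecureReportServlet class, the /report URL pattern and the
// "viewer" and "admin" roles. Requires a Servlet 3.0 container (Tomcat 7) with a
// realm and a <login-config> configured for the web application.
import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/report")
@DeclareRoles({"viewer", "admin"})
@ServletSecurity(
    // Default constraint: every HTTP method not listed in httpMethodConstraints
    // (HEAD, PUT, DELETE, OPTIONS, TRACE, ...) is denied to everyone.
    value = @HttpConstraint(EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        // GET: an authenticated "viewer" or "admin", and only over HTTPS.
        @HttpMethodConstraint(value = "GET",
                              rolesAllowed = {"viewer", "admin"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // POST: "admin" only, and only over HTTPS.
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = {"admin"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class SecureReportServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth against a container that skipped the annotation
        // (the bulletin's case): re-check what the constraint should have enforced.
        if (!enforced(req, "viewer") && !enforced(req, "admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + req.getRemoteUser() + " secure=" + req.isSecure());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!enforced(req, "admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report regenerated by " + req.getRemoteUser());
    }

    // True only if the request arrived over TLS from an authenticated principal
    // holding the given role, i.e. exactly what the @HttpMethodConstraint demands.
    private static boolean enforced(HttpServletRequest req, String role) {
        return req.isSecure()
            && req.getUserPrincipal() != null
            && req.isUserInRole(role);
    }
}
```

The container remains the primary enforcement point; the in-servlet check only limits the damage if the container skips the annotation, and upgrading to a corrected Tomcat is the real fix. To test a deployment for the behaviour described in this bulletin, restart Tomcat (or redeploy the web application) and send the same unauthenticated request twice, for example `curl -k -i https://host/app/report` run twice in a row. A correct container answers both requests identically with its own 401 (or a redirect to the login form). A first answer that differs from the second, such as a 200, or the servlet's own 403 from the defensive check above, followed by the container's 401, shows that the constraint was not applied to the first request.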
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability note impacts software or systems such as Tomcat.

Our Vigil@nce team determined that the severity of this vulnerability is important.

The trust level is "confirmed by the editor", and the attack origin is an Internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

Tomcat: version 7.0.14.
Version 7.0.14 corrects this vulnerability:
  http://tomcat.apache.org/download-70.cgi

Computer vulnerabilities tracking service 

Vigil@nce provides software vulnerability notes. Each administrator can customize the list of products for which they want to receive vulnerability alerts.