=====================================================================
CERT-Renater Information Note No. 2008/VULN259
_____________________________________________________________________
DATE                 : 01/07/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Solaris 9, Solaris 10 running Tomcat 4.0.
======================================================================

http://sunsolve.sun.com/search/document.do?assetkey=1-66-239312-1
______________________________________________________________________

Solution Type              Sun Alert
Solution                   239312 : Security Vulnerabilities in Tomcat 4.0
                           Shipped with Solaris 9 and 10
Bug ID                     6575001
Product                    Solaris 9 Operating System
                           Solaris 10 Operating System
Date of Workaround Release 30-Jun-2008

SA Document Body

Security Vulnerabilities in Tomcat 4.0 (see below)

1. Impact

There are several vulnerabilities in the Tomcat JSP/Servlet container which
affect Tomcat 4.0 bundled in Solaris 10 and Solaris 9. These issues may allow
a remote or local unprivileged user to cause a denial of service (DoS), inject
arbitrary web script or HTML via Cross-Site Scripting (XSS) attempts, read
arbitrary files and source code from the server, or obtain the installation
path and other sensitive information.
Additional information regarding these issues is available at:

  * Apache Tomcat 4.x vulnerabilities:
    http://tomcat.apache.org/security-4.html
  * CVE-2002-1148 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148
  * CVE-2002-1394 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394
  * CVE-2002-2006 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006
  * CVE-2003-0866 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866
  * CVE-2005-2090 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
  * CVE-2005-3164 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164
  * CVE-2005-3510 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
  * CVE-2006-3835 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
  * CVE-2007-0450 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
  * CVE-2007-1355 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
  * CVE-2007-1358 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
  * CVE-2007-2450 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
  * CVE-2007-5461 at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  * Solaris 9
  * Solaris 10 without patch 122911-12

x86 Platform
  * Solaris 9
  * Solaris 10 without patch 122912-12

A system is only vulnerable to the described issues if Tomcat 4.0 has been
configured and is running on the system. The following command can be
executed to determine if the Tomcat 4.0 JSP/Servlet container is currently
running on the system:

  $ /usr/bin/ps -ef | grep "usr/apache/tomcat/bin"
  nobody 11157 1 1 09:18:13 pts/1 0:09 /usr/java/bin/java -Djava.endorsed.dirs=/usr/apache/tomcat/bin:/usr/apache/tomc

Note: Solaris 8 does not include support for Tomcat and so it is not impacted
by these issues.

3. Symptoms

There are no predictable symptoms that would indicate the described issues
have been exploited on a system.

4. Workaround

There is no workaround for these issues.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform
  * Solaris 10 with patch 122911-12 or later

x86 Platform
  * Solaris 10 with patch 122912-12 or later

A final resolution is pending completion for Solaris 9.

Note 1: The above patches will install Tomcat 5.5 alongside the version which
was originally shipped, version 4.0. After installation, existing applications
should be migrated to the new version and the old version should be
decommissioned, in order to fully resolve these issues.

Note 2: Tomcat 5.5 is installed via patch in the following paths:
/usr/apache/tomcat55 and /var/apache/tomcat55 (the original version 4.0
remains in /usr/apache/tomcat and /var/apache/tomcat).

Note 3: Tomcat 5.5 is started when the Apache 1.3 Web Server is started, if
the Tomcat 5.5 configuration file /var/apache/tomcat55/conf/server.xml exists
and the Apache 1.3 Web Server configuration file /etc/apache/httpd.conf
includes /etc/apache/tomcat.conf (this file enables the Apache Web Server
Tomcat connector). The existing Tomcat 4.0 is still started, as previously,
together with the Apache 1.3 Web Server if the Tomcat 4.0 configuration file
/var/apache/tomcat/conf/server.xml exists and the Apache 1.3 Web Server
configuration file /etc/apache/httpd.conf includes /etc/apache/tomcat.conf.
However, it will now only start if there is no configuration file for
Tomcat 5.5 located at /var/apache/tomcat55/conf/server.xml.

Note 4: When using Tomcat 4.0 with the Apache 1.3 Web Server Tomcat connector
mod_webapp.so, you will also need to migrate to mod_jk.so (by modifying the
/etc/apache/tomcat.conf file, which will have been updated during patch
install and which contains some limited documentation in the comments).
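A shell check that an administrator could run to assess exposure as described in sections 2 and 5 and in Note 3 above. It is an added example, not part of the Sun Alert or of the CERT-Renater note, and the function names are mine. It assumes that 'showrev -p' prints one "Patch: <id>-<rev> ..." line per installed patch and that 'uname -p' reports sparc or i386; the patch, path and file names are those given in the alert.

```shell
#!/bin/sh
# Exposure check for Sun Alert 239312 (Tomcat 4.0 on Solaris 9/10).
# Added example, not from Sun or CERT-Renater. Assumes 'showrev -p' prints
# "Patch: <id>-<rev> ..." lines and 'uname -p' prints sparc or i386.

# has_patch <id> <min-rev>: reads 'showrev -p' output on stdin; succeeds if
# patch <id> is installed at revision <min-rev> or later (e.g. 122911 12).
has_patch() {
    awk -v want="$1" -v minrev="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == want && p[2] + 0 >= minrev + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# tomcat40_running: reads 'ps -ef' output on stdin. The 4.0 tree is
# /usr/apache/tomcat, so the patched tomcat55 tree does not match; the
# bracketed first character stops the grep process matching itself.
tomcat40_running() {
    grep -q '[u]sr/apache/tomcat/bin'
}

# expected_tomcat <root>: which container the Apache 1.3 start-up launches
# per Note 3, evaluated against files under <root> ("" for the live host).
expected_tomcat() {
    root="$1"
    grep -q '^[[:space:]]*Include[[:space:]].*tomcat\.conf' \
        "$root/etc/apache/httpd.conf" 2>/dev/null || { echo none; return 0; }
    if   [ -f "$root/var/apache/tomcat55/conf/server.xml" ]; then echo tomcat55
    elif [ -f "$root/var/apache/tomcat/conf/server.xml" ];   then echo tomcat40
    else echo none; fi
}

# required_patch <arch>: patch id from section 5 for sparc or i386.
required_patch() {
    case "$1" in sparc) echo 122911 ;; i386) echo 122912 ;; *) return 1 ;; esac
}

# Live run on a Solaris 10 host: sh check_tomcat.sh --check
if [ "${1:-}" = "--check" ]; then
    id=$(required_patch "$(uname -p)") || { echo "unknown platform"; exit 2; }
    showrev -p | has_patch "$id" 12 && echo "patch $id-12 present" || echo "patch $id-12 MISSING"
    ps -ef | tomcat40_running && echo "Tomcat 4.0 is RUNNING" || echo "Tomcat 4.0 not running"
    echo "Apache 1.3 will start: $(expected_tomcat "")"
fi
```

A host that reports the patch present but still starts tomcat40 has not completed the migration in Note 1, and remains exposed until the 4.0 server.xml is removed.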
Note 5: Some of the vulnerabilities mentioned may require some amount of
reconfiguration or other mitigation in order to fully avoid exposure. See the
advisory published by the Apache organization for further details about each
vulnerability: http://tomcat.apache.org/security-4.html

For more information on Security Sun Alerts, see Technical Instruction
ID 213557: http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an
agreement, the Sun.com Terms of Use. This Sun Alert notification may only be
used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.
======================================================================
=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER              | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital       | fax  : 01-53-94-20-41 +
+ 75013 Paris               | email: certsvp@renater.fr +
=========================================================