[tomcat7] 03/03: Fixed CVE-2016-8735: Remote Code Execution
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Fri Dec 9 00:34:48 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch jessie
in repository tomcat7.
commit ca577e895d14937c63f5ca7424c99f4c83cefb8d
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Fri Dec 9 00:46:49 2016 +0100
Fixed CVE-2016-8735: Remote Code Execution
---
debian/changelog | 7 +++++++
debian/patches/CVE-2016-8735.patch | 30 ++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 38 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a681196..103038b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,13 @@ tomcat7 (7.0.56-3+deb8u6) UNRELEASED; urgency=medium
interpretation, to inject data into the HTTP response. By manipulating the
HTTP response the attacker could poison a web-cache, perform an XSS attack
and/or obtain sensitive information from requests other then their own.
+ * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
+ account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
+ using this listener remained vulnerable to a similar remote code execution
+ vulnerability. This issue has been rated as important rather than critical
+ due to the small number of installations using this listener and that it
+ would be highly unusual for the JMX ports to be accessible to an attacker
+ even when the listener is used.
* Backported the fix for upstream bug 57377: Remove the restriction that
prevented the use of SSL when specifying a bind address for the JMX/RMI
server. Enable SSL to be configured for the registry as well as the server.
diff --git a/debian/patches/CVE-2016-8735.patch b/debian/patches/CVE-2016-8735.patch
new file mode 100644
index 0000000..f9c4b10
--- /dev/null
+++ b/debian/patches/CVE-2016-8735.patch
@@ -0,0 +1,30 @@
+Description: Fixes CVE-2016-8735: The JmxRemoteLifecycleListener was not updated
+ to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
+ using this listener remained vulnerable to a similar remote code execution
+ vulnerability. This issue has been rated as important rather than critical due
+ to the small number of installations using this listener and that it would be
+ highly unusual for the JMX ports to be accessible to an attacker even when the
+ listener is used.
+Origin: backport, https://svn.apache.org/r1767676
+--- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
++++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
+@@ -264,6 +264,10 @@
+ serverCsf = new RmiClientLocalhostSocketFactory(serverCsf);
+ }
+
++ env.put("jmx.remote.rmi.server.credential.types", new String[] {
++ String[].class.getName(),
++ String.class.getName() });
++
+ // Populate the env properties used to create the server
+ if (serverCsf != null) {
+ env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, serverCsf);
+@@ -328,7 +332,7 @@
+ cs = new RMIConnectorServer(serviceUrl, theEnv, server,
+ ManagementFactory.getPlatformMBeanServer());
+ cs.start();
+- registry.bind("jmxrmi", server);
++ registry.bind("jmxrmi", server.toStub());
+ log.info(sm.getString("jmxRemoteLifecycleListener.start",
+ Integer.toString(theRmiRegistryPort),
+ Integer.toString(theRmiServerPort), serverName));
diff --git a/debian/patches/series b/debian/patches/series
index 26401e9..26a94e4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -36,3 +36,4 @@ CVE-2016-6796.patch
CVE-2016-6797.patch
CVE-2016-6816.patch
BZ-57377.patch
+CVE-2016-8735.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git
More information about the pkg-java-commits
mailing list