Bug#864447: tomcat8: CVE-2017-5664: Security constrained bypass in error page mechanism

Salvatore Bonaccorso carnil at debian.org
Thu Jun 8 18:49:16 UTC 2017


Source: tomcat8
Version: 8.5.14-1
Severity: important
Tags: security patch upstream
Control: found -1 8.0.14-1

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5664[0]:
| The error page mechanism of the Java Servlet Specification requires
| that, when an error occurs and an error page is configured for the
| error that occurred, the original request and response are forwarded
| to the error page. This means that the request is presented to the
| error page with the original HTTP method. If the error page is a
| static file, expected behaviour is to serve content of the file as if
| processing a GET request, regardless of the actual HTTP method. The
| Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
| 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this.
| Depending on the original request this could lead to unexpected and
| undesirable results for static error pages including, if the
| DefaultServlet is configured to permit writes, the replacement or
| removal of the custom error page. Notes for other user provided error
| pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
| method. JSPs used as error pages must ensure that they handle any
| error dispatch as a GET request, regardless of the actual method. (2)
| By default, the response generated by a Servlet does depend on the
| HTTP method. Custom Servlets used as error pages must ensure that they
| handle any error dispatch as a GET request, regardless of the actual
| method.

The security-tracker page[0] also contains the commits for the 7.0.x,
8.0.x and 8.5.x branches.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Regards,
salvatore
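Note (2) of the CVE text above, as an added example that is not part of the bug report or of Tomcat itself: a custom error-page servlet that handles an error dispatch as a GET regardless of the original HTTP method. The servlet class name and the `/error` mapping are assumptions; the container attribute names are the standard `javax.servlet.error.*` ones.

```java
import javax.servlet.DispatcherType;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

// Assumed mapping: <error-page><location>/error</location></error-page> in web.xml.
@WebServlet("/error")
public class SafeErrorPageServlet extends HttpServlet {

    // Override service() rather than doGet(): HttpServlet's default service()
    // would route a forwarded PUT to doPut(), a DELETE to doDelete() and so on,
    // which is exactly the method-dependent behaviour note (2) warns about.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            // Error dispatch: the container forwarded the original request, so
            // req.getMethod() may be anything. Render as a GET, change nothing.
            renderErrorPage(req, resp);
            return;
        }
        // Direct (non-error) access to the page: only GET/HEAD make sense.
        String method = req.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            renderErrorPage(req, resp);
        } else {
            resp.setHeader("Allow", "GET, HEAD");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }

    private void renderErrorPage(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container supplies the status code during an error dispatch;
        // keep it rather than resetting the response to 200.
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<html><body><h1>Error " + (status == null ? "" : status) + "</h1>");
            // Deliberately does not echo the request URI or message: they are
            // attacker-controlled and would need escaping before output.
            out.println("<p>The request could not be completed.</p></body></html>");
        }
    }
}
```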