Vigil@nce: Tomcat, three vulnerabilities of deployment
February 2010 by Vigil@nce
Three vulnerabilities of the deployment/undeployment feature of
Tomcat can be used by an attacker to create or delete files.
– Severity: 2/4
– Consequences: data creation/edition, data deletion, denial of
service of service
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 3
– Creation date: 25/01/2010
IMPACTED PRODUCTS
– Apache Tomcat
DESCRIPTION OF THE VULNERABILITY
Three vulnerabilities were announced in the
deployment/undeployment feature of Tomcat.
A malicious WAR file can contain "../..", in order to overwrite a
file outside the root, when it is deployed. [grav:2/4; BID-37944,
CVE-2009-2693, ERR-2009-3548]
When the autoDeploy is set (default case), if the undeployment
fails, files are left with invalid security constraints.
[grav:1/4; BID-37942, CVE-2009-2901]
When a WAR archive is named "...war", its deployment deletes files
of running applications (in directories work/engine_name/host_name).
[grav:2/4; BID-37945, CVE-2009-2902]
CHARACTERISTICS
– Identifiers: BID-37942, BID-37944, BID-37945, CVE-2009-2693,
CVE-2009-2901, CVE-2009-2902, ERR-2009-3548, VIGILANCE-VUL-9379
– Url: http://vigilance.fr/vulnerability/Tomcat-three-vulnerabilities-of-deployment-9379