[manjaro-security] [arch-security] [ASA-201706-7] tomcat8: access restriction bypass

Remi Gacogne rgacogne at archlinux.org
Tue Jun 6 14:28:26 CEST 2017

Arch Linux Security Advisory ASA-201706-7

Severity: High
Date    : 2017-06-06
CVE-ID  : CVE-2017-5664
Package : tomcat8
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-291


The package tomcat8 before version 8.0.44-1 is vulnerable to access
restriction bypass.


Upgrade to 8.0.44-1.

# pacman -Syu "tomcat8>=8.0.44-1"

The problem has been fixed upstream in version 8.0.44.




A security issue has been found in Apache Tomcat < 7.0.18 and < 8.0.44.
The error page mechanism of the Java Servlet Specification requires
that, when an error occurs and an error page is configured for the
error that occurred, the original request and response are forwarded to
the error page. This means that the request is presented to the error
page with the original HTTP method. If the error page is a static file,
expected behaviour is to serve the content of the file as if processing
a GET request, regardless of the actual HTTP method. Tomcat's Default
Servlet did not do this. Depending on the original request this could
lead to unexpected and undesirable results for static error pages
including, if the DefaultServlet is configured to permit writes, the
replacement or removal of the custom error page.


A remote attacker can alter, replace or remove the custom error page of
an affected server by sending an HTTP request with a specific method.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20170606/9d4d244b/attachment.sig>

More information about the manjaro-security mailing list