[Bug 350653] New: VUL-0: tomcat: too lax access restrictions
https://bugzilla.novell.com/show_bug.cgi?id=350653

Summary: VUL-0: tomcat: too lax access restrictions
Product: openSUSE 10.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Java
AssignedTo: bnc-team-java@forge.provo.novell.com
ReportedBy: meissner@novell.com
QAContact: qa@suse.de
Found By: ---

bug is public

CVE-2007-5342: Tomcat's default security policy is too open

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
The JULI logging component allows web applications to provide their own logging configurations. The default security policy does not restrict this configuration and allows an untrusted web application to add files or overwrite existing files where the Tomcat process has the necessary file permissions to do so.

Mitigation:
Apply the following patch to the catalina.policy file
http://svn.apache.org/viewvc?rev=606594&view=rev
The patch will be included in 5.5.25 onwards and 6.0.16 onwards
This patch is also included at the end of this announcement

Example:
An application could have its own WEB-INF/classes/logging.properties

    handlers = org.apache.juli.FileHandler
    org.apache.juli.FileHandler.level = FINE
    org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    org.apache.juli.FileHandler.prefix = mylog.

Credit:
This issue was discovered by Delian Krustev.

References:
http://tomcat.apache.org/security.html

Mark Thomas
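An audit for the condition the advisory describes, as an added example that is not part of the original report or of Tomcat: it lists every JULI FileHandler directory that a deployed web application sets through its own WEB-INF/classes/logging.properties and that falls outside an allow-list. The function names, the webapps/ layout under CATALINA_BASE and the allow-list are assumptions; the sample input is the advisory's own example.

```python
import re
import tempfile
from pathlib import Path

# The logging.properties from the advisory's example, as a webapp would ship it.
SAMPLE = """\
handlers = org.apache.juli.FileHandler
org.apache.juli.FileHandler.level = FINE
org.apache.juli.FileHandler.directory = ${catalina.base}/logs
org.apache.juli.FileHandler.prefix = mylog.
"""

def parse_properties(text):
    """Minimal .properties parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            if m:
                props[m.group(1)] = m.group(2)
    return props

def audit_webapp_logging(catalina_base, allowed_dirs):
    """List FileHandler targets set by webapps that fall outside allowed_dirs."""
    base = Path(catalina_base).resolve()
    allowed = [Path(d).resolve() for d in allowed_dirs]
    findings = []
    for cfg in sorted(base.glob("webapps/*/WEB-INF/classes/logging.properties")):
        props = parse_properties(cfg.read_text(errors="replace"))
        for key, value in props.items():
            if not key.endswith("FileHandler.directory"):
                continue
            handler = key[: -len(".directory")]
            # Assumption: only ${catalina.base} is expanded; relative paths
            # are taken relative to catalina_base.
            target = (base / value.replace("${catalina.base}", str(base))).resolve()
            if not any(target == a or a in target.parents for a in allowed):
                findings.append((cfg.relative_to(base).as_posix(), handler,
                                 str(target), props.get(handler + ".prefix", "")))
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed CATALINA_BASE
        cfg = Path(tmp, "webapps/demo/WEB-INF/classes/logging.properties")
        cfg.parent.mkdir(parents=True)
        cfg.write_text(SAMPLE)
        for finding in audit_webapp_logging(tmp, [Path(tmp, "work")]):
            print(*finding, sep="\t")
```

Each finding is the properties file, the handler name, the resolved directory and the file prefix, which together show where that application's log files would be created.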
User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=350653#c1
Marcus Meissner
User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=350653#c2
--- Comment #2 from Marcus Meissner
Michal Vyskocil
User mvyskocil@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=350653#c3
--- Comment #3 from Michal Vyskocil
User mvyskocil@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=350653#c4
--- Comment #4 from Michal Vyskocil
Ludwig Nussel
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=350653#c5
--- Comment #5 from Ludwig Nussel
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=350653#c6
Ludwig Nussel