Project: JBoss Enterprise Application Platform 4 and 5
Issue: JBPAPP-5148

JBCOMMON-115: CVE-2009-2693 tomcat: unexpected file deletion and/or alteration


    • Type: Task
    • Resolution: Done
    • Priority: Blocker
    • EAP_EWP 5.1.2 ER1
    • EAP_EWP 5.1.0
    • Other
    • None
    • Release Notes
      SHORT DESCRIPTION:
              Provide fix for JBCOMMON-115.
      LONG DESCRIPTION:
              Patch for CVE-2009-2693.
      MANUAL INSTALL INSTRUCTIONS:
              Replace the existing %JBOSS_HOME%/lib/jboss-common-core.jar with the new jboss-common-core.jar
      COMPATIBILITY:
             5.1.0
      SUPERSEDES:
              N/A
      CREATOR:
              Mike Millson
      DATE:
              30-September-2010
      Deployment file names were not previously checked for legal paths. Poorly-constructed file names could cause unexpected file deletions or alterations. The deployment files are now checked for legal paths, and an exception is thrown if an illegal path is used.
    • Documented as Resolved Issue

      CVE-2009-2693 tomcat: unexpected file deletion and/or alteration

      This was tested on EAP 5.1.0 CR3.5 and was not fixed. Creating a JIRA to address in the next release.

          • CVE-2009-2693 tomcat: unexpected file deletion and/or alteration
            NOT FIXED
            Deploy JBPAPP-3848-01.war from JBPAPP-3848 and then check the content of run.sh/run.bat.
            Files can still be replaced or created outside of the deploy directory.

      From Mike Millson:
      EAP 5.1.0 CR3.5 includes common core 2.2.16.GA[1]:
      <version.org.jboss.common.core>2.2.16.GA</version.org.jboss.common.core>
      The fix that was added to the EAP 4.2/4.3 commons CP branch[2] does not appear to have made it into common-core for EAP 5, at least I don't see it in trunk[3].
      References:
      [1]http://anonsvn.jboss.org/repos/jbossas/tags/JBPAPP_5_1_0_CR3.5/component-matrix/pom.xml
      [2]http://fisheye.jboss.org/browse/JBossCommon/common-old/branches/JBossCommon_1_2_1_GA_CP/src/main/org/jboss/util/file/JarUtils.java?r1=4240&r2=4241
      [3]http://fisheye.jboss.org/browse/JBossCommon/common-core/trunk/src/main/java/org/jboss/util/file/JarUtils.java

      From Marc:
      Hi, this is a low-severity bug[1], as it mainly affects installations where you cannot per se trust the deployed apps (cloud, shared hosting).
      The correct revision fixing this issue is 1384 of 2.1.x JBossWeb branch [2].
      [1] http://tomcat.apache.org/security-6.html
      [2] http://intranet.corp.redhat.com/ic/intranet/JBossWebCVE.html
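The release note above states the fix only in general terms: deployment entry names are now checked for legal paths before extraction, and an exception is thrown for an illegal one. The following is an added illustration of that kind of check when unpacking a WAR, not the JBoss common-core JarUtils code itself; the class and the `safeTarget`/`unjar` names are hypothetical. It canonicalises the destination directory and refuses any entry (for example one containing `../` segments) whose canonical target would land outside it, before a single byte is written.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnjar {

    /**
     * Resolve an archive entry name under destDir and reject it when the
     * canonical result escapes destDir (e.g. "../../bin/run.sh").
     * Hypothetical helper illustrating the check described in the release note.
     */
    static File safeTarget(File destDir, String entryName) throws IOException {
        File base = destDir.getCanonicalFile();
        // File(parent, child) relativises an absolute child, so only ".." can escape,
        // and getCanonicalFile() collapses those segments for a reliable comparison.
        File target = new File(base, entryName).getCanonicalFile();
        // Compare against base + separator so a sibling "deploy2" is not mistaken for "deploy".
        if (!target.equals(base)
                && !target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("Illegal path in archive entry: " + entryName);
        }
        return target;
    }

    /** Extract a WAR/JAR stream into destDir, validating every entry before writing it. */
    static void unjar(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = safeTarget(destDir, entry.getName()); // throws on illegal paths
                if (entry.isDirectory()) {
                    if (!target.isDirectory() && !target.mkdirs()) {
                        throw new IOException("Cannot create directory: " + target);
                    }
                    continue;
                }
                File parent = target.getParentFile();
                if (!parent.isDirectory() && !parent.mkdirs()) {
                    throw new IOException("Cannot create directory: " + parent);
                }
                try (FileOutputStream out = new FileOutputStream(target)) {
                    zis.transferTo(out); // InputStream.transferTo is Java 9+
                }
            }
        }
    }
}
```

Because the check runs on every entry before its content is written, a malformed archive fails the deployment as a whole rather than leaving a partially extracted tree behind.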

              pskopek@redhat.com Peter Skopek
              rrajasek@redhat.com Rajesh Rajasekaran
              Misty Stanley-Jones Misty Stanley-Jones (Inactive)