Message from the Apache website:
CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions
Severity: Low
Vendor: The Apache Software Foundation
Affected versions (oschina currently uses 7.0.6):
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.?
- Tomcat 5.5.0 to 5.5.?
- Earlier, unsupported versions may also be affected
Vulnerability description:
When running under a SecurityManager, access to the file system is
limited, but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files,
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContext
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system, of which a malicious web
application may then take advantage.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.
Example (ASL licensed):
Listener source
---------------
package listeners;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

public final class FooListener implements ServletContextListener {

    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        // Read the work directory attribute that should have been read-only
        java.io.File workdir = (java.io.File) context
                .getAttribute("javax.servlet.context.tempdir");
        if (workdir.toString().indexOf("..") < 0) {
            // Redirect the attribute before Tomcat applies file permissions
            context.setAttribute("javax.servlet.context.tempdir",
                    new java.io.File(workdir, "../conf"));
        }
    }

    public void contextDestroyed(ServletContextEvent event) {
    }
}

web.xml snippet
---------------
<listener>
    <listener-class>listeners.FooListener</listener-class>
</listener>
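A defender-side counterpart to the listener above, added here as an illustration and not part of the Apache advisory or the Tomcat code base: a hypothetical audit listener (TempDirAuditListener and its isUnder helper are assumed names) that canonicalizes the tempdir attribute and refuses to start the context if it no longer resolves beneath CATALINA_BASE/work, which is exactly where the "../conf" redirection would be caught. It assumes the catalina.base system property that Tomcat sets to its instance root.

```java
package listeners;

import java.io.File;
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/** Hypothetical audit listener: aborts context start-up if the work
 *  directory attribute has been redirected outside CATALINA_BASE/work. */
public final class TempDirAuditListener implements ServletContextListener {

    // Servlet specification attribute name, as used by the advisory's example
    static final String TEMPDIR = "javax.servlet.context.tempdir";

    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        File workdir = (File) context.getAttribute(TEMPDIR);
        // catalina.base is the system property Tomcat sets to its instance root
        File expectedRoot = new File(System.getProperty("catalina.base"), "work");
        if (workdir == null || !isUnder(expectedRoot, workdir)) {
            // Log the anomaly and refuse to start rather than use the redirected path
            context.log(TEMPDIR + " resolves outside " + expectedRoot + ": " + workdir);
            throw new IllegalStateException(TEMPDIR + " has been tampered with");
        }
    }

    public void contextDestroyed(ServletContextEvent event) {
    }

    /** True if candidate's canonical path equals root or lies below it.
     *  Canonical paths resolve "..", so new File(workdir, "../conf")
     *  is rejected even though its textual prefix matches the work dir. */
    static boolean isUnder(File root, File candidate) {
        try {
            String rootPath = root.getCanonicalPath();
            String candPath = candidate.getCanonicalPath();
            return candPath.equals(rootPath)
                    || candPath.startsWith(rootPath + File.separator);
        } catch (IOException e) {
            // Treat an unresolvable path as untrusted
            return false;
        }
    }
}
```

The check only observes the attribute at the moment this listener runs, so it is a detection aid for hosts inspecting tenant applications, not a replacement for the upgrade below.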
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy all web applications from untrusted sources
Credit:
The issue was identified by the Tomcat security team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html