Top 5 Tomcat Vulnerabilities

Those who spend time monitoring and patching open source projects will be quite aware that Tomcat has some vulnerabilities.


Today, at the Nexus User Conference, we’ll be running down the top five of those vulnerabilities.

Constraint Bypass

Let’s first discuss constraint bypass.

With this vulnerability, a small window exists in which a URL that should be protected is reachable. In the demo for this presentation there was a simple account service, reachable through the “/account” URL, along with a “/account/withdrawal” URL that removes money from the account.

Even though Servlet Security constraints are applied to the /account URL, if /account/withdrawal is invoked first, the request bypasses those constraints.

To demonstrate, Jonathan Gallimore of Tomitribe showed a simple account screen where a user could withdraw money from an account.


Jonathan also ran curl against the /account/withdrawal endpoint, and instead of the expected 401 error he received HTML. That indicates the security constraint was bypassed and the request reached a screen that the Servlet Security code should have blocked.

This was fixed in later patches, so check your Tomcat versions to make sure you’re protected from this particular vulnerability.

Denial of Service

With the denial of service vulnerability, a single HTTP/2 request can send Tomcat into an infinite loop.

For example, Jonathan executed a curl GET request with a large header field containing arbitrary text. When he submitted the request, it appeared to hang and never received a response. In the console, you could see Tomcat stuck in an infinite loop that could bring your system down.


This can happen whenever HTTP/2 is enabled with Tomcat 8.5.x and 9.x, though it was fixed in 8.5.8 and 9.0.0.M13.
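As an added example (not from the post and not Tomcat's own tooling), here is a Python check that combines the two conditions the post gives for this bug: the Tomcat version is 8.5.x before 8.5.8 or 9.x before 9.0.0.M13, and HTTP/2 is enabled. The server.xml fragments are constructed, and the check assumes HTTP/2 is switched on through an `UpgradeProtocol` element with className `org.apache.coyote.http2.Http2Protocol` inside a Connector.

```python
import re
import xml.etree.ElementTree as ET

# Milestone builds sort before the final release of the same number
# (9.0.0.M13 < 9.0.0), so milestones keep their ordinal and finals get a sentinel.
FINAL = 10**6
# Fix levels stated in the post: 8.5.8 on the 8.5 branch, 9.0.0.M13 on the 9 branch.
FIXED_8_5 = (8, 5, 8, FINAL)
FIXED_9 = (9, 0, 0, 13)
HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"

def parse_tomcat_version(version):
    """Turn '8.5.7' or '9.0.0.M12' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else FINAL)

def version_lacks_http2_fix(version):
    """True for 8.5.x before 8.5.8 and 9.x before 9.0.0.M13 (the branches the post names)."""
    v = parse_tomcat_version(version)
    if v[:2] == (8, 5):
        return v < FIXED_8_5
    if v[0] == 9:
        return v < FIXED_9
    return False  # the post scopes the bug to 8.5.x and 9.x only

def http2_enabled(server_xml):
    """True if any Connector in server.xml declares the HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return any(up.get("className") == HTTP2_UPGRADE_CLASS
               for connector in root.iter("Connector")
               for up in connector.findall("UpgradeProtocol"))

def exposed_to_http2_dos(version, server_xml):
    """Exposed only when an unfixed version also has HTTP/2 switched on."""
    return version_lacks_http2_fix(version) and http2_enabled(server_xml)

# Constructed sample server.xml fragments (not from any real deployment).
SERVER_XML_HTTP2 = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector></Service></Server>"""
SERVER_XML_HTTP1 = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/></Service></Server>"""

if __name__ == "__main__":
    for ver in ("8.5.7", "8.5.8", "9.0.0.M12", "9.0.0.M13", "9.0.1"):
        print(ver, "exposed" if exposed_to_http2_dos(ver, SERVER_XML_HTTP2) else "ok")
```

Point `exposed_to_http2_dos` at the version string from your Tomcat build and the contents of its conf/server.xml to get a yes/no answer per instance.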

Remote Code (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sylvia Fronczak. Read the original post at: