Mark Koek–February 22, 2016

Information disclosure vulnerability in Apache Tomcat

On a pentest for a client we discovered a way to obtain information about a web application’s internal structure from the network. We reported the issue to the vendor and a fix was released. The following security advisory details the vulnerability and how to resolve it.

CVE reference:	CVE-2015-5345
CVSS score:	5.1 (medium)
CVSS vector:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C

Affected systems

Apache Tomcat 9.0.0.M1
Apache Tomcat 8.0.0 to 8.0.29
Apache Tomcat 7.0.0 to 7.0.67
Apache Tomcat 6.0.0 to 6.0.44
Status of older (unsupported) versions of Apache Tomcat is unknown

Overview

Because the Apache Tomcat application server responds to HTTP requests for directories with a redirect (appending a trailing slash) if the directory exists in the application’s .war file, remote unauthenticated users could detect the presence of an application, and map out the internal structure of the application using a dictionary attack.

Impact

The impact of this issue is limited. The presence of a web application can be detected, and the use of Java can be detected even if identifying headers have been disabled (by trying to request the WEB-INF directory). Also, an attacker can determine if a certain string is a valid directory name in the application’s .war file.

Solution

Upgrade your Apache Tomcat installation to at least version 9.0.0.M3, 8.0.30, 7.0.68 or 6.0.45.

Note that two new configuration directives were introduced in these versions of Apache Tomcat, one to re-enable Tomcat identifying directories (mapperDirectoryRedirectEnabled, off by default), and one to enable the web application presence identifying behaviour (mapperContextRootRedirectEnabled, on by default because switching it off might cause issues with existing web applications).

So to completely solve this issue, update Apache Tomcat and switch off mapperContextRootRedirectEnabled for any web applications that you wish to be undetectable by unauthenticated visitors.

Note (2) that earlier minor versions of Apache 6, 7, and 8 released after October 2015 may also be not vulnerable to this issue as fixes were introduced but re-engineered in the current versions due to regression issues. Update to at least one of the versions listed above to be sure of having the fix as described.

Note (3) that the issue is only fixed for directories that have a <security-constraint> defined for them (such as WEB-INF/). For regular directories the redirection is not disabled.

Technical details

When a request is received for a non-existent resource, Tomcat responds with a response code of 404 as normal. However if there is a directory in the application’s .war file corresponding to the requested name, Tomcat responds with a 302 redirect, adding a trailing slash to the request (which only then yields the 404).

For example:

Requested URL:	http://server/does-not-exist
HTTP response:	HTTP/1.1 404 Not Found

Requested URL:	http://server/WEB-INF
HTTP response:	HTTP/1.1 302 Found Location: http://server/WEB-INF/

Requested URL:	http://server/WEB-INF/
HTTP response:	HTTP/1.1 404 Not Found

Responsible disclosure timeline

12-Oct-2015: reported to the Apache Tomcat Security Team
13-Oct-2015: report acknowledged
21-Oct-2015: confirmed as a low-risk security issue and informed that it would be fixed
19-Nov-2015: CVE assigned and fix committed
Dec-2015: initial updates released for Tomcat 6, 7, 8, and 9. Because a regression occurred for some users the announcement was postponed until new versions were available with the fix as an optional configuration parameter (see above).
08-Feb-2016: Apache Tomcat 9.0.0.M3 released
10-Feb-2016: Apache Tomcat 8.0.32 released
12-Feb-2016: Apache Tomcat 6.0.45 released
18-Feb-2016: Apache Tomcat 7.0.68 released
22-Feb-2016: announcement released, this document published