Resolves: #2210630 CVE-2023-28709 tomcat

Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
This commit is contained in:
Hui Wang 2023-08-18 18:37:34 +08:00
parent f2eb7721df
commit bea4f83bae
6 changed files with 51 additions and 378 deletions

1
.gitignore vendored
View File

@ -1 +1,2 @@
/apache-tomcat-9.0.62-src.tar.gz
/tomcat-9.0.62.redhat-00013.tar.gz

View File

@ -0,0 +1,40 @@
diff --git a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
index f62f8d1..db19960 100644
--- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
+++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
@@ -611,34 +611,28 @@ public class JmxRemoteLifecycleListener extends SSLHostConfig implements Lifecyc
* Better to use the internal API than re-invent the wheel.
*/
@SuppressWarnings("restriction")
- private static class JmxRegistry extends sun.rmi.registry.RegistryImpl {
+ private static class JmxRegistry {
private static final long serialVersionUID = -3772054804656428217L;
private final String jmxName;
private final Remote jmxServer;
public JmxRegistry(int port, RMIClientSocketFactory csf,
RMIServerSocketFactory ssf, String jmxName, Remote jmxServer) throws RemoteException {
- super(port, csf, ssf);
this.jmxName = jmxName;
this.jmxServer = jmxServer;
}
- @Override
public Remote lookup(String name)
throws RemoteException, NotBoundException {
return (jmxName.equals(name)) ? jmxServer : null;
}
- @Override
public void bind(String name, Remote obj)
throws RemoteException, AlreadyBoundException, AccessException {
}
- @Override
public void unbind(String name)
throws RemoteException, NotBoundException, AccessException {
}
- @Override
public void rebind(String name, Remote obj)
throws RemoteException, AccessException {
}
- @Override
public String[] list() throws RemoteException {
return new String[] { jmxName };
}

View File

@ -1 +1 @@
SHA512 (apache-tomcat-9.0.62-src.tar.gz) = 7e9cad2703473d9f096009c464b28d54d3765259fab1923ef8c9b1cbfa231fa51cedadfe771a3a95abffd258759a71023e036bda78b949440a5e826fbd4e9e09
SHA512 (tomcat-9.0.62.redhat-00013.tar.gz) = f2fd99557bbdfff2811518c7ee25a699df8594371421780de04e378d73730e4f942b725156a4a96056e9782780af578ed6f9360983514598d13d2deaba209264

View File

@ -1,24 +0,0 @@
diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java ./java/org/apache/jasper/compiler/JDTCompiler.java
index 2e361f2..277d8f4 100644
--- java/org/apache/jasper/compiler/JDTCompiler.java
+++ java/org/apache/jasper/compiler/JDTCompiler.java
@@ -310,7 +310,7 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
} else if(opt.equals("15")) {
settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
+ settings.put(CompilerOptions.OPTION_Source, "16");
} else if(opt.equals("17")) {
// Constant not available in latest ECJ version that runs on
// Java 8.
@@ -377,8 +377,8 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
+ settings.put(CompilerOptions.OPTION_Compliance, "16");
} else if(opt.equals("17")) {
// Constant not available in latest ECJ version that runs on
// Java 8.

View File

@ -1,345 +0,0 @@
diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 8746b6b..dc878c6 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -1820,41 +1820,13 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
// shutting down the executor
boolean usingExecutor = false;
try {
-
- // Runnable wrapped by Thread
- // "target" in Sun/Oracle JDK
- // "runnable" in IBM JDK
- // "action" in Apache Harmony
- Object target = null;
- for (String fieldName : new String[] { "target", "runnable", "action" }) {
- try {
- Field targetField = thread.getClass().getDeclaredField(fieldName);
- targetField.setAccessible(true);
- target = targetField.get(thread);
- break;
- } catch (NoSuchFieldException nfe) {
- continue;
- }
- }
-
- // "java.util.concurrent" code is in public domain,
- // so all implementations are similar including our
- // internal fork.
- if (target != null && target.getClass().getCanonicalName() != null &&
- (target.getClass().getCanonicalName().equals(
- "org.apache.tomcat.util.threads.ThreadPoolExecutor.Worker") ||
- target.getClass().getCanonicalName().equals(
- "java.util.concurrent.ThreadPoolExecutor.Worker"))) {
- Field executorField = target.getClass().getDeclaredField("this$0");
- executorField.setAccessible(true);
- Object executor = executorField.get(target);
- if (executor instanceof ThreadPoolExecutor) {
- ((ThreadPoolExecutor) executor).shutdownNow();
- usingExecutor = true;
- } else if (executor instanceof java.util.concurrent.ThreadPoolExecutor) {
- ((java.util.concurrent.ThreadPoolExecutor) executor).shutdownNow();
- usingExecutor = true;
- }
+ Object executor = JreCompat.getInstance().getExecutor(thread);
+ if (executor instanceof ThreadPoolExecutor) {
+ ((ThreadPoolExecutor) executor).shutdownNow();
+ usingExecutor = true;
+ } else if (executor instanceof java.util.concurrent.ThreadPoolExecutor) {
+ ((java.util.concurrent.ThreadPoolExecutor) executor).shutdownNow();
+ usingExecutor = true;
}
} catch (NoSuchFieldException | IllegalAccessException | RuntimeException e) {
// InaccessibleObjectException is only available in Java 9+,
@@ -2306,6 +2278,12 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
private void clearReferencesObjectStreamClassCaches() {
+ if (JreCompat.isJre19Available()) {
+ // The memory leak this fixes has been fixed in Java 19 onwards,
+ // 17.0.4 onwards and 11.0.16 onwards
+ // See https://bugs.openjdk.java.net/browse/JDK-8277072
+ return;
+ }
try {
Class<?> clazz = Class.forName("java.io.ObjectStreamClass$Caches");
clearCache(clazz, "localDescs");
@@ -2333,14 +2311,19 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
throws ReflectiveOperationException, SecurityException, ClassCastException {
Field f = target.getDeclaredField(mapName);
f.setAccessible(true);
- Map<?,?> map = (Map<?,?>) f.get(null);
- Iterator<?> keys = map.keySet().iterator();
- while (keys.hasNext()) {
- Object key = keys.next();
- if (key instanceof Reference) {
- Object clazz = ((Reference<?>) key).get();
- if (loadedByThisOrChild(clazz)) {
- keys.remove();
+ Object map = f.get(null);
+ // Avoid trying to clear references if Tomcat is running on a JRE that
+ // includes the fix for this memory leak
+ // See https://bugs.openjdk.java.net/browse/JDK-8277072
+ if (map instanceof Map<?,?>) {
+ Iterator<?> keys = ((Map<?,?>) map).keySet().iterator();
+ while (keys.hasNext()) {
+ Object key = keys.next();
+ if (key instanceof Reference) {
+ Object clazz = ((Reference<?>) key).get();
+ if (loadedByThisOrChild(clazz)) {
+ keys.remove();
+ }
}
}
}
diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java b/java/org/apache/tomcat/util/compat/JreCompat.java
index 62df145..e5df728 100644
--- a/java/org/apache/tomcat/util/compat/JreCompat.java
+++ b/java/org/apache/tomcat/util/compat/JreCompat.java
@@ -19,6 +19,7 @@ package org.apache.tomcat.util.compat;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.AccessibleObject;
+import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.SocketAddress;
@@ -45,6 +46,7 @@ public class JreCompat {
private static final JreCompat instance;
private static final boolean graalAvailable;
+ private static final boolean jre19Available;
private static final boolean jre16Available;
private static final boolean jre11Available;
private static final boolean jre9Available;
@@ -67,18 +69,26 @@ public class JreCompat {
// This is Tomcat 9 with a minimum Java version of Java 8.
// Look for the highest supported JVM first
- if (Jre16Compat.isSupported()) {
+ if (Jre19Compat.isSupported()) {
+ instance = new Jre19Compat();
+ jre9Available = true;
+ jre16Available = true;
+ jre19Available = true;
+ } else if (Jre16Compat.isSupported()) {
instance = new Jre16Compat();
jre9Available = true;
jre16Available = true;
+ jre19Available = false;
} else if (Jre9Compat.isSupported()) {
instance = new Jre9Compat();
jre9Available = true;
jre16Available = false;
+ jre19Available = false;
} else {
instance = new JreCompat();
jre9Available = false;
jre16Available = false;
+ jre19Available = false;
}
jre11Available = instance.jarFileRuntimeMajorVersion() >= 11;
@@ -124,6 +134,9 @@ public class JreCompat {
return jre16Available;
}
+ public static boolean isJre19Available() {
+ return jre19Available;
+ }
// Java 8 implementation of Java 9 methods
@@ -303,6 +316,8 @@ public class JreCompat {
}
+ // Java 8 implementations of Java 16 methods
+
/**
* Return Unix domain socket address for given path.
* @param path The path
@@ -329,4 +344,63 @@ public class JreCompat {
public SocketChannel openUnixDomainSocketChannel() {
throw new UnsupportedOperationException(sm.getString("jreCompat.noUnixDomainSocket"));
}
+
+
+ // Java 8 implementations of Java 19 methods
+
+ /**
+ * Obtains the executor, if any, used to create the provided thread.
+ *
+ * @param thread The thread to examine
+ *
+ * @return The executor, if any, that created the provided thread
+ *
+ * @throws NoSuchFieldException
+ * If a field used via reflection to obtain the executor cannot
+ * be found
+ * @throws SecurityException
+ * If a security exception occurs while trying to identify the
+ * executor
+ * @throws IllegalArgumentException
+ * If the instance object does not match the class of the field
+ * when obtaining a field value via reflection
+ * @throws IllegalAccessException
+ * If a field is not accessible due to access restrictions
+ */
+ public Object getExecutor(Thread thread)
+ throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
+
+ Object result = null;
+
+ // Runnable wrapped by Thread
+ // "target" in Sun/Oracle JDK
+ // "runnable" in IBM JDK
+ // "action" in Apache Harmony
+ Object target = null;
+ for (String fieldName : new String[] { "target", "runnable", "action" }) {
+ try {
+ Field targetField = thread.getClass().getDeclaredField(fieldName);
+ targetField.setAccessible(true);
+ target = targetField.get(thread);
+ break;
+ } catch (NoSuchFieldException nfe) {
+ continue;
+ }
+ }
+
+ // "java.util.concurrent" code is in public domain,
+ // so all implementations are similar including our
+ // internal fork.
+ if (target != null && target.getClass().getCanonicalName() != null &&
+ (target.getClass().getCanonicalName().equals(
+ "org.apache.tomcat.util.threads.ThreadPoolExecutor.Worker") ||
+ target.getClass().getCanonicalName().equals(
+ "java.util.concurrent.ThreadPoolExecutor.Worker"))) {
+ Field executorField = target.getClass().getDeclaredField("this$0");
+ executorField.setAccessible(true);
+ result = executorField.get(target);
+ }
+
+ return result;
+ }
}
diff --git a/java/org/apache/tomcat/util/compat/LocalStrings.properties b/java/org/apache/tomcat/util/compat/LocalStrings.properties
index 79427da..c4c2f7d 100644
--- a/java/org/apache/tomcat/util/compat/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/compat/LocalStrings.properties
@@ -16,6 +16,8 @@
jre16Compat.javaPre16=Class not found so assuming code is running on a pre-Java 16 JVM
jre16Compat.unexpected=Failed to create references to Java 16 classes and methods
+jre19Compat.javaPre19=Class not found so assuming code is running on a pre-Java 19 JVM
+
jre9Compat.invalidModuleUri=The module URI provided [{0}] could not be converted to a URL for the JarScanner to process
jre9Compat.javaPre9=Class not found so assuming code is running on a pre-Java 9 JVM
jre9Compat.unexpected=Failed to create references to Java 9 classes and methods
diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
index d118196..42dfe38 100644
--- a/webapps/docs/config/context.xml
+++ b/webapps/docs/config/context.xml
@@ -769,7 +769,11 @@
therefore requires that the command line option
<code>-XaddExports:java.base/java.io=ALL-UNNAMED</code> is set
when running on Java 9 and above. If not specified, the default value of
- <code>true</code> will be used.</p>
+ <code>true</code> will be used.</p>
+ <p>The memory leak associated with <code>ObjectStreamClass</code> has
+ been fixed in Java 19 onwards, Java 17.0.4 onwards and Java 11.0.16
+ onwards. The check will be disabled when running on a version
+ of Java that contains the fix.</p>
</attribute>
<attribute name="clearReferencesRmiTargets" required="false">
diff --git a/java/org/apache/tomcat/util/compat/Jre19Compat.java b/java/org/apache/tomcat/util/compat/Jre19Compat.java
new file mode 100644
index 0000000000..fb94810b40
--- /dev/null
+++ b/java/org/apache/tomcat/util/compat/Jre19Compat.java
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+import java.lang.reflect.Field;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+public class Jre19Compat extends Jre16Compat {
+
+ private static final Log log = LogFactory.getLog(Jre19Compat.class);
+ private static final StringManager sm = StringManager.getManager(Jre19Compat.class);
+
+ private static final boolean supported;
+
+ static {
+ // Don't need any Java 19 specific classes (yet) so just test for one of
+ // the new ones for now.
+ Class<?> c1 = null;
+ try {
+ c1 = Class.forName("java.lang.WrongThreadException");
+ } catch (ClassNotFoundException cnfe) {
+ // Must be pre-Java 16
+ log.debug(sm.getString("jre19Compat.javaPre19"), cnfe);
+ }
+
+ supported = (c1 != null);
+ }
+
+ static boolean isSupported() {
+ return supported;
+ }
+
+ @Override
+ public Object getExecutor(Thread thread)
+ throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
+
+ Object result = super.getExecutor(thread);
+
+ if (result == null) {
+ Object holder = null;
+ Object task = null;
+ try {
+ Field holderField = thread.getClass().getDeclaredField("holder");
+ holderField.setAccessible(true);
+ holder = holderField.get(thread);
+
+ Field taskField = holder.getClass().getDeclaredField("task");
+ taskField.setAccessible(true);
+ task = taskField.get(holder);
+ } catch (NoSuchFieldException nfe) {
+ return null;
+ }
+
+ if (task!= null && task.getClass().getCanonicalName() != null &&
+ (task.getClass().getCanonicalName().equals(
+ "org.apache.tomcat.util.threads.ThreadPoolExecutor.Worker") ||
+ task.getClass().getCanonicalName().equals(
+ "java.util.concurrent.ThreadPoolExecutor.Worker"))) {
+ Field executorField = task.getClass().getDeclaredField("this$0");
+ executorField.setAccessible(true);
+ result = executorField.get(task);
+ }
+ }
+
+ return result;
+ }
+}

View File

@ -32,7 +32,7 @@
%global major_version 9
%global minor_version 0
%global micro_version 62
%global packdname apache-tomcat-%{version}-src
%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00013
%global servletspec 4.0
%global elspec 3.0
%global tcuid 53
@ -56,12 +56,12 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 9%{?dist}
Release: 10%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
URL: http://tomcat.apache.org/
Source0: http://www.apache.org/dist/tomcat/tomcat-%{major_version}/v%{version}/src/%{packdname}.tar.gz
Source0: %{packdname}.tar.gz
Source1: %{name}-%{major_version}.%{minor_version}.conf
Source3: %{name}-%{major_version}.%{minor_version}.sysconfig
Source4: %{name}-%{major_version}.%{minor_version}.wrapper
@ -80,11 +80,9 @@ Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
Patch2: %{name}-build.patch
Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
Patch4: rhbz-1857043.patch
Patch5: %{name}-%{major_version}.%{minor_version}-JDTCompiler.patch
# remove bnd dependency which version is too low on rhel8
Patch6: remove-bnd-annotation.patch
# The fixes for memory leak which have been fixed in 9.0.64, remove this patch in the next tomcat update
Patch7: %{name}-%{major_version}.%{minor_version}-memory-leak.patch
Patch7: JmxRemoteLifecycleListener.patch
Patch8: fix-malformed-dtd.patch
BuildArch: noarch
@ -230,7 +228,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch -P2 -p0
%patch -P3 -p0
%patch -P4 -p0
%patch -P5 -p0
%patch -P6 -p1
%patch -P7 -p1
%patch -P8 -p1
@ -271,7 +268,7 @@ touch HACK
deploy
# remove some jars that we'll replace with symlinks later
%{__rm} output/build/bin/commons-daemon.jar output/build/lib/ecj.jar
%{__rm} output/build/lib/ecj.jar
# Remove the example webapps per Apache Tomcat Security Considerations
# see https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
%{__rm} -rf output/build/webapps/examples
@ -599,6 +596,10 @@ fi
%changelog
* Fri Aug 18 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-10
- Resolves: #2210630 CVE-2023-28709 tomcat
- Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
* Thu Aug 17 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-9
- Resolves: #2184135 Add Obsoletes to tomcat package