From bea4f83bae4c9e01e3110b68aea2d26bd44fdafe Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Fri, 18 Aug 2023 18:37:34 +0800 Subject: [PATCH] Resolves: #2210630 CVE-2023-28709 tomcat Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure --- .gitignore | 1 + JmxRemoteLifecycleListener.patch | 40 ++++ sources | 2 +- tomcat-9.0-JDTCompiler.patch | 24 --- tomcat-9.0-memory-leak.patch | 345 ------------------------------- tomcat.spec | 17 +- 6 files changed, 51 insertions(+), 378 deletions(-) create mode 100644 JmxRemoteLifecycleListener.patch delete mode 100644 tomcat-9.0-JDTCompiler.patch delete mode 100644 tomcat-9.0-memory-leak.patch diff --git a/.gitignore b/.gitignore index 68ff86f..8a7306a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /apache-tomcat-9.0.62-src.tar.gz +/tomcat-9.0.62.redhat-00013.tar.gz diff --git a/JmxRemoteLifecycleListener.patch b/JmxRemoteLifecycleListener.patch new file mode 100644 index 0000000..3145a54 --- /dev/null +++ b/JmxRemoteLifecycleListener.patch @@ -0,0 +1,40 @@ +diff --git a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java +index f62f8d1..db19960 100644 +--- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java ++++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java +@@ -611,34 +611,28 @@ public class JmxRemoteLifecycleListener extends SSLHostConfig implements Lifecyc + * Better to use the internal API than re-invent the wheel. + */ + @SuppressWarnings("restriction") +- private static class JmxRegistry extends sun.rmi.registry.RegistryImpl { ++ private static class JmxRegistry { + private static final long serialVersionUID = -3772054804656428217L; + private final String jmxName; + private final Remote jmxServer; + public JmxRegistry(int port, RMIClientSocketFactory csf, + RMIServerSocketFactory ssf, String jmxName, Remote jmxServer) throws RemoteException { +- super(port, csf, ssf); + this.jmxName = jmxName; + this.jmxServer = jmxServer; + } +- @Override + public Remote lookup(String name) + throws RemoteException, NotBoundException { + return (jmxName.equals(name)) ? jmxServer : null; + } +- @Override + public void bind(String name, Remote obj) + throws RemoteException, AlreadyBoundException, AccessException { + } +- @Override + public void unbind(String name) + throws RemoteException, NotBoundException, AccessException { + } +- @Override + public void rebind(String name, Remote obj) + throws RemoteException, AccessException { + } +- @Override + public String[] list() throws RemoteException { + return new String[] { jmxName }; + } diff --git a/sources b/sources index 00563eb..6e3c3b4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (apache-tomcat-9.0.62-src.tar.gz) = 7e9cad2703473d9f096009c464b28d54d3765259fab1923ef8c9b1cbfa231fa51cedadfe771a3a95abffd258759a71023e036bda78b949440a5e826fbd4e9e09 +SHA512 (tomcat-9.0.62.redhat-00013.tar.gz) = f2fd99557bbdfff2811518c7ee25a699df8594371421780de04e378d73730e4f942b725156a4a96056e9782780af578ed6f9360983514598d13d2deaba209264 diff --git a/tomcat-9.0-JDTCompiler.patch b/tomcat-9.0-JDTCompiler.patch deleted file mode 100644 index edf156a..0000000 --- a/tomcat-9.0-JDTCompiler.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java ./java/org/apache/jasper/compiler/JDTCompiler.java -index 2e361f2..277d8f4 100644 ---- java/org/apache/jasper/compiler/JDTCompiler.java -+++ java/org/apache/jasper/compiler/JDTCompiler.java -@@ -310,7 +310,7 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler { - } else if(opt.equals("15")) { - settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15); - } else if(opt.equals("16")) { -- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16); -+ settings.put(CompilerOptions.OPTION_Source, "16"); - } else if(opt.equals("17")) { - // Constant not available in latest ECJ version that runs on - // Java 8. -@@ -377,8 +377,8 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler { - settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15); - settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15); - } else if(opt.equals("16")) { -- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16); -- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16); -+ settings.put(CompilerOptions.OPTION_TargetPlatform, "16"); -+ settings.put(CompilerOptions.OPTION_Compliance, "16"); - } else if(opt.equals("17")) { - // Constant not available in latest ECJ version that runs on - // Java 8. diff --git a/tomcat-9.0-memory-leak.patch b/tomcat-9.0-memory-leak.patch deleted file mode 100644 index 00e6e56..0000000 --- a/tomcat-9.0-memory-leak.patch +++ /dev/null @@ -1,345 +0,0 @@ -diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java -index 8746b6b..dc878c6 100644 ---- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java -+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java -@@ -1820,41 +1820,13 @@ public abstract class WebappClassLoaderBase extends URLClassLoader - // shutting down the executor - boolean usingExecutor = false; - try { -- -- // Runnable wrapped by Thread -- // "target" in Sun/Oracle JDK -- // "runnable" in IBM JDK -- // "action" in Apache Harmony -- Object target = null; -- for (String fieldName : new String[] { "target", "runnable", "action" }) { -- try { -- Field targetField = thread.getClass().getDeclaredField(fieldName); -- targetField.setAccessible(true); -- target = targetField.get(thread); -- break; -- } catch (NoSuchFieldException nfe) { -- continue; -- } -- } -- -- // "java.util.concurrent" code is in public domain, -- // so all implementations are similar including our -- // internal fork. -- if (target != null && target.getClass().getCanonicalName() != null && -- (target.getClass().getCanonicalName().equals( -- "org.apache.tomcat.util.threads.ThreadPoolExecutor.Worker") || -- target.getClass().getCanonicalName().equals( -- "java.util.concurrent.ThreadPoolExecutor.Worker"))) { -- Field executorField = target.getClass().getDeclaredField("this$0"); -- executorField.setAccessible(true); -- Object executor = executorField.get(target); -- if (executor instanceof ThreadPoolExecutor) { -- ((ThreadPoolExecutor) executor).shutdownNow(); -- usingExecutor = true; -- } else if (executor instanceof java.util.concurrent.ThreadPoolExecutor) { -- ((java.util.concurrent.ThreadPoolExecutor) executor).shutdownNow(); -- usingExecutor = true; -- } -+ Object executor = JreCompat.getInstance().getExecutor(thread); -+ if (executor instanceof ThreadPoolExecutor) { -+ ((ThreadPoolExecutor) executor).shutdownNow(); -+ usingExecutor = true; -+ } else if (executor instanceof java.util.concurrent.ThreadPoolExecutor) { -+ ((java.util.concurrent.ThreadPoolExecutor) executor).shutdownNow(); -+ usingExecutor = true; - } - } catch (NoSuchFieldException | IllegalAccessException | RuntimeException e) { - // InaccessibleObjectException is only available in Java 9+, -@@ -2306,6 +2278,12 @@ public abstract class WebappClassLoaderBase extends URLClassLoader - - - private void clearReferencesObjectStreamClassCaches() { -+ if (JreCompat.isJre19Available()) { -+ // The memory leak this fixes has been fixed in Java 19 onwards, -+ // 17.0.4 onwards and 11.0.16 onwards -+ // See https://bugs.openjdk.java.net/browse/JDK-8277072 -+ return; -+ } - try { - Class clazz = Class.forName("java.io.ObjectStreamClass$Caches"); - clearCache(clazz, "localDescs"); -@@ -2333,14 +2311,19 @@ public abstract class WebappClassLoaderBase extends URLClassLoader - throws ReflectiveOperationException, SecurityException, ClassCastException { - Field f = target.getDeclaredField(mapName); - f.setAccessible(true); -- Map map = (Map) f.get(null); -- Iterator keys = map.keySet().iterator(); -- while (keys.hasNext()) { -- Object key = keys.next(); -- if (key instanceof Reference) { -- Object clazz = ((Reference) key).get(); -- if (loadedByThisOrChild(clazz)) { -- keys.remove(); -+ Object map = f.get(null); -+ // Avoid trying to clear references if Tomcat is running on a JRE that -+ // includes the fix for this memory leak -+ // See https://bugs.openjdk.java.net/browse/JDK-8277072 -+ if (map instanceof Map) { -+ Iterator keys = ((Map) map).keySet().iterator(); -+ while (keys.hasNext()) { -+ Object key = keys.next(); -+ if (key instanceof Reference) { -+ Object clazz = ((Reference) key).get(); -+ if (loadedByThisOrChild(clazz)) { -+ keys.remove(); -+ } - } - } - } -diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java b/java/org/apache/tomcat/util/compat/JreCompat.java -index 62df145..e5df728 100644 ---- a/java/org/apache/tomcat/util/compat/JreCompat.java -+++ b/java/org/apache/tomcat/util/compat/JreCompat.java -@@ -19,6 +19,7 @@ package org.apache.tomcat.util.compat; - import java.io.File; - import java.io.IOException; - import java.lang.reflect.AccessibleObject; -+import java.lang.reflect.Field; - import java.lang.reflect.InvocationTargetException; - import java.lang.reflect.Method; - import java.net.SocketAddress; -@@ -45,6 +46,7 @@ public class JreCompat { - - private static final JreCompat instance; - private static final boolean graalAvailable; -+ private static final boolean jre19Available; - private static final boolean jre16Available; - private static final boolean jre11Available; - private static final boolean jre9Available; -@@ -67,18 +69,26 @@ public class JreCompat { - - // This is Tomcat 9 with a minimum Java version of Java 8. - // Look for the highest supported JVM first -- if (Jre16Compat.isSupported()) { -+ if (Jre19Compat.isSupported()) { -+ instance = new Jre19Compat(); -+ jre9Available = true; -+ jre16Available = true; -+ jre19Available = true; -+ } else if (Jre16Compat.isSupported()) { - instance = new Jre16Compat(); - jre9Available = true; - jre16Available = true; -+ jre19Available = false; - } else if (Jre9Compat.isSupported()) { - instance = new Jre9Compat(); - jre9Available = true; - jre16Available = false; -+ jre19Available = false; - } else { - instance = new JreCompat(); - jre9Available = false; - jre16Available = false; -+ jre19Available = false; - } - jre11Available = instance.jarFileRuntimeMajorVersion() >= 11; - -@@ -124,6 +134,9 @@ public class JreCompat { - return jre16Available; - } - -+ public static boolean isJre19Available() { -+ return jre19Available; -+ } - - // Java 8 implementation of Java 9 methods - -@@ -303,6 +316,8 @@ public class JreCompat { - } - - -+ // Java 8 implementations of Java 16 methods -+ - /** - * Return Unix domain socket address for given path. - * @param path The path -@@ -329,4 +344,63 @@ public class JreCompat { - public SocketChannel openUnixDomainSocketChannel() { - throw new UnsupportedOperationException(sm.getString("jreCompat.noUnixDomainSocket")); - } -+ -+ -+ // Java 8 implementations of Java 19 methods -+ -+ /** -+ * Obtains the executor, if any, used to create the provided thread. -+ * -+ * @param thread The thread to examine -+ * -+ * @return The executor, if any, that created the provided thread -+ * -+ * @throws NoSuchFieldException -+ * If a field used via reflection to obtain the executor cannot -+ * be found -+ * @throws SecurityException -+ * If a security exception occurs while trying to identify the -+ * executor -+ * @throws IllegalArgumentException -+ * If the instance object does not match the class of the field -+ * when obtaining a field value via reflection -+ * @throws IllegalAccessException -+ * If a field is not accessible due to access restrictions -+ */ -+ public Object getExecutor(Thread thread) -+ throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException { -+ -+ Object result = null; -+ -+ // Runnable wrapped by Thread -+ // "target" in Sun/Oracle JDK -+ // "runnable" in IBM JDK -+ // "action" in Apache Harmony -+ Object target = null; -+ for (String fieldName : new String[] { "target", "runnable", "action" }) { -+ try { -+ Field targetField = thread.getClass().getDeclaredField(fieldName); -+ targetField.setAccessible(true); -+ target = targetField.get(thread); -+ break; -+ } catch (NoSuchFieldException nfe) { -+ continue; -+ } -+ } -+ -+ // "java.util.concurrent" code is in public domain, -+ // so all implementations are similar including our -+ // internal fork. -+ if (target != null && target.getClass().getCanonicalName() != null && -+ (target.getClass().getCanonicalName().equals( -+ "org.apache.tomcat.util.threads.ThreadPoolExecutor.Worker") || -+ target.getClass().getCanonicalName().equals( -+ "java.util.concurrent.ThreadPoolExecutor.Worker"))) { -+ Field executorField = target.getClass().getDeclaredField("this$0"); -+ executorField.setAccessible(true); -+ result = executorField.get(target); -+ } -+ -+ return result; -+ } - } -diff --git a/java/org/apache/tomcat/util/compat/LocalStrings.properties b/java/org/apache/tomcat/util/compat/LocalStrings.properties -index 79427da..c4c2f7d 100644 ---- a/java/org/apache/tomcat/util/compat/LocalStrings.properties -+++ b/java/org/apache/tomcat/util/compat/LocalStrings.properties -@@ -16,6 +16,8 @@ - jre16Compat.javaPre16=Class not found so assuming code is running on a pre-Java 16 JVM - jre16Compat.unexpected=Failed to create references to Java 16 classes and methods - -+jre19Compat.javaPre19=Class not found so assuming code is running on a pre-Java 19 JVM -+ - jre9Compat.invalidModuleUri=The module URI provided [{0}] could not be converted to a URL for the JarScanner to process - jre9Compat.javaPre9=Class not found so assuming code is running on a pre-Java 9 JVM - jre9Compat.unexpected=Failed to create references to Java 9 classes and methods -diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml -index d118196..42dfe38 100644 ---- a/webapps/docs/config/context.xml -+++ b/webapps/docs/config/context.xml -@@ -769,7 +769,11 @@ - therefore requires that the command line option - -XaddExports:java.base/java.io=ALL-UNNAMED is set - when running on Java 9 and above. If not specified, the default value of -- true will be used.

-+ true will be used.

-+

The memory leak associated with ObjectStreamClass has -+ been fixed in Java 19 onwards, Java 17.0.4 onwards and Java 11.0.16 -+ onwards. The check will be disabled when running on a version -+ of Java that contains the fix.

- - - -diff --git a/java/org/apache/tomcat/util/compat/Jre19Compat.java b/java/org/apache/tomcat/util/compat/Jre19Compat.java -new file mode 100644 -index 0000000000..fb94810b40 ---- /dev/null -+++ b/java/org/apache/tomcat/util/compat/Jre19Compat.java -@@ -0,0 +1,84 @@ -+/* -+ * Licensed to the Apache Software Foundation (ASF) under one or more -+ * contributor license agreements. See the NOTICE file distributed with -+ * this work for additional information regarding copyright ownership. -+ * The ASF licenses this file to You under the Apache License, Version 2.0 -+ * (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+package org.apache.tomcat.util.compat; -+ -+import java.lang.reflect.Field; -+ -+import org.apache.juli.logging.Log; -+import org.apache.juli.logging.LogFactory; -+import org.apache.tomcat.util.res.StringManager; -+ -+public class Jre19Compat extends Jre16Compat { -+ -+ private static final Log log = LogFactory.getLog(Jre19Compat.class); -+ private static final StringManager sm = StringManager.getManager(Jre19Compat.class); -+ -+ private static final boolean supported; -+ -+ static { -+ // Don't need any Java 19 specific classes (yet) so just test for one of -+ // the new ones for now. -+ Class c1 = null; -+ try { -+ c1 = Class.forName("java.lang.WrongThreadException"); -+ } catch (ClassNotFoundException cnfe) { -+ // Must be pre-Java 16 -+ log.debug(sm.getString("jre19Compat.javaPre19"), cnfe); -+ } -+ -+ supported = (c1 != null); -+ } -+ -+ static boolean isSupported() { -+ return supported; -+ } -+ -+ @Override -+ public Object getExecutor(Thread thread) -+ throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException { -+ -+ Object result = super.getExecutor(thread); -+ -+ if (result == null) { -+ Object holder = null; -+ Object task = null; -+ try { -+ Field holderField = thread.getClass().getDeclaredField("holder"); -+ holderField.setAccessible(true); -+ holder = holderField.get(thread); -+ -+ Field taskField = holder.getClass().getDeclaredField("task"); -+ taskField.setAccessible(true); -+ task = taskField.get(holder); -+ } catch (NoSuchFieldException nfe) { -+ return null; -+ } -+ -+ if (task!= null && task.getClass().getCanonicalName() != null && -+ (task.getClass().getCanonicalName().equals( -+ "org.apache.tomcat.util.threads.ThreadPoolExecutor.Worker") || -+ task.getClass().getCanonicalName().equals( -+ "java.util.concurrent.ThreadPoolExecutor.Worker"))) { -+ Field executorField = task.getClass().getDeclaredField("this$0"); -+ executorField.setAccessible(true); -+ result = executorField.get(task); -+ } -+ } -+ -+ return result; -+ } -+} diff --git a/tomcat.spec b/tomcat.spec index 7eb74e0..5e63519 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -32,7 +32,7 @@ %global major_version 9 %global minor_version 0 %global micro_version 62 -%global packdname apache-tomcat-%{version}-src +%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00013 %global servletspec 4.0 %global elspec 3.0 %global tcuid 53 @@ -56,12 +56,12 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 9%{?dist} +Release: 10%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: ASL 2.0 URL: http://tomcat.apache.org/ -Source0: http://www.apache.org/dist/tomcat/tomcat-%{major_version}/v%{version}/src/%{packdname}.tar.gz +Source0: %{packdname}.tar.gz Source1: %{name}-%{major_version}.%{minor_version}.conf Source3: %{name}-%{major_version}.%{minor_version}.sysconfig Source4: %{name}-%{major_version}.%{minor_version}.wrapper @@ -80,11 +80,9 @@ Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat Patch2: %{name}-build.patch Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch Patch4: rhbz-1857043.patch -Patch5: %{name}-%{major_version}.%{minor_version}-JDTCompiler.patch # remove bnd dependency which version is too low on rhel8 Patch6: remove-bnd-annotation.patch -# The fixes for memory leak which have been fixed in 9.0.64, remove this patch in the next tomcat update -Patch7: %{name}-%{major_version}.%{minor_version}-memory-leak.patch +Patch7: JmxRemoteLifecycleListener.patch Patch8: fix-malformed-dtd.patch BuildArch: noarch @@ -230,7 +228,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch -P2 -p0 %patch -P3 -p0 %patch -P4 -p0 -%patch -P5 -p0 %patch -P6 -p1 %patch -P7 -p1 %patch -P8 -p1 @@ -271,7 +268,7 @@ touch HACK deploy # remove some jars that we'll replace with symlinks later -%{__rm} output/build/bin/commons-daemon.jar output/build/lib/ecj.jar +%{__rm} output/build/lib/ecj.jar # Remove the example webapps per Apache Tomcat Security Considerations # see https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html %{__rm} -rf output/build/webapps/examples @@ -599,6 +596,10 @@ fi %changelog +* Fri Aug 18 2023 Hui Wang - 1:9.0.62-10 +- Resolves: #2210630 CVE-2023-28709 tomcat +- Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure + * Thu Aug 17 2023 Hui Wang - 1:9.0.62-9 - Resolves: #2184135 Add Obsoletes to tomcat package