Apache Tomcat vulnerabilities (newer than the ones reported in KB25966)

Hello all,


Vulnerability scan engines are flagging both BES 5.x and BES 10.x with several CVE vulnerabilities related to the Apache Tomcat engine.


Below there is a list of the flagged vulnerabilities.


The article KB25966 is from 04/12/2011 and back then the solution was to upgrade to BES 5.0.2 MR 5.


The BES servers are running the latest versions now:


BES 5.x - 5.0.4 MR 5 (bundle 116)

BES 10.x - 10.1.1 (bundle 37)


The reported versions of the Apache Tomcat are (using the method described in KB21780):


BES 5.x - INFO: Starting Servlet Engine: Apache Tomcat/6.0.36

BES 10.x - INFO: Starting Servlet Engine: Apache Tomcat/6.0.32


According to the CVE vulnerability DB web site, the flagged vulnerabilities really do affect these versions of the Apache Tomcat engine.


A few years ago another BES administrator shared the email copied below with me, supposedly coming from some BES/RIM MDS developers.


The answer is valid to me; however my security team rejected it (back then) because it did not "look" official to them.


Would it be possible for BlackBerry to publish an "official" statement explaining the information below (about MDS not being vulnerable due to the heavy customization of the Apache Tomcat engine)?


They have done so for Java RTE in article KB34134 and something similar is urgently needed for the Apache Tomcat engine as well.


Or they could also address the vulnerabilities in a more prompt fashion.


Or if they publish a way to "manually" update the Apache Tomcat engine version to the latest one, correcting the vulnerabilities, so anyone can update the version as needed (perhaps not possible due to the heavy customization of the Apache Tomcat engine in the BES products).


Something is needed; this cannot go on like this.


I have no means to contact anyone on the BlackBerry Security Support Team. My hope is that someone sees this message and at least comments on it, or preferably points it out to the BlackBerry Security Support Team so they can somehow address this situation.


Thank you all for your help.





Text of email received back in 2010 (I do not have the headers of the message, just the text):



Upon performing a technical security audit of the BlackBerry® Enterprise Server, some organizations may identify that the Apache WebServer in use has been flagged as containing four issues.


However, Research In Motion's (RIM's) bundling of the Apache WebServer with the BlackBerry® Enterprise Solution uses a build of Apache Tomcat that has been heavily customized and repackaged from its original form. This customized version of the Apache WebServer does not expose the identified issues.


The following security notices may be flagged following the audit:



The Host Manager Web application does not escape user-provided data before including it in the output. This issue may be mitigated by logging out or closing the browser of the application. Apache Tomcat versions 6.0.0 through 6.0.16 and 5.5.9 through 5.5.26 are affected.


CVE-2008-1232 and CVE-2008-2370

Two vulnerabilities exist in Apache Tomcat versions 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16. This first issue allows remote attackers to inject arbitrary Web script or HTML due to an incorrect handling of HttpServletResponse.sendError method. The second issue can be exploited when a RequestDispatcher is used to perform path normalization before removing the query string from the URI.



A remote directory traversal vulnerability exists in Apache Tomcat versions 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16. This vulnerability is caused by an input validation error when a context is configured with allowLinking="true" and the connector is configured with URIEncoding set to UTF-8.



Apache Tomcat is prone to a remote information disclosure vulnerability. When using a RequestDispatcher, the target path was normalized before the query string was removed. A request that includes a specially-crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by being located under the WEB-INF directory.



Use of the RequestDispatcher method allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a request.



When the Java AJP connector and mod_jk load balancing are used, Apache Tomcat allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.



Security notice responses



The BlackBerry MDS development team has provided the following responses to each of the following related security notices:


CVE-2008-1232 and CVE-2008-2370

We do not allow any non BlackBerry MDS Connection Service JavaServer Pages (JSP) or Servlets to be deployed in Apache Tomcat because the Apache Tomcat war file is signed to ensure its integrity.



We do not distribute the Apache Tomcat Host Manager web application with BlackBerry MDS. A customer would not be able to add the Apache Tomcat Host Manager web application because the BlackBerry MDS war file is signed.



We do not set the AllowLinking attribute, so it defaults to false.



This would only allow the contents of the WEB-INF folder to be viewed. There should not be any sensitive data contained in this folder in a standard configuration. Also note that this interface should only be accessible from within the organization's network.



This affects a component of Tomcat that is not used in a standard deployment of the BES, and the affected code is not reachable using the BES interfaces.




BES 5.x flagged vulnerabilities

#  | Severity | Vulnerability                                   | CVE           | NVD link
1  | Medium   | Apache Tomcat Denial of Service Vulnerability   | CVE-2012-3544 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3544
2  | Medium   | Apache Tomcat Session Fixation Vulnerability    | CVE-2013-2067 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2067
3  | Medium   | Apache Tomcat Slowloris HTTP Denial of Service  | CVE-2012-5568 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5568



BES 10.x flagged vulnerabilities

#  | Severity | Vulnerability                                                          | CVE           | NVD link
1  | High     | Apache Tomcat Denial of Service Vulnerability                          | CVE-2012-3544 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3544
2  | High     | Apache Tomcat AJP Authentication Bypass Information Disclosure         | CVE-2011-3190 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3190
3  | High     | Apache Tomcat HTTP DIGEST Authentication Multiple Security Weaknesses  | CVE-2011-1184 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1184
4  | High     | Apache Tomcat Parameter Handling Denial of Service                     | CVE-2012-0022 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0022
5  | High     | Apache Tomcat Security Bypass and Denial of Service Vulnerabilities    | CVE-2012-2733 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2733
6  | Medium   | Apache Tomcat "sendfile" Security Bypass And Denial Of Service         | CVE-2011-2526 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2526
7  | Medium   | Apache Tomcat CSRF Prevention Filter Security Bypass Vulnerability     | CVE-2012-4431 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4431
8  | Medium   | Apache Tomcat FormAuthenticator Component Security Bypass Vulnerability | CVE-2012-3546 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3546
9  | Medium   | Apache Tomcat Request Object Recycle Security Bypass Vulnerability     | CVE-2011-3375 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3375
10 | Medium   | Apache Tomcat Session Fixation Vulnerability                           | CVE-2013-2067 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2067
11 | Medium   | Apache Tomcat Slowloris HTTP Denial of Service                         | CVE-2012-5568 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5568
12 | Medium   | Apache Tomcat Web Form Hash Collision Denial of Service Vulnerability  | CVE-2011-4858 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4858
13 | Medium   | HTTP Server Prone To Slow Denial Of Service Attack                     | ??            |
14 | Low      | Apache Tomcat Commons Daemon Jsvc Information Disclosure Vulnerability | CVE-2011-2729 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2729
15 | Low      | Apache Tomcat NIO Connector Sendfile HTTPS Denial of Service           | CVE-2012-4534 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4534
16 | Low      | Apache Tomcat MemoryUserDatabase Password Disclosure Weakness          | CVE-2011-2204 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2204
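The post checks the Tomcat build by reading the "Starting Servlet Engine" banner from the BES logs and then compares that version with the ranges named in the advisories. The script below is an added example of that triage step; it is not code from the post, from BlackBerry or from the Tomcat project. The log lines are constructed in the shape the post quotes, and the only affected-version ranges hard-coded are the ones the quoted RIM email states for the 2008 notices; ranges for the 2011-2013 CVEs in the scan tables are not on the page and would have to be supplied from the NVD entries.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample log lines in the shape the post quotes (the KB21780 check):
# Tomcat's startup banner as written to the BES servlet engine log.
SAMPLE_LOG_LINES: Dict[str, str] = {
    "BES 5.0.4 MR 5 (bundle 116)": "INFO: Starting Servlet Engine: Apache Tomcat/6.0.36",
    "BES 10.1.1 (bundle 37)": "INFO: Starting Servlet Engine: Apache Tomcat/6.0.32",
    "unrelated line": "INFO: Server startup in 4213 ms",
}

# Affected ranges quoted from the RIM email on the page (2008 notices only).
# Ranges for the 2011-2013 CVEs in the scan tables are not on the page and are
# deliberately not hard-coded; add them from the NVD entries when triaging.
ADVISORY_RANGES: Dict[str, str] = {
    "CVE-2008-1232": "4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16",
    "CVE-2008-2370": "4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16",
    "Host Manager XSS (CVE not quoted)": "6.0.0 through 6.0.16 and 5.5.9 through 5.5.26",
}

BANNER_RE = re.compile(r"Starting Servlet Engine: Apache Tomcat/(\d+(?:\.\d+)*)")
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s+through\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'6.0.36' -> (6, 0, 36); tuples compare component-wise, so 6.0.36 > 6.0.9."""
    return tuple(int(part) for part in text.split("."))


def tomcat_version_from_log(line: str) -> Optional[Version]:
    """Extract the Tomcat version from a startup banner line, or None if the line has none."""
    match = BANNER_RE.search(line)
    return parse_version(match.group(1)) if match else None


def parse_ranges(text: str) -> List[Tuple[Version, Version]]:
    """Turn 'A through B, C through D' advisory wording into inclusive (lo, hi) pairs."""
    return [(parse_version(lo), parse_version(hi)) for lo, hi in RANGE_RE.findall(text)]


def in_affected_range(version: Version, ranges_text: str) -> bool:
    """True if the version falls inside any inclusive range named in the advisory text."""
    return any(lo <= version <= hi for lo, hi in parse_ranges(ranges_text))


def triage(log_line: str, advisories: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Per advisory: True (version in range), False (out of range) or None (no banner found)."""
    version = tomcat_version_from_log(log_line)
    if version is None:
        return {name: None for name in advisories}
    return {name: in_affected_range(version, ranges) for name, ranges in advisories.items()}


if __name__ == "__main__":
    for server, line in SAMPLE_LOG_LINES.items():
        print(server, tomcat_version_from_log(line), triage(line, ADVISORY_RANGES))
```

A version-in-range result is evidence for a finding, not a verdict: scanners that match on the banner cannot see a backported fix, and a vendor-customized build such as the one the email describes may differ from stock Tomcat in either direction, which is exactly why the post asks for a written vendor statement per CVE rather than relying on the banner alone.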
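Several of the email's responses rest on configuration facts a security team can verify on the server itself: the traversal notice only applies when a context sets allowLinking="true" and a connector uses URIEncoding="UTF-8", and the Host Manager notice only applies if that web application is deployed at all. The following audit script is an added example of checking those preconditions, not code from the post or from BlackBerry; the context.xml and server.xml fragments are constructed in stock Tomcat 6 syntax, and the webapps directory listings are made up to show both outcomes.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample configuration fragments in stock Tomcat 6 syntax; they are
# illustrations, not files taken from a BES installation.
SAFE_CONTEXT_XML = '<Context path="/mds"/>'                      # allowLinking absent -> default false
RISKY_CONTEXT_XML = '<Context path="/mds" allowLinking="true"/>'  # the precondition the email rules out
SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""
# Constructed directory listings of Tomcat's webapps/ folder.
STOCK_WEBAPPS = ["ROOT", "manager", "host-manager", "docs"]
STRIPPED_WEBAPPS = ["mds"]


def context_allows_linking(context_xml: str) -> bool:
    """Tomcat treats a missing allowLinking attribute as false; attribute names are case-sensitive."""
    root = ET.fromstring(context_xml)
    return root.get("allowLinking", "false").strip().lower() == "true"


def utf8_connector_ports(server_xml: str) -> List[str]:
    """Ports of connectors whose URIEncoding is UTF-8 (the second half of the traversal precondition)."""
    root = ET.fromstring(server_xml)
    return [
        conn.get("port", "?")
        for conn in root.iter("Connector")
        if (conn.get("URIEncoding") or "").strip().upper() == "UTF-8"
    ]


def traversal_precondition_met(context_xml: str, server_xml: str) -> bool:
    """Both conditions the notice names must hold: allowLinking=true AND a UTF-8 connector."""
    return context_allows_linking(context_xml) and bool(utf8_connector_ports(server_xml))


def host_manager_deployed(webapps: List[str]) -> bool:
    """Stock Tomcat ships the Host Manager application under webapps/host-manager."""
    return "host-manager" in webapps


def audit(context_xml: str, server_xml: str, webapps: List[str]) -> Dict[str, bool]:
    """Summarise the checkable claims from the email as findings (True = exposure present)."""
    return {
        "allowLinking_true": context_allows_linking(context_xml),
        "utf8_uri_encoding": bool(utf8_connector_ports(server_xml)),
        "traversal_precondition": traversal_precondition_met(context_xml, server_xml),
        "host_manager_present": host_manager_deployed(webapps),
    }


if __name__ == "__main__":
    print("stripped layout:", audit(SAFE_CONTEXT_XML, SERVER_XML, STRIPPED_WEBAPPS))
    print("stock layout:   ", audit(RISKY_CONTEXT_XML, SERVER_XML, STOCK_WEBAPPS))
```

Run it against the real context.xml, server.xml and webapps listing of the server in question and attach the output to the scan ticket; a UTF-8 connector on its own is not a finding, only the combination with allowLinking="true" is, which is why the script reports the two attributes separately as well as together.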