08-31-2013 01:07 AM
Vulnerability scan engines are flagging both BES 5.x and BES 10.x with several CVE vulnerabilities related to the Apache Tomcat engine.
Below is a list of the flagged vulnerabilities.
The article KB25966 is from 04/12/2011 and back then the solution was to upgrade to BES 5.0.2 MR 5.
The BES servers are running the latest versions now:
BES 5.x - 5.0.4 MR 5 (bundle 116)
BES 10.x - 10.1.1 (bundle 37)
The reported versions of the Apache Tomcat are (using the method described in KB21780):
BES 5.x - INFO: Starting Servlet Engine: Apache Tomcat/6.0.36
BES 10.x - INFO: Starting Servlet Engine: Apache Tomcat/6.0.32
According to the CVE vulnerability database website, the flagged vulnerabilities really do affect these versions of the Apache Tomcat engine.
A few years ago another BES administrator shared the email copied below with me, supposedly coming from some BES/RIM MDS developers.
The answer is valid to me; however my security team rejected it (back then) because it did not "look" official to them.
Would it be possible for BlackBerry to publish an "official" statement explaining the information below (about MDS not being vulnerable due to the heavy customization of the Apache Tomcat engine)?
They have done so for Java RTE in article KB34134 and something similar is urgently needed for the Apache Tomcat engine as well.
Or they could address the vulnerabilities more promptly.
Or they could publish a way to "manually" update the Apache Tomcat engine to the latest version, correcting the vulnerabilities, so anyone can update it as needed (perhaps not possible due to the heavy customization of the Apache Tomcat engine in the BES products).
Something is needed; this cannot go on like this.
I have no means to contact anyone on the BlackBerry Security Support Team; my hope is that someone will see this message and at least comment on it, or preferably point it to the BlackBerry Security Support Team so they can somehow address this situation.
Thank you all for your help.
Text of email received back in 2010 (I do not have the headers of the message, just the text):
Upon performing a technical security audit of the BlackBerry® Enterprise Server, some organizations may identify that the Apache WebServer in use has been flagged as containing four issues.
However, Research In Motion's (RIM's) bundling of the Apache WebServer with the BlackBerry® Enterprise Solution uses a build of Apache Tomcat that has been heavily customized and repackaged from its original form. This customized version of the Apache WebServer does not expose the identified issues.
The following security notices may be flagged following the audit:
The Host Manager Web application does not escape user-provided data before including it in the output. This issue may be mitigated by logging out or closing the browser of the application. Apache Tomcat versions 6.0.0 through 6.0.16 and 5.5.9 through 5.5.26 are affected.
CVE-2008-1232 and CVE-2008-2370
Two vulnerabilities exist in Apache Tomcat versions 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16. The first issue allows remote attackers to inject arbitrary Web script or HTML due to incorrect handling of the HttpServletResponse.sendError method. The second issue can be exploited when a RequestDispatcher is used to perform path normalization before removing the query string from the URI.
A remote directory traversal vulnerability exists in Apache Tomcat versions 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16. This vulnerability is caused by an input validation error when a context is configured with allowLinking="true" and the connector is configured with URIEncoding set to UTF-8.
Apache Tomcat is prone to a remote information disclosure vulnerability. When using a RequestDispatcher, the target path was normalized before the query string was removed. A request that includes a specially-crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory.
When using the RequestDispatcher method, remote attackers can bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a request.
When the Java AJP connector and mod_jk load balancing are used, a crafted request with invalid headers allows remote attackers to cause a denial of service (application outage), related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.
Security notice responses
The BlackBerry MDS development team has provided the following responses to each of the related security notices above:
CVE-2008-1232 and CVE-2008-2370
We do not allow any non BlackBerry MDS Connection Service JavaServer Pages (JSP) or Servlets to be deployed in Apache Tomcat because the Apache Tomcat war file is signed to ensure its integrity.
We do not distribute the Apache Tomcat Host Manager web application with BlackBerry MDS. A customer would not be able to add the Apache Tomcat Host Manager web application because the BlackBerry MDS war file is signed.
We do not set the AllowLinking attribute, so it defaults to false.
This would only allow the contents of the WEB-INF folder to be viewed. There should not be any sensitive data contained in this folder in a standard configuration. Also note that this interface should only be accessible from within the organization’s network.
Affects a component of Tomcat that is not used in a standard deployment of the BES and the affected code is not reachable using the BES interfaces.
BES 5.x flagged vulnerabilities

| # | Severity | Title | CVE | NVD link |
|---|---|---|---|---|
| 1 | Medium | Apache Tomcat Denial of Service Vulnerability | CVE-2012-3544 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 2 | Medium | Apache Tomcat Session Fixation Vulnerability | CVE-2013-2067 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 3 | Medium | Apache Tomcat Slowloris HTTP Denial of Service | CVE-2012-5568 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |

BES 10.x flagged vulnerabilities

| # | Severity | Title | CVE | NVD link |
|---|---|---|---|---|
| 1 | High | Apache Tomcat Denial of Service Vulnerability | CVE-2012-3544 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 2 | High | Apache Tomcat AJP Authentication Bypass Information Disclosure | CVE-2011-3190 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 3 | High | Apache Tomcat HTTP DIGEST Authentication Multiple Security Weaknesses | CVE-2011-1184 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 4 | High | Apache Tomcat Parameter Handling Denial of Service | CVE-2012-0022 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 5 | High | Apache Tomcat Security Bypass and Denial of Service Vulnerabilities | CVE-2012-2733 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 6 | Medium | Apache Tomcat "sendfile" Security Bypass And Denial Of Service | CVE-2011-2526 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 7 | Medium | Apache Tomcat CSRF Prevention Filter Security Bypass Vulnerability | CVE-2012-4431 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 8 | Medium | Apache Tomcat FormAuthenticator Component Security Bypass Vulnerability | CVE-2012-3546 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 9 | Medium | Apache Tomcat Request Object Recycle Security Bypass Vulnerability | CVE-2011-3375 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 10 | Medium | Apache Tomcat Session Fixation Vulnerability | CVE-2013-2067 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 11 | Medium | Apache Tomcat Slowloris HTTP Denial of Service | CVE-2012-5568 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 12 | Medium | Apache Tomcat Web Form Hash Collision Denial of Service Vulnerability | CVE-2011-4858 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 13 | Medium | HTTP Server Prone To Slow Denial Of Service Attack | ? | ? |
| 14 | Low | Apache Tomcat Commons Daemon Jsvc Information Disclosure Vulnerability | CVE-2011-2729 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 15 | Low | Apache Tomcat NIO Connector Sendfile HTTPS Denial of Service | CVE-2012-4534 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
| 16 | Low | Apache Tomcat MemoryUserDatabase Password Disclosure Weakness | CVE-2011-2204 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CV |
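The scanner findings in the post are version matches: the scanner reads the Tomcat version and flags every CVE whose affected range includes it, while the vendor email argues reachability (no Host Manager shipped, signed war file, allowLinking left at its default). The script below is an added example, not code from the post, from BlackBerry, or from the Tomcat project. It reproduces the version match from the "Starting Servlet Engine" log line (the KB21780 method) against a "fixed in" table for the 6.0.x branch, and separately parses a Tomcat server.xml to report the two configuration preconditions the vendor response relies on (an AJP connector, and any Context with allowLinking="true"). The "fixed in" releases are this example's own assumption, transcribed from memory of the Tomcat 6 security page; verify them against tomcat.apache.org/security-6.html before acting on the output. The server.xml is constructed sample input, not a real BES configuration.

```python
"""Triage scanner-flagged Tomcat CVEs against what a BES host actually runs.

Check 1: extract the Tomcat version from the servlet-engine start line and
         compare it with the 6.0.x release that fixed each flagged CVE.
Check 2: parse server.xml and report whether an AJP connector is configured
         and whether any Context sets allowLinking="true".
"""
import re
import xml.etree.ElementTree as ET

# ASSUMPTION: fixing releases on the Tomcat 6.0.x branch, transcribed from
# memory of tomcat.apache.org/security-6.html. Verify before relying on them.
# None means no fixing release exists. CVE-2011-2729 is deliberately absent:
# it is a Commons Daemon (jsvc, Linux) issue not tracked by the Tomcat version.
FIXED_IN_6 = {
    "CVE-2011-1184": (6, 0, 33),
    "CVE-2011-2204": (6, 0, 33),
    "CVE-2011-2526": (6, 0, 33),
    "CVE-2011-3190": (6, 0, 35),
    "CVE-2011-3375": (6, 0, 35),
    "CVE-2011-4858": (6, 0, 35),
    "CVE-2012-0022": (6, 0, 35),
    "CVE-2012-2733": (6, 0, 36),
    "CVE-2012-3546": (6, 0, 36),
    "CVE-2012-4431": (6, 0, 36),
    "CVE-2012-4534": (6, 0, 36),
    "CVE-2012-3544": (6, 0, 37),
    "CVE-2013-2067": (6, 0, 37),
    "CVE-2012-5568": None,  # Slowloris: disputed, no fixing release
}

LOG_RE = re.compile(r"Starting Servlet Engine: Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def tomcat_version(log_line):
    """Return (major, minor, patch) from the servlet-engine start line, or None."""
    m = LOG_RE.search(log_line)
    return tuple(int(x) for x in m.groups()) if m else None


def triage_by_version(version, cves):
    """Classify each CVE as 'affected', 'fixed' (version >= fixing release),
    'unfixed' (no fixing release exists) or 'unknown' (not in the table or
    not on the 6.0 branch). This is the same version match the scanner does;
    it says nothing about whether the vulnerable code is reachable."""
    verdicts = {}
    for cve in cves:
        fixed = FIXED_IN_6.get(cve, "missing")
        if fixed == "missing" or (fixed is not None and version[:2] != fixed[:2]):
            verdicts[cve] = "unknown"
        elif fixed is None:
            verdicts[cve] = "unfixed"
        elif version >= fixed:
            verdicts[cve] = "fixed"
        else:
            verdicts[cve] = "affected"
    return verdicts


def inspect_server_xml(xml_text):
    """Report AJP connector ports and Contexts that enable allowLinking,
    the two preconditions quoted in the vendor response."""
    root = ET.fromstring(xml_text)
    ajp_ports = [c.get("port") for c in root.iter("Connector")
                 if c.get("protocol", "").upper().startswith("AJP")]
    linking = [c.get("path", "/") for c in root.iter("Context")
               if c.get("allowLinking", "false").lower() == "true"]
    return {"ajp_ports": ajp_ports, "allow_linking_contexts": linking}


# Constructed sample input: the two log lines quoted in the post, the BES 5.x
# finding list, and a minimal server.xml that trips both configuration checks.
BES5_LOG = "INFO: Starting Servlet Engine: Apache Tomcat/6.0.36"
BES10_LOG = "INFO: Starting Servlet Engine: Apache Tomcat/6.0.32"
BES5_FLAGGED = ["CVE-2012-3544", "CVE-2013-2067", "CVE-2012-5568"]
SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/mds" docBase="mds" allowLinking="true" />
      </Host>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for cve, verdict in triage_by_version(tomcat_version(BES5_LOG), BES5_FLAGGED).items():
        print(f"{cve}: {verdict}")
    print(inspect_server_xml(SAMPLE_SERVER_XML))
```

Run against the two log lines from the post, the version check reproduces the scanner: 6.0.36 is behind the 6.0.37 fixing release for CVE-2012-3544 and CVE-2013-2067, and 6.0.32 is behind every fixing release in the table, which is why BES 10.x picks up the longer list. The configuration check is the part a security team can verify on its own host: if server.xml has no AJP connector and no Context with allowLinking="true", the AJP and directory-traversal findings have no configured precondition. Neither check can confirm the signed-war-file claim; that still needs a vendor statement.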