Apache Tomcat 不完整修复拒绝服务漏洞(CVE-2013-4322)

发布日期:2013-12-26
更新日期:2014-02-26

受影响系统:
Apache Group Tomcat 7.x
Apache Group Tomcat 6.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65767
CVE(CAN) ID: CVE-2013-4322

Apache Tomcat是一个流行的开源JSP应用服务器程序。

Tomcat 8.0.0-RC1-8.0.0-RC5、Tomcat 7.0.0-7.0.47、Tomcat 6.0.0-6.0.37在实现上存在拒绝服务漏洞,攻击者可利用此漏洞造成拒绝服务。该漏洞源于CVE-2012-3544的不完整修复。所有使用Oracle Java 7 (1.7, 1.7.0)的系统都受到影响。Oracle Java 7 Update 11之前版本存在多个漏洞,远程攻击者通过JmxMBeanServer类内的公开方法getMBeanInstantiator可获取私有对象MBeanInstantiator的引用,然后用findClass方法检索任意Class引用,从而利用此漏洞执行任意代码,或者用反射式API绕过java.lang.invoke.MethodHandles.Lookup.checkSecurityManager方法的安全检查,因sun.reflect.Reflection.getCallerClass方法无法跳过新反射式API相关的帧,即可利用此漏洞执行任意代码。

<*来源:Apache Tomcat security team
        Saran Neti
 
  链接:http://www.us-cert.gov/ncas/alerts/ta13-010a
        http://www.kb.cert.org/vuls/id/625617
*>

建议:
--------------------------------------------------------------------------------
厂商补丁:

Apache Group
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://jakarta.apache.org/tomcat/index.html

参考:

https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
http://seclists.org/bugtraq/2013/Jan/48
http://seclists.org/fulldisclosure/2013/Jan/77
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf
http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29
http://www.java.com/en/download/help/disable_browser.xml
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
https://bugzilla.redhat.com/show_bug.cgi?id=894172
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224
http://permalink.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/21381
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html
http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11
http://codeascraft.etsy.com/2013/03/18/java-not-even-once/

相关推荐