From: Markus Koschany Date: Sun, 27 Mar 2016 20:42:05 +0200 Subject: CVE-2016-0714 The session-persistence implementation in Apache Tomcat mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. Origin: https://svn.apache.org/viewvc?view=revision&revision=1726923 Origin: https://svn.apache.org/viewvc?view=revision&revision=1727034 --- .../catalina/ha/session/ClusterManagerBase.java | 2 + .../catalina/ha/session/mbeans-descriptors.xml | 16 +++ .../catalina/session/LocalStrings.properties | 2 + java/org/apache/catalina/session/ManagerBase.java | 156 ++++++++++++++++++++- .../apache/catalina/session/StandardManager.java | 7 +- .../apache/catalina/session/mbeans-descriptors.xml | 12 ++ .../catalina/util/CustomObjectInputStream.java | 69 ++++++++- .../apache/catalina/util/LocalStrings.properties | 2 + webapps/docs/changelog.xml | 8 ++ webapps/docs/config/cluster-manager.xml | 53 +++++++ 10 files changed, 320 insertions(+), 7 deletions(-) diff --git a/java/org/apache/catalina/ha/session/ClusterManagerBase.java b/java/org/apache/catalina/ha/session/ClusterManagerBase.java index 39437b3..65fc965 100644 --- a/java/org/apache/catalina/ha/session/ClusterManagerBase.java +++ b/java/org/apache/catalina/ha/session/ClusterManagerBase.java @@ -199,6 +199,8 @@ public abstract class ClusterManagerBase extends ManagerBase copy.setProcessExpiresFrequency(getProcessExpiresFrequency()); copy.setNotifyListenersOnReplication(isNotifyListenersOnReplication()); copy.setSessionAttributeFilter(getSessionAttributeFilter()); + copy.setSessionAttributeValueClassNameFilter(getSessionAttributeValueClassNameFilter()); + copy.setWarnOnSessionAttributeFilterFailure(getWarnOnSessionAttributeFilterFailure()); copy.setSecureRandomClass(getSecureRandomClass()); copy.setSecureRandomProvider(getSecureRandomProvider()); copy.setSecureRandomAlgorithm(getSecureRandomAlgorithm()); diff --git a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml index bfdbe0d..adea9a7 100644 --- a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml +++ b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml @@ -562,6 +562,22 @@ name="secureRandomProvider" description="The secure random number generator provider name" type="java.lang.String"/> + + + + + * This implementation excludes session attributes from distribution if the: + *
    + *
  • attribute name matches {@link #getSessionAttributeNameFilter()}
    • + *
+ */ + public boolean willAttributeDistribute(String name, Object value) { + Pattern sessionAttributeNamePattern = getSessionAttributeNamePattern(); + if (sessionAttributeNamePattern != null) { + if (!sessionAttributeNamePattern.matcher(name).matches()) { + if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) { + String msg = sm.getString("managerBase.sessionAttributeNameFilter", + name, sessionAttributeNamePattern); + if (getWarnOnSessionAttributeFilterFailure()) { + log.warn(msg); + } else { + log.debug(msg); + } + } + return false; + } + } + + Pattern sessionAttributeValueClassNamePattern = getSessionAttributeValueClassNamePattern(); + if (value != null && sessionAttributeValueClassNamePattern != null) { + if (!sessionAttributeValueClassNamePattern.matcher( + value.getClass().getName()).matches()) { + if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) { + String msg = sm.getString("managerBase.sessionAttributeValueClassNameFilter", + name, value.getClass().getName(), sessionAttributeNamePattern); + if (getWarnOnSessionAttributeFilterFailure()) { + log.warn(msg); + } else { + log.debug(msg); + } + } + return false; + } + } + + return true; + } + // ------------------------------------------------------ Protected Methods diff --git a/java/org/apache/catalina/session/StandardManager.java b/java/org/apache/catalina/session/StandardManager.java index 0174094..e69b9ba 100644 --- a/java/org/apache/catalina/session/StandardManager.java +++ b/java/org/apache/catalina/session/StandardManager.java @@ -231,17 +231,20 @@ public class StandardManager extends ManagerBase { ObjectInputStream ois = null; Loader loader = null; ClassLoader classLoader = null; + Log logger = null; try { fis = new FileInputStream(file.getAbsolutePath()); bis = new BufferedInputStream(fis); if (container != null) - loader = container.getLoader(); + logger = container.getLogger(); if (loader != null) classLoader = loader.getClassLoader(); if (classLoader != null) { if (log.isDebugEnabled()) log.debug("Creating custom object input stream for class loader "); - ois = new CustomObjectInputStream(bis, classLoader); + ois = new CustomObjectInputStream(bis, classLoader, logger, + getSessionAttributeValueClassNamePattern(), + getWarnOnSessionAttributeFilterFailure()); } else { if (log.isDebugEnabled()) log.debug("Creating standard object input stream"); diff --git a/java/org/apache/catalina/session/mbeans-descriptors.xml b/java/org/apache/catalina/session/mbeans-descriptors.xml index 16a90a0..0c65645 100644 --- a/java/org/apache/catalina/session/mbeans-descriptors.xml +++ b/java/org/apache/catalina/session/mbeans-descriptors.xml @@ -321,6 +321,18 @@ type="int" writeable="false"/> + + + + + + ObjectInputStream that loads from the @@ -35,14 +44,26 @@ public final class CustomObjectInputStream extends ObjectInputStream { + private static final StringManager sm = StringManager.getManager("org.apache.catalina.util"); + + private static final WeakHashMap> reportedClassCache = + new WeakHashMap>(); + /** * The class loader we will use to resolve classes. */ private ClassLoader classLoader = null; + private final Set reportedClasses; + private final Log log; + + private final Pattern allowedClassNamePattern; + private final String allowedClassNameFilter; + private final boolean warnOnFailure; /** - * Construct a new instance of CustomObjectInputStream + * Construct a new instance of CustomObjectInputStream without any filtering + * of deserialized classes. * * @param stream The input stream we will read from * @param classLoader The class loader used to instantiate objects @@ -53,8 +74,36 @@ public final class CustomObjectInputStream ClassLoader classLoader) throws IOException { + this(stream, classLoader, null, null, false); + } + + public CustomObjectInputStream(InputStream stream, ClassLoader classLoader, + Log log, Pattern allowedClassNamePattern, boolean warnOnFailure) + throws IOException { super(stream); + if (log == null && allowedClassNamePattern != null && warnOnFailure) { + throw new IllegalArgumentException( + sm.getString("customObjectInputStream.logRequired")); + } this.classLoader = classLoader; + this.log = log; + this.allowedClassNamePattern = allowedClassNamePattern; + if (allowedClassNamePattern == null) { + this.allowedClassNameFilter = null; + } else { + this.allowedClassNameFilter = allowedClassNamePattern.toString(); + } + this.warnOnFailure = warnOnFailure; + + Set reportedClasses; + synchronized (reportedClassCache) { + reportedClasses = reportedClassCache.get(classLoader); + if (reportedClasses == null) { + reportedClasses = Collections.newSetFromMap(new ConcurrentHashMap()); + reportedClassCache.put(classLoader, reportedClasses); + } + } + this.reportedClasses = reportedClasses; } @@ -70,8 +119,24 @@ public final class CustomObjectInputStream @Override public Class resolveClass(ObjectStreamClass classDesc) throws ClassNotFoundException, IOException { + + String name = classDesc.getName(); + if (allowedClassNamePattern != null) { + boolean allowed = allowedClassNamePattern.matcher(name).matches(); + if (!allowed) { + boolean doLog = warnOnFailure && reportedClasses.add(name); + String msg = sm.getString("customObjectInputStream.nomatch", name, allowedClassNameFilter); + if (doLog) { + log.warn(msg); + } else if (log.isDebugEnabled()) { + log.debug(msg); + } + throw new InvalidClassException(msg); + } + } + try { - return Class.forName(classDesc.getName(), false, classLoader); + return Class.forName(name, false, classLoader); } catch (ClassNotFoundException e) { try { // Try also the superclass because of primitive types diff --git a/java/org/apache/catalina/util/LocalStrings.properties b/java/org/apache/catalina/util/LocalStrings.properties index 012a9dd..ac37457 100644 --- a/java/org/apache/catalina/util/LocalStrings.properties +++ b/java/org/apache/catalina/util/LocalStrings.properties @@ -17,6 +17,8 @@ parameterMap.locked=No modifications are allowed to a locked ParameterMap resourceSet.locked=No modifications are allowed to a locked ResourceSet hexUtil.bad=Bad hexadecimal digit hexUtil.odd=Odd number of hexadecimal digits +customObjectInputStream.logRequired=A valid logger is required for class name filtering with logging +customObjectInputStream.nomatch=The class [{0}] did not match the regular expression [{1}] for classes allowed to be deserialized #Default Messages Utilized by the ExtensionValidator extensionValidator.web-application-manifest=Web Application Manifest extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: Required extension [{2}] not found. diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 63b5662..def6a13 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -254,6 +254,14 @@ mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt) + + Extend the session attribute filtering options to include filtering + based on the implementation class of the value and optional + WARN level logging if an attribute is filtered. These + options are avaialble for all of the Manager implementations that ship + with Tomcat. When a SecurityManager is used filtering will + be enabled by default. (markt) + diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml index 3f1cafc..6051985 100644 --- a/webapps/docs/config/cluster-manager.xml +++ b/webapps/docs/config/cluster-manager.xml @@ -165,6 +165,28 @@ Set to true if you wish to have container listeners notified across Tomcat nodes in the cluster. + +

A regular expression used to filter which session attributes will be + replicated. An attribute will only be replicated if its name matches + this pattern. If the pattern is zero length or null, all + attributes are eligible for replication. The pattern is anchored so the + session attribute name must fully match the pattern. As an example, the + value (userName|sessionHistory) will only replicate the + two session attributes named userName and + sessionHistory. If not specified, the default value of + null will be used unless a SecurityManager is + enabled in which case the default will be + java\\.lang\\.(?:Boolean|Integer|Long|Number|String).

+ + +

A regular expression used to filter which session attributes will be + replicated. An attribute will only be replicated if the implementation + class name of the value matches this pattern. If the pattern is zero + length or null, all attributes are eligible for + replication. The pattern is anchored so the fully qualified class name + must fully match the pattern. If not specified, the default value of + null will be used.

+ The time in seconds to wait for a session state transfer to complete from another node when a node is starting up. @@ -197,6 +219,37 @@ If set to false, all queued session messages are handled. Default is true. + +

A regular expression used to filter which session attributes will be + replicated. An attribute will only be replicated if its name matches + this pattern. If the pattern is zero length or null, all + attributes are eligible for replication. The pattern is anchored so the + session attribute name must fully match the pattern. As an example, the + value (userName|sessionHistory) will only replicate the + two session attributes named userName and + sessionHistory. If not specified, the default value of + null will be used.

+ + +

A regular expression used to filter which session attributes will be + replicated. An attribute will only be replicated if the implementation + class name of the value matches this pattern. If the pattern is zero + length or null, all attributes are eligible for + replication. The pattern is anchored so the fully qualified class name + must fully match the pattern. If not specified, the default value of + null will be used unless a SecurityManager is + enabled in which case the default will be + java\\.lang\\.(?:Boolean|Integer|Long|Number|String).

+ + +

If sessionAttributeNameFilter or + sessionAttributeValueClassNameFilter blocks an + attribute, should this be logged at WARN level? If + WARN level logging is disabled then it will be logged at + DEBUG. The default value of this attribute is + false unless a SecurityManager is enabled in + which case the default will be true.

+