Apache Tomcat and JBoss Web security flaws

Apache Tomcat and JBoss Web are two closely related components that have a large amount of code in common. This article explains the difference between these components and examines how security flaws affect them.

Apache Tomcat and JBoss Web

Apache Tomcat is a popular open source implementation of the Java Servlet and JavaServer Pages specifications. It is commonly used as a container to host Java-based web applications. Tomcat is distributed as part of both Red Hat Enterprise Linux and Red Hat JBoss Web Server. For more complex applications requiring Java Enterprise Edition (EE) features, Red Hat ships several JBoss Enterprise Middleware products based on JBoss Application Server, such as Red Hat JBoss Enterprise Application Platform.
Java EE applications often have web interfaces built using the Java Servlet and JavaServer Pages specifications. To support this, JBoss Enterprise Middleware products include the JBoss Web component, which acts as a servlet container. JBoss Web is based on Apache Tomcat, and a large proportion of the code is common between JBoss Web and Apache Tomcat. Therefore security flaws that affect Apache Tomcat often affect JBoss Web, and vice versa.

Security flaw handling

Apache Tomcat is a top-level project of the Apache Foundation. Tomcat maintains its own comprehensive list of security vulnerabilities that affect the project, noting the versions each flaw affected and the versions in which each flaw was resolved. Typically, security flaws that affect Tomcat are reported to the Apache Tomcat team, who resolve them in a new version. Red Hat then backports the patch to the specific versions of Tomcat included in our products, and ships these product-specific patches. At the time of writing, Red Hat supports multiple versions of Tomcat 5, 6 and 7 across the Red Hat Enterprise Linux and Red Hat JBoss Web Server products.
Tomcat 5.5 has reached the end of its supported upstream life-cycle, and the Apache Tomcat project no longer tests security flaws to determine whether they affect Tomcat 5.5. Red Hat tests all Tomcat security flaws against Tomcat 5.5, as shipped with Red Hat Enterprise Linux 5 and Red Hat JBoss Web Server 1.

JBoss Web is a JBoss community project, primarily maintained by Red Hat employees. Whenever the Tomcat project announces a security flaw, the Red Hat Security Response Team tests whether this flaw also affects JBoss Web, and if so ships patches for the affected products. Security flaws that only affect JBoss Web and not Tomcat are typically reported directly to the Red Hat Security Response Team at secalert@redhat.com.

Examples

CVE-2012-3546: Affected both Tomcat and JBoss Web

CVE-2012-3546 was originally reported to the Apache Tomcat project, and was resolved in Tomcat 6.0.36 and 7.0.30. The Red Hat Security Response Team found that it also affected JBoss Web and Tomcat 5.5. The affected versions as well as links to patches for all affected Red Hat products are available in the Red Hat CVE Database.

CVE-2011-3375: Only affected Tomcat

CVE-2011-3375 was originally reported to the Apache Tomcat project, and was resolved in Tomcat 6.0.35 and 7.0.22. The Red Hat Security Response Team found that it does not affect JBoss Web or the version of Tomcat 6 shipped with Red Hat Enterprise Linux 6. The affected versions as well as links to patches for all affected Red Hat products are available in the Red Hat CVE Database.

CVE-2011-4610: Only affected JBoss Web

CVE-2011-4610 was originally reported to the Red Hat Security Response Team, who found that it does not affect Tomcat.

Conclusion

Public discussion of Apache Tomcat flaws often fails to mention derivative works such as JBoss Web, which may also be affected by those flaws. Red Hat Bugzilla and the Red Hat CVE Database can always be used to determine which Red Hat products are affected, including products that use JBoss Web.