[SECURITY] CVE-2017-5648 Apache Tomcat Information Disclosure
CVE-2017-5648 Apache Tomcat Information Disclosure Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M17 Apache Tomcat 8.5.0 to 8.5.11 Apache Tomcat 8.0.0.RC1 to 8.0.41 Apache Tomcat 7.0.0 to 7.0.75 Apache Tomcat 6.0.x is not affected Description While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.0.M18 or later - Upgrade to Apache Tomcat 8.5.12 or later - Upgrade to Apache Tomcat 8.0.42 or later - Upgrade to Apache Tomcat 7.0.76 or later Credit: This issue was identified by the Tomcat security team. History: 2017-04-10 Original advisory References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html [4] http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2017-5651 Apache Tomcat Information Disclosure
CVE-2017-5651 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M18 Apache Tomcat 8.5.0 to 8.5.12 Apache Tomcat 8.0.x and earlier are not affected Description: The refactoring of the HTTP connectors for 8.5.x onwards, introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.0.M19 or later - Upgrade to Apache Tomcat 8.5.13 or later Credit: This issue was reported publicly as Bug 60918 [1] and the security implications identified by the Tomcat security team. History: 2017-04-10 Original advisory References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60918 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html
[SECURITY][UPDATE] CVE-2016-8745 Apache Tomcat Information Disclosure
CVE-2016-8745 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M13 Apache Tomcat 8.5.0 to 8.5.8 Apache Tomcat 8.0.0.RC1 to 8.0.39 (new) Apache Tomcat 7.0.0 to 7.0.73 (new) Apache Tomcat 6.0.16 to 6.0.48 (new) Description A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. Mitigation: Users of the NIO HTTP connector with the affected versions should apply one of the following mitigations - Switch to the BIO HTTP, NIO2 HTTP or APR HTTP connector - Disable send file - Upgrade to Apache Tomcat 9.0.0.M15 or later (Apache Tomcat 9.0.0.M14 has the fix but was not released) - Upgrade to Apache Tomcat 8.5.9 or later - Upgrade to Apache Tomcat 8.0.40 or later when released - Upgrade to Apache Tomcat 7.0.74 or later when released - Upgrade to Apache Tomcat 6.0.49 or later when released Credit: This issue was reported publicly as Bug 60409 [1] and the security implications identified by the Tomcat security team. History: 2016-12-12 Original advisory 2017-01-04 Updated information on affected versions References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60409 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-8745 Apache Tomcat Information Disclosure
CVE-2016-8745 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M13 Apache Tomcat 8.5.0 to 8.5.8 Earlier versions are not affected. Description The refactoring of the Connector code for 8.5.x onwards introduced a regression in the error handling of the send file code for the NIO HTTP connector. An error during send file processing resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. Mitigation Users of the NIO HTTP connector with the affected versions should apply one of the following mitigations - Switch to the NIO2 HTTP or APR HTTP connector - Disable send file - Upgrade to Apache Tomcat 9.0.0.M15 or later (Apache Tomcat 9.0.0.M14 has the fix but was not released) - Upgrade to Apache Tomcat 8.5.9 or later Credit: This issue was reported publicly as Bug 60409 [1] and the security implications identified by the Tomcat security team. References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60409 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html
[SECURITY] CVE-2015-5174 Apache Tomcat Limited Directory Traversal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2015-5174 Apache Tomcat Limited Directory Traversal Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.64 - - Apache Tomcat 8.0.0.RC1 to 8.0.26 - - Apache Tomcat 9 is not affected - - Earlier, unsupported Tomcat versions may be affected Description: When accessing resources via the ServletContext methods getResource() getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. The validation was not correct and paths of the form "/.." were not rejected. Note that paths starting with "/../" were correctly rejected. This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.27 or later - - Upgrade to Apache Tomcat 7.0.65 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html [4] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu+JAAoJEBDAHFovYFnnubgQAICDB8mbxG4KbSDT1YAcqjJd lToWRjRKVd0UzIaOZFUmqV0Ap7o181xMfQpSfGZSAAukF7+zTcX33O+cklTkZaw/ yjprJSI942enkWlGygiJxIH8DUadGa62iTMyhXmpqLqkD5ura5sSNEdzir7aEnUw P8vLdpmfbdUqNn9Qv1L27btm5+lU6OU+I8nBTB5ESyDxjhVrpc1d8GVcRaXh0mU4 56oeIAJg7O9ozXrIQa692K4pAV+VqZFb52Vwk3XiNENn0VjwM2W7PAqy+vtAfkLt wt5SDVjoXuCW1jBTjTU+hmxzDziN0WzgVMgFsSVZg0lyU/H837e/bOOmNVA1dfGD F6Ln40a1eYkZQ6eXK9SPmz36OnU/akM3+rcDEz9e9spvbe/c4oH5T3/yZwmsONSO 4G+9JyMCg/YKWl2+YIJSGGxO1khaLbXZvyvVwkpq0IzJZ/ZhTp7BQY+DYb4axVY3 QLBx6/XzoIRfLxf1lpvUakGw8P/0y2BPHRa+3b0WDJSElD4H6KAQd+q5vb1eyK6+ 0bNPLYd9AyxYwaIuZMk2WtT+pQO0R3Ao6mVBNFk8K/YJj7msMsS4feI76I2LYLT0 WCLKWb/noO8oPmjYk6a7AZKncT9nASN+rCfbXedw6F+COxfVjuddbttsGza2oH7o NKmM5mCdDfQztF3uOTnu =aYIY -END PGP SIGNATURE-
[SECURITY] CVE-2015-5351 Apache Tomcat CSRF token leak
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2015-5351 Apache Tomcat CSRF token leak Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.1 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.31 - - Apache Tomcat 9.0.0.M1 Description: The index page of the Manager and Host Manager applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to construct a CSRF attack. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released) - - Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released) - - Upgrade to Apache Tomcat 7.0.68 or later Credit: This issue was discovered by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu97AAoJEBDAHFovYFnnkOkP/353AyMvuZvUHx7MJS6QmthF ba5gOE0JprULz0VN9q6ilf1ZXE7myZiVxt0tWT9MvuQi+iMQUtarESxv/bnA1RSF QsUoxgb4Wc6whrWIZUSXU9Vag5e7Ar/N3con0jzMLyopx0DBnOWNKQE/pp9Q6NPI RRvOAWnq9nm3P9/D2x9AOl/LDaEFuPHW/GkfwuosNTLCRsWYqa1DN20cFnq/S8Iz +jPpjkYsfIOoodLcX2t4B92alC3fRNPgG4Q8iuhwj3Umsw44D5/gdbmcEeEtqB4C wYIQsyXdIA4JBSx44w8ihP+Z+pNt+MkxgXvhfGWu30JDELXRaXU0ItveeePTjRJR u0jC09frTLKG7UnbVxitV7CgvMtEU6zGjaJsfEQcsES6q4s9qCzHCbp9alqQnW1i 5ZvabdyAkZVfdRsgurI6RAI1R/s2mWmXlIFjiKiYt3Qeyqkg5cFBNHctEw/DREiR 6GA6xmk06uKXUzv0SZUuvadWqkJ2JwVmd5Doe5IaoK4K069Ab5EJQSG1qQcXv6G2 LsYK4L9s+Zcp+m10unFX4v1CB8UnVPKw33intlvE7/6r0yBOaigtFHqV+ifuUdOO bkENBx8Gp/HAx0VCpwhYP2AKkoSSqSOktsv/iBokWfIrsUG304uGoa3rWsAIcGCx I/Yy6rJBLqfrQj4qFtc3 =bm3r -END PGP SIGNATURE-
[SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2016-0763 Apache Tomcat Security Manager Bypass Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.0 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache Tomcat 9.0.0.M1 to 9.0.0.M2 Description: ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later - - Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released) - - Upgrade to Apache Tomcat 7.0.68 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by The Apache Tomcat Security Team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu+yAAoJEBDAHFovYFnnPIgP/j9nli2IrsZEyhDyJ6XqAcg9 AisYAv7iSQ63zLe27CERDdOS9BBFI9j+MwkabF0FzmTGxugLyRwpKLt8Y3BV/723 Jwgds8phJcOm5oouzblUBfx/HdFDRI8+J6q7CNoSh61yXatuKRe5upc51W9G8/Vd YS6b5XNqavBgvkQZudITIsr4N9vqxb+QVS9iMJfrACikgeq6QR6rwkJWAEcUYHrn RESKuCTPzw8yf1Q1C8Ar9BUdSx8MRFDHfV8stKmjQWslud0EOP5bObWXBsv9vrQ7 XNKVKA69Hp1Kk++ORHUPnv6B2bCRsD5mZmBwqcvi6jVMuVMKaiLgCqJqfXcJEb4+ D86kjsBCQchGWSsFEwzmoQI++wW60Mn5QRlibF90LHAJLfZLo+cCsOUZABqgv3+j xwA6HpR5ToMepO5CNcL76wDoBJDEPRXjIuVY6RhWnS7UXi4kuqp/qxtWBifn07X/ Ncbm5TWhf4ESnS5YOPMNefA5aDQJKRclymyXB37VxMwHdJ/zkY8uV48SeG9ACHNt KBaXiS7FiNKLWqbzZijsXM2a40benXn6ocxStyApF7h15k/8/pyyq4DC55TBMitK /L+RHHp9RAS+wP98xyYpFnuVI8/LkHSJwnLvTURDQlr1Fi/AJ5YIB+Y9GPE2sigA 90lXXPnmrbSsQR10jD/j =5LII -END PGP SIGNATURE-
[SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2015-5345 Apache Tomcat Directory disclosure Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.66 - - Apache Tomcat 8.0.0.RC1 to 8.0.29 - - Apache Tomcat 9.0.0.M1 - - Earlier, unsupported Tomcat versions may be affected Description: When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash thereby confirming the presence of the directory before processing the security constraint. It was therefore possible for a user to determine if a directory existed or not, even if the user was not permitted to view the directory. The issue also occurred at the root of a web application in which case the presence of the web application was confirmed, even if a user did not have access. The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect could cause regressions to two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. However, due to regressions such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled was later changed to true since it was viewed that the regression was more serious than the security risk of associated with being able to determine if a web application was deployed at a given path. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released) - - Upgrade to Apache Tomcat 8.0.30 or later - - Upgrade to Apache Tomcat 7.0.67 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by Mark Koek of QCSec. References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html [4] http://tomcat.apache.org/security-7.html [5] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8 kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e HnSzWGDdd63z0ixY0g2I =6UrH -END PGP SIGNATURE-
[SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2016-0714 Apache Tomcat Security Manager Bypass Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache Tomcat 9.0.0.M1 - - Earlier, unsupported Tomcat versions may be affected Description: Tomcat provides several session persistence mechanisms. The StandardManager persists session over a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The Cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released) - - Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released) - - Upgrade to Apache Tomcat 7.0.68 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by The Apache Tomcat Security Team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html [4] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu9PAAoJEBDAHFovYFnnllEQAMj38sm4FeeXJ2XOK/ODpj2J SLK0VMib2gjRmMfuH15OPyYBIHPaWVD4E3ONiLz/2F9oqVAYfvswQnLfNrJ9k8oF K+ETBoWfyODb8QddYQOd3JpDslrOLPscve6dgnkx/R8hZSPOvsmo8IIG4Bwh5VQM rkAct8EFGpVuQ9ou59F8xSx7fhRMHhNKt8XwsuBIj43MwFv5P8rHhNJDbgC8hSP7 w8yKwrQ7alfeuzwQPegf11YEcauPog4TnD3JAuufcuPQefvDHRAIoKNRCwyvFbRC rVHdsV5AehWaKKHj9Yu2IJB88s+0wXWlH01hG+wYl1jSVxs3CHhhP0FS55vwItWP Igl26iz33esPlzQaVyWf5jOUOYfF0tZel4bDFcQrIQASJKS2vxCuOBgUhr+bReMD I8W1A78EdGXm5IGqmPqHNXn+qAQKfs352eVFiS4vM+5n6wdVThxRzTIt/Op0iz8k rOIm05kkZQedh7utUy4iW59MKHr9xGRQRI1r4/sdKHDIRSlzsfzJVrATqqLPxukg QhG3LL0fO+kKLb526GZOlTaAcT7hM2wdYkLytiUItpMUR8ZfozqIS/nRUPmCfDgW 8QFRZEYIgETUYELbnj9chx0NJOkSH9OICV1U7EergsKsdpXN8uCDRy609ufSPn+W M6wXyzp1l4aE2hnn22gZ =OQbe -END PGP SIGNATURE-
[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2016-0706 Apache Tomcat Security Manager bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache Tomcat 9.0.0.M1 - - Earlier, unsupported Tomcat versions may be affected Description: The StatusManagerServlet could be loaded by a web application when a security manager was configured. This servlet would then provide the web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications such as session IDs to the web application. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released) - - Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released) - - Upgrade to Apache Tomcat 7.0.68 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by The Apache Tomcat Security Team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html [4] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu9qAAoJEBDAHFovYFnny/0P/0VtkiCt56FeS3I42BlvjAne w/oqurmk/XoF/gof+VYxYuNOXMIwvgyGMjj21kZf+n2DjINXLHp9VFZ/APeSJ8kL XcnTL1EBK1JBdxsieIhGAfLMeDO04wO3uuorJHwJIBbl4ymh7N4A2fgciKgCmNyB y22TPT5Hz7iFCU8Ij6xsYJERpveUrenenAqbgjdcpILydbBoTqmZtZtWmPOFki90 cZo/2D0Av4H4SKh1PuCkzjk2DFXfyXcq+tDaX8dizPinQMQsbAX63BoYy5LrfWrJ epgY9Q0QziOyp7b5Z72AjQ3RJR7yZS/iT3wb37jceI3Dq/mpkWFggqEGkSpFdGX7 AhoqVXjFw9eakjst0k5LZ29+dD8Fqz+2umXlRwelsxInLNgDk67Z2XehqkWWb85b 64PFh3ZYj/8CxxV6ErGq0bBhpCsNHZffEzOT/Ebldjn/afHajne3Yd9SZEbbZO3U ejCSG2UziJ4t4mygnGyWaRCgKtjCrejzDZYicOICJEDE8enaPbNs0Ka8lR8fh21y U3avzYIu7MosqvqoEAleMkjXySWSufqGF0ugbtsZx1lisl9Zax0LfXbq5sLmdNMS fXhxu/1RfHfPS7NUP9YYs5OdWxCxecD/kiaxc3ArVVPdgAMSwlEyI59gSD/y7XPd fitNMHbOMz6qG/uxVfH0 =6KO+ -END PGP SIGNATURE-
[SECURITY] CVE-2015-5346 Apache Tomcat Session fixation
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2015-5346 Apache Tomcat Session fixation Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.5 to 7.0.65 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache Tomcat 9.0.0.M1 Description: When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released) - - Upgrade to Apache Tomcat 8.0.30 or later - - Upgrade to Apache Tomcat 7.0.67 or later (7.0.66 has the fix but was not released) Credit: This issue was discovered by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyu+WAAoJEBDAHFovYFnnNasQANmHvs8L9RvbPSPvmR8sT9rc nfoC64cVqVFx6G99+iskQ4SKL00zZk10gCNKvwu6aBW8Dv7U+sqoo09vtIVJ9qvD 9qBIaZMfnqMxMaHtonUj8E1/9GryquYNj7pWMf0tut2/RIvQq8/1tAtTgrzjVXG2 qtpB/ECBHQ53tJuPxRDakgav17Ok90DbAO4rsSdmCUwUg8NEYieNb6RG4eRSvuav ffE2zaicXIHWLdnVEMpOWtum76+GMfS5B+zd03/OQmiJy+arVvGwyrn1ydKZI1JI 7gQT97SgLlI3iGtK3tc4S56tNQ9+K2oMp2B0qAceNG9MWimED9sC1aXoAARacoYI c+cZdnhiRxsYycEdTXbNqhat+se6vKeXqgrsrr3CbNmaNl6siRZD/d+9PbmXh+0z hHSC9tmG5ZAO3vS4wwHX+9qZlfdcQ2zAZnAnRZKtuRMgDphP+wszain4p+U82TV9 eshrfHzzN4R0kuBWXkl4Pf4KQd+ZCVmp8efXFcyXK2fV7FUmLRvwtZ43EPa77tRI egiZcN/WEqGHODKNr/AGQYuiuEU7gm3hqnJlgDLpPzKF2ptkLcEh9/HYcW9yI1Kf x+fKtcfr6jGjJRxFw5PRsHEO8ToE8w38mPmeLzQH3WRcoc+g5+BinbIe/fwMsVPM cAK/Ln4UhXIcIM1f7h5M =is2n -END PGP SIGNATURE-
[SECURITY] CVE-2014-7810: Apache Tomcat Security Manager Bypass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2014-7810 Security Manager Bypass Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.15 - - Apache Tomcat 7.0.0 to 7.0.57 - - Apache Tomcat 6.0.0 to 6.0.43 Description: Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section. This issue only affects installations that run web applications from untrusted sources. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.17 or later (8.0.16 has the fix but was not released) - - Upgrade to Apache Tomcat 7.0.59 or later (7.0.58 has the fix but was not released) - - Upgrade to Apache Tomcat 6.0.44 or later Credit: This issue was discovered by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJVVKsbAAoJEBDAHFovYFnnTkYQAMos6+1kaJ+d+h0oGeiG7CDV PxcQ/AS0LdqXZuC92dXYNv+eQTB+pD0N9ePIyIMwsyEzeS2KGyOw5R8Klsro6lcq eYKH8Tv7egIzKO9dRCqhyWTytl73KPf0h6z4nnVHr/rTJ2/7pJX6x+7fjey5jcO+ G7kCQErj6bnNzgeMM/mLLVlM7YYrbA5hbQgplCdgRO5NpxaL+3raaJ19/gFZKjP3 Mqgwg/6uopkgxTFRh8Fprj6tdoPBXZ6Vxy3qJmcuOCt0yktaypqFPLTH+JM6pnme 6/Mdk4u6PhKyGPPlmvrub0priFl32tEyJNBkghHJd2QkYkZrM6t3wcOsgUawPJxZ hJrq+nJ7CJ3FUzcj9o05M4Q/TJ7seOurhPXF8YMIPn7ibrSb1Eq2Y0yZe/NGij/k dOZX5m3I62HeS1zjCIcIhKx9i6ZFTvfoe8/bF6/LPgAqfy2AB8+HBrRGVfqUh/QB w3AdDX7BxDWJKVgz9YknJG9keuR0tLV+MOI0M0LS9LHj9wAiunmq/+x03ZUX+coc btTrKnSuZq5sjmX5Xj7rilrSlq1GftGMnQyxOHiIzjCR9b59yS/BX/OkprrFXIAM Nd42B7vxWubKuOhXlyMlDt4QpnM3RsAFaD3irNc3LAQ3kpdtvsinExr3VaCvIcJ1 IETAzUe85oPF2HojrJDu =2DTj -END PGP SIGNATURE-
[SECURITY] CVE-2014-0230: Apache Tomcat DoS
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 CVE-2014-0230 Denial of Service Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.8 - - Apache Tomcat 7.0.0 to 7.0.54 - - Apache Tomcat 6.0.0 to 6.0.43 Description: When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection. Note that this issue was accidentally disclosed by Red Hat Product Security on 9 April 2015 [4]. The Tomcat security team was made aware of this disclosure today (5 May 2015). The information released on 9 April 2015 contained a number of errors. For the sake of clarity: - - This issue is not limited to file upload. Any request with a body may be affected. - - This issue cannot be used to trigger excessive memory usage on the server. The additional data read from the response body is not retained - it is simply ignored. The intention was to embargo this issue until after the 6.0.44 release. Unfortunately that is no longer possible. The Tomcat team is working on a 6.0.44 release now and we hope to have one available by early next week. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.9 or later - - Upgrade to Apache Tomcat 7.0.55 or later - - Upgrade to Apache Tomcat 6.0.44 or later once released Credit: This issue was discovered by AntBean@secdig from the Baidu Security Team and was reported responsibly to the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html [4] http://www.openwall.com/lists/oss-security/2015/04/10/1 -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJVSUnRAAoJEBDAHFovYFnnxFgP/38LAZosd36MzvWvBNQSeJmi QRIm432bbUwVevjVXKKO27oxrL+DUBkesCc0XslGVu0N3gTqzhce2DJXIetpnl04 wV2S88F29jAfRatz65WEbj17gdlP6IobTWzFIyQlfjRxmY97AQQOwRdd/j6P2LMR vD+thwLccbs9kxTn+MVyQu6W9a1R1Hy3fARdMlfZVchj32jCn3kD37IXF/JLPFso btBZBt/jEqIb8uq0ZiVUDx5ErvVH5O/AAfxCEh9pfZdl4vIG7SU1KB2iTnyzdat9 Hz0jXc8WFIu3BKY9t2VI/1wUJzGHy8Xzxt4IGjTzy0EQKTI96pXAi6XsQ9AiaHVP IAtgnEtpjk89qi8YWYoeyLsmpdeUSkCqOTYImn8/2gnrJAtS96SzvE1nBdxpI4O4 f7s2cU4PAnvf9rRvO1SBIb67VYdwB3coAMMtuOodXmjES2xK2xniGVXpIB0RjAyf /ds/syVsbVZ2LK+LGOsxGR3Rz1dBIanlJ5Tm3fudp9XlfkLhr7Lo04iSRXKDjeIo ERXDu0zblaMs8KOfP4vg+kAz4Ih86R+vG7xVwQ9Zjoae/t/lAWqwqQeOewC2+esL qeyZc4J+TO6rcANQ099Iu1iBUN2T3Vd5t7ZPIFDtLSrDVSjnLz6hkltBHBD1lVOl 7nKmBsFyuQyGSHHZ4dN9 =AfA+ -END PGP SIGNATURE-
[SECURITY] CVE-2014-0227 Apache Tomcat Request Smuggling
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2014-0227 Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.8 - - Apache Tomcat 7.0.0 to 7.0.54 - - Apache Tomcat 6.0.0 to 6.0.41 Description: It was possible to craft a malformed chunk as part of a chucked request that caused Tomcat to read part of the request body as a new request. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.9 or later - - Upgrade to Apache Tomcat 7.0.55 or later - - Upgrade to Apache Tomcat 6.0.43 or later (6.0.42 contains the fix but was not released) Credit: This issue was identified by the Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) iQIcBAEBAgAGBQJU2HoOAAoJEBDAHFovYFnn/3wP/A3qNw/M6hrPYGtZJGtHmb3b B7VMHvhW18nTVUIuS6pg/FIcLg//dRpzzosHGAygGZJRTqW6am3TF9IEGrtaqXED 3cLbIUcIlay8grokG5Ci4fduZ3pouVA8/xbWTW6ND0KORAAsCeeIVVs3+/IdyBrM hRMST00A/ryXEBCzUdVATjd7bpdOAnRW/lSUI5/Ap+zQN1SR6rBdF224UaWRiZrr 4t55ZnStDQ10OT5a8R/uSZAftnRD3wRzOCquYHA7PbzpjDDmwbz00BQWErmlmgs/ ElN9Dmdn+/dFaaU9AGOLEhsse3KajfjgdWVXRoB2BJW3/GFgPT9vcHswINEgAZtp HoNFavmlZr0bs+1YdSEx8qtitB6Wr4QiwWYzfwLMhZ3qx6g0NSTMY6g+JH7BVIOL 3xGf1B42LidgMqqpcyddLW3HFICRI6wX1IgK+rF8Obaga6UOCHgmCKTL4YBxe5XK +YqEgH3HE1jwTL04FGsVMSAUIx4Z5wkm0rXsf3emHsyDytFQOyrJqI8AdGVMyOwO ZEjqwFDCjW36I2YsoE4HffO/ZnTxJrZzOZOXXt7N7zfFfxXsJsSuBBM3il0VIPyB AdmOl1RoeGx5Gj2WGIgXjPLCcOHaNTobClasFMvuzgPmxIHPViT1fhM/M41cre8M v3iXCWFfOe15UtdBy57w =BK1a -END PGP SIGNATURE-
[SECURITY] CVE-2013-4444 Remote Code Execution in Apache Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2013- Remote Code Execution Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 7.0.0 to 7.0.39 Description: In very limited circumstances, it was possible for an attacker to upload a malicious JSP to a Tomcat server and then trigger the execution of that JSP. While Remote Code Execution would normally be viewed as a critical vulnerability, the circumstances under which this is possible are, in the view of the Tomcat security team, sufficiently limited that this vulnerability is viewed as important. For this attack to succeed all of the following requirements must be met: a) Using Oracle Java 1.7.0 update 25 or earlier (or any other Java implementation where java.io.File is vulnerable to null byte injection). b) A web application must be deployed to a vulnerable version of Tomcat (see previous section). c) The web application must use the Servlet 3.0 File Upload feature. d) A file location within a deployed web application must be writeable by the user the Tomcat process is running as. The Tomcat security documentation recommends against this. e) A custom listener for JMX connections (e.g. the JmxRemoteListener that is not enabled by default) must be configured and be able to load classes from Tomcat's common class loader (i.e. the custom JMX listener must be placed in Tomcat's lib directory) f) The custom JMX listener must be bound to an address other than localhost for a remote attack (it is bound to localhost by default). If the custom JMX listener is bound to localhost, a local attack will still be possible. Note that requirements b) and c) may be replaced with the following requirement: g) A web application is deployed that uses Apache Commons File Upload 1.2.1 or earlier. In this case a similar vulnerability may exist on any Servlet container, not just Apache Tomcat. Mitigation: This vulnerability may be mitigated by using any one of the following mitigations: - - Upgrade to Oracle Java 1.7.0 update 40 or later (or any other Java implementation where java.io.File is not vulnerable to null byte injection). - - Use OS file permissions to prevent the process Tomcat is running as from writing to any location within a deployed application. - - Disable any custom JMX listeners - - Upgrade to Apache Tomcat 7.0.40 or later Credit: This issue was identified by Pierre Ernst of the VMware Security Engineering, Communications Response group (vSECR) and reported to the Tomcat security team via the Pivotal security team. References: [1] http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJUEFl4AAoJEBDAHFovYFnnR3cQAL034ZrbUeBcJ4zotNp5+ea2 llNatC3MUlg/vZ2qG8Qo4xxbdS4F53cpu90fFhKm+dFzIiRhZeHROYDv6Lu1biSu Nvq0YXV6KVJ9Js4G6HFilhy3vownvn/hMAjzmPojSYjWO5slXNfFvAlwyRrGt0Cp t5rUh4QNavhgO4m0HXJJLg+PNlSKsnGdra+0gWmq8YKtKotgu24SbPq/p3HP7TuJ nnMjx4A6r2LcoghL/nFAPp2ZwgBCtm67osObJ1uMxYhZ2I/3MztFYpSKvfVONuUK rL265wmrKLvvDdozd/Aw2d2poXdSO/oWeuhKbbzYOxpUT6iRzf+BkPUR99e6Rqso lOfLoAYuzYfK4rW/ooxVNKnHMhs+0BVfNZoclKCDSvz+a9dIVS5XD6KcyJQ3uv12 ujyTGaGhLuS/ciAVS372Dx8H0/mfd5nZCkYL6NDyzSWSmb5eG4XxqrLi77yByvAT ulSAyg1UWk8sRgQ4AY3belH3jDiN1rHSWJAaB+WVwszQdCe4iXgDyB1u4ES22oAN Ymrg5l7tLQ8/9LyMvlQ0tE4f+OYE6kki6e4JMc2cMqPL/rcjiUnLWZ7YUyx92RM1 LRt9QhMd1h3Uwle7a7LxqJCGf/rIPwRmrjTYYWt43np1Adx7y2RuZOTDjEY98sN3 oCLjuSCalVcBX9hGaJ7n =98BB -END PGP SIGNATURE-
[SECURITY] CVE-2014-0075 Apache Tomcat denial of service
CVE-2014-0075 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: It was possible to craft a malformed chunk size as part of a chucked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: This issue was reported to the Tomcat security team by David Jorm of the Red Hat Security Response Team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure
CVE-2014-0096 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: This issue was identified by the Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2014-0095 Apache Tomcat denial of service
CVE-2014-0095 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC2 to 8.0.3 Description: A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the request. The hanging request consumed a request processing thread which could lead to a denial of service. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) Credit: This issue was reported as a possible bug via the Tomcat users mailing list and the security implications were identified by theTomcat security team. References: [1] http://tomcat.apache.org/security-8.html
[SECURITY] CVE-2014-0097 Apache Tomcat information disclosure
CVE-2014-0097 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: A test case that demonstrated the parsing bug was sent to the Tomcat security team but no context was provided. The security implications were identified by the Tomcat security team . References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure
CVE-2014-0119 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.5 - Apache Tomcat 7.0.0 to 7.0.53 - Apache Tomcat 6.0.0 to 6.0.39 Description: In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XMl parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.8 or later (8.0.6 and 8.0.7 contain the fix but were not released) - Upgrade to Apache Tomcat 7.0.54 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: This issue was identified by the Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html
Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure
CORRECTION: This is CVE-2014-0099 *NOT* -0097 Apologies for the typo On 27/05/2014 13:46, Mark Thomas wrote: CVE-2014-0099 Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39 Description: The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. Mitigation: Users of affected versions should apply one of the following mitigations - Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released) - Upgrade to Apache Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released) Credit: A test case that demonstrated the parsing bug was sent to the Tomcat security team but no context was provided. The security implications were identified by the Tomcat security team . References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html - To unsubscribe, e-mail: security-unsubscr...@tomcat.apache.org For additional commands, e-mail: security-h...@tomcat.apache.org
[SECURITY] CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.33 to 6.0.37 Description: Previous fixes to path parameter handling [1] introduced a regression that meant session IDs provided in the URL were considered even when disableURLRewriting was configured to true. Note that the session is only used for that single request. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released) Credit: This issue was identified by the Apache Tomcat security team. References: [1] http://svn.apache.org/viewvc?view=revisionrevision=r1149220 [2] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTDHw3AAoJEBDAHFovYFnnNM8QAJZRox6JZVDSygO8ddp3S9Gp FADhlqFpusDGkhO/4x+5UNaZ6nci2CVHYbVftsvxyZrsEZbmJk2rcQIcwwRtwtgj ZTG7Vt2v5Z+PqAeFSI+7rXsaumqD+itV2M/S9o4sPjsNSHoJ4+a00S8cYs8XBG5Q bnibxMGHbJi/ew037CTxvlZhPTM2Fir1YDwfagbNJvTbU379fg+NjZXJRa7AzWLW 46mFtRh7/PlYV9GP2rfy+l603Zgz/u9oiBAuXWkBqccUbSsgmauFJTk5jMnwF+By PHCsbe/ptkxEqlIkUYKBv4LPlJB5rjrvTcknrwXrx6WE79pdi37rd20nwuoIuCj5 kkZkrGIKUp029BGgGe+vVnJjjWcGuCsieyDMzvU/quNE9MX5oK5SEB+20QpZvQ6v PuAtv+h8DSvwYKlmGBoepztjXLUCfptlHu/txw4mYJhWTttaoA3mDkYoQNLpd90O N0lZJ04OTGDpRUiUNM1//Rq+MPaN5nwM4TNQiSY7c6su8C/ol3XYBCoBIYZPgxXk DbgD7B5ubOl/HDVzkpJifgbvX9EcrseZq62UV2Gh1ngw6QEY+XANCFE+7xX4/glt h6F3/9AEPuppeohboG0tuR6B0BDF5lj8gEUAHl4YdAgR6uem34QULxDMMnu7ULif 7gsVJdXCzt8BS5Znvhsp =HGNG -END PGP SIGNATURE-
[SECURITY] CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service) Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5 - - Apache Tomcat 7.0.0 to 7.0.47 - - Apache Tomcat 6.0.0 to 6.0.37 Description: The fix for CVE-2012-3544 was not complete. It did not cover the following cases: a) Chunk extensions were not limited b) Whitespace after the : in a trailing header was not limited Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.0-RC10 or later (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released) - - Upgrade to Apache Tomcat 7.0.50 or later (7.0.48 to 7.0.49 contain the fix but were not released) - - Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released) Credit: This issue was partly identified by the Apache Tomcat security team and party by Saran Neti of TELUS Security Labs. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTDHxCAAoJEBDAHFovYFnnAtcP/0U8NgjCuhFBps1tAIqAa+ty nLMYz3rgxHcY9ClWrJEBgGiIGb2wDQfylNsWR67PF/ue6yhLf+Bu5xs858Thr8V1 98ODkrQemNc9dcIdLJaRcSo05vzNCEN3v4vR9cpPpQpW8TB9y8L1HXmZEiGkM7ZD nwa6E6GDJizkwR+3Qs11r3tAxNAHPn611EYajYLf7+4vPLqgV4GOx2/D7ol/wTm0 3BM15VZjTtlHqrtghUOdXYEzoXwR9BKMVoMtED3e++5i0vCuvvLToxTJ6jI/QjjE UNm/hrfZK5ro3d+rzjOboLXIooAksK3A5UXxlvRi26ZgP3Nd0y8dN925WWfg2jXX V1saa+42vpI6g4NcINIbFnBqfPdM/xKSIuyyXDmmTF2rUHQftcToLikzmSDZlm4c edTyL+A4FcbEq8uymXwE/iA9KKa3PDcZheUw07YALp9JhFI6rfQT472cUavfNcGy h0nxkHg2hU4yUBPm2PSyoTAokkjhDgRvGgX0hA3ljSi0SpHyTwPfoUIwUb+Emgmb Vk00OJRJGtZs/GAL0TCd+LW96664Tx9oAqvgcLA3dZwLk94ivD5SC3Rl9xlyd4lF cgLCOvzwxHcAh7syNd8orWjmyZsJ1vVqGoL1waK1hl1AQNxoJRfDixSlNjchpBxO tCLvVC7UbgC0PFda+7kL =Hzxr -END PGP SIGNATURE-
[SECURITY] CVE-2013-4590 Information disclosure via XXE when running untrusted web applications
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2013-4590 Information disclosure via XXE when running untrusted web applications Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5 - - Apache Tomcat 7.0.0 to 7.0.47 - - Apache Tomcat 6.0.0 to 6.0.37 Description: Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.0-RC10 or later (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released) - - Upgrade to Apache Tomcat 7.0.50 or later (7.0.48 to 7.0.49 contain the fix but were not released) - - Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released) Credit: This issue was identified by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTDHxJAAoJEBDAHFovYFnnyWAQAIoducHGYKhqCCq7SbbkeUxC 2y8HxdYKo0T/AfolZoTlFInPnVDG8cvoPjEKO7MVzmWJaXjH4lOPYWAzss/N5//M SCczevb1CSmw+m6d6TWs5YeJSGdJdEZuGjIo4GBTLYymUGPB88JdbeeIDvsVeWIx agPaXN80aNady+uPbbpPh3mLIRchi00Ui7vI+0eWMVzcOED1MsvNiPyaGk7eHIhQ nAoiG1QqY68yps1i9lTL1y5jaTklhf6Rh0BKRHA5oLBC2XH6vzKfVw4DVbYTDIve N74s4BssSCMgKDzIGG1zwvU6EdLrHW+NVmfKDey+D0j6THT3rTPiQC4QVjZfVY0u YLuLkX/kobjV2ESgXj7EBTzxuOB/F+bweZ4PfdSV723ggQclwotzLQvEfKkcc4WY taYl4D33gL55QvCsKCCDYbCZklZxOyQ34mly70064tOEFE/nuSq5hIS887Jh0WW2 5pDweW2GZxjXMPAs3sFpmx2UW8VEepxYOhVla/9O+AseHePlyjihEekpB+83Gotk YAFCpCrkXLX9i2B/LW65DYJYUycW+s6j1kQzGyJmsF0ff45airKhrcHvBLtPGm4B dhY5hLhaQh//eJvJlNoAq2QfDEiPEqR5Ks91mhkp+4JBP1ubMyGbQo/Di0jShoJR dwR7dpwk2mIO/l6BnAv6 =hR9C -END PGP SIGNATURE-
[SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure) Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 - - Apache Tomcat 7.0.0 to 7.0.42 - - Apache Tomcat 6.0.0 to 6.0.37 Description: The fix for CVE-2005-2090 was not complete. It did not cover the following cases: - - content-length header with chunked encoding over any HTTP connector - - multiple content-length headers over any AJP connector Requests with multiple content-length headers or with a content-length header when chunked encoding is being used should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used and several components do not reject the request and make different decisions as to which content-length header to use an attacker can poison a web-cache, perform an XSS attack and obtain sensitive information from requests other then their own. Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.0-RC3 or later (8.0.0-RC2 contains the fix but was not released) - - Upgrade to Apache Tomcat 7.0.47 or later (7.0.43 to 7.0.46 contain the fix but were not released) - - Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released) Credit: This issue was identified by the Apache Tomcat security team while investigating an invalid report related to CVE-2005-2090. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTDHw/AAoJEBDAHFovYFnn8HgP/107ixjTiS7es6ka2fXl01Ag A2GUdevvgKXrbgtY6nVS1Sx65GZcG1k5Knpn6Cwg31dtipnEJmuk4+ScVlA43Jjy 8UpQbI0zm0oCgIRV6lRuYGn1kz5p7cSEF+s36QOAMym3qKNJ3YZn+pALVLgmF+D8 k7Yqe3Fwih68sJm3GRStZ9zlt5s7NNfHzSfnIe4wSyleA8xyK98Xa/8tlr3p0usK J7V5Dz1VSmi8TRpzXUVl8cWjQrD+tCZOWrrBgkWs2oj/TXiVZfiAA5Cv7p1F7HoJ ElF7dny5PJIFdAK3TU5WAkXRQJk2yp0FNv0YRSJGx4OLsiv+IrIXpVR4K12Hmc0n T4RzqyhfB7VGtxrLC/PpC6hoqd+LkuT6uJJA8lcfc+F51UWSHtOV5iW0h2kC6olu s/SKsljDOzx5L2nMdFGqs49cV4uIC8CFC8yP84EJO1gyRqyABxw3LwzUZvdMJ1Sl 29QM3vpMc3EypKXEZWe28Wbr7cZLK2oJt7pSF1DoPF/8DStYYhqztooKCyXAhjum 6Juf3C+w3HvaoR2YyIu5ZhbcGqkt0GHL+ZfvyPVcIFv+TeSYejmus0zdvQGWmnep Fgsdlbz2dUg7ncvmj7LYwCv4U6yj2oYUgMaVrocNVB8bSg0qMnfByg0tc4h8XzDv kNN3kqRWjmDaE37ZHywC =YF3X -END PGP SIGNATURE-
[SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Commons FileUpload 1.0 to 1.3 - - Apache Tomcat 8.0.0-RC1 to 8.0.1 - - Apache Tomcat 7.0.0 to 7.0.50 - - Apache Tomcat 6 and earlier are not affected Apache Tomcat 7 and Apache Tomcat 8 use a packaged renamed copy of Apache Commons FileUpload to implement the requirement of the Servlet 3.0 and later specifications to support the processing of mime-multipart requests. Tomcat 7 and 8 are therefore affected by this issue. While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators. Description: It is possible to craft a malformed Content-Type header for a multipart request that causes Apache Commons FileUpload to enter an infinite loop. A malicious user could, therefore, craft a malformed request that triggered a denial of service. This issue was reported responsibly to the Apache Software Foundation via JPCERT but an error in addressing an e-mail led to the unintended early disclosure of this issue[1]. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Commons FileUpload 1.3.1 or later once released - - Upgrade to Apache Tomcat 8.0.2 or later once released - - Upgrade to Apache Tomcat 7.0.51 or later once released - - Apply the appropriate patch - Commons FileUpload: http://svn.apache.org/r1565143 - Tomcat 8: http://svn.apache.org/r1565163 - Tomcat 7: http://svn.apache.org/r1565169 - - Limit the size of the Content-Type header to less than 4091 bytes Credit: This issue was reported to the Apache Software Foundation via JPCERT. References: [1] http://markmail.org/message/kpfl7ax4el2owb3o [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJS83P8AAoJEBDAHFovYFnnbOwP/0m80St7x63n6VCiR0aGuGLz /J004spHfbc+vtg2RumObBTX6mSfvPgO2R4FzE17Etg8QtWreoxb7kjnVXUwjdMX nb3Yt6IY1yBW1K+YcZRziOQXkRnnjnpC7Lh2o5eqpJ1S7wpXl5PBIXYSxMAsJCuv axFA0aq5cc17uDAH1z6DPk4149oZz2lHdlBUTTkCh/0PrvcIFxwpej75gUfyaV0y DGZLs3IpRYcJMS131q72DUt9wBsIqJN0mqUOq2svBS3mlXBcKDjy21b8QiEr8itK UqwsYUtOZP4nZ4u8j6euxF2fC/ivm/930OGOl9pn2SbkoHJKm/4rz2GYDA9jq07K XEDeGdTx3ZuDaTaBER8xquETRZ/Rb8dbBxQwzmo6doJNOjsMQFlR+1F+p56AhYd0 klbT6Q7i/Ic3BdRJkUpaYshhtXeAOnH+0u9j4kRXMgJbkMgOacopomFX6HoXr9/i RHGbwwSZViLooR88Yg0FU2230+9mJLXxaJ6usHrtq4dS9ElSV320OCyisNjMX5hi 5SFYMSy+z0nsK2O6yCzlukztoFhvaNecvy3I8w5EKytweyFlPzxXn6QpQjG+ffb5 ql7TZRrApiaewp4crzBcZSAjDzRNiQpcI2xTTN/H9u/yk8lrhOULi4pljKCudvmM eIWblFdpoPVl0iqvsXA9 =uzLf -END PGP SIGNATURE-
CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.39 Description: Bug 54178 described a scenario where elements of a previous request may be exposed to a current request. This was very difficult to exploit deliberately but fairly likely to happen unexpectedly if an application used AsyncListeners that threw RuntimeExceptions. The issue was fixed by catching the RuntimeExceptions. Mitigation: Users of affected versions should apply the following mitigation: - - Tomcat 7.0.x users should upgrade to 7.0.40 or later Credit: The security implications of this issue were identified by the Apache Tomcat Security Team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html https://issues.apache.org/bugzilla/show_bug.cgi?id=54178 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJRjLHMAAoJEBDAHFovYFnnOIAP/A9HXwQgnJKYl+gXwqFkjXaq blo70uMMUpKPJ61l/keEguxZ/iGdQC4H2osjQiG7lhoOPvrMKtewCMXDAk/j9Skd HXuQVSge22Na16M6GUNXARziyDk/44k8RHy3cibrPZPhUNVD743N50toPK8Q6UKR PmAANa/kB9vvD589PCQLx/i6oiS5jaAwjoSdbwshtJytXrxoHgUrRLl3P5/sPBiq 57H/pAELR4aorfSj+tJL63ySX9v4NRiB55u3hNDgZOnPz3D9sjMsmq5vSzhfyiHh NnkYGa7+ZfnBL6DJ4eiV5z7lbMFIBa7ZzcyYEhVFCIsbnSwTL2l0a3NSkuQ0xiXS 0jQDenOuCujL1Zw5YYHhRDy2rGbFG8q/Z+ZSQ3NP0vnmQCpCfsY3mBIFCWzhmK+h TnFKdtxA+Ev/HSGPlSK1hADiYwL/iLb6YMoyintgj2mDIxrdHhcfMq8h6GYD1rbF vlbWSpmgN81xdU8JxEbnq6PC60OeZH5x08Sj9B3YQlB8E4Pq9B/EaEFYF9oZdYcP +DQWcd78SBNevg+fgKdKK8CjU5JQhMWetxv6HUomS7j3LgoJQPwVrNcg0yjV1v/g qgddQ1DOamD+KuQxh08NHfMZP08g5a+CrQ6qpe3/pr/OI0PlTN23aCXvCEGl2KlZ Cn4w/1eoL4agb5oREL2U =vQbB -END PGP SIGNATURE-
[SECURITY] CVE-2013-2067 Session fixation with FORM authenticator
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2013-2067 Session fixation with FORM authenticator Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.32 - - Tomcat 6.0.21 to 6.0.36 Description: FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials. This attack has been prevented by changing the session ID prior to displaying the login page as well as after the user has successfully authenticated. Mitigation: Users of affected versions should apply one of the following mitigations: - - Tomcat 7.0.x users should upgrade to 7.0.33 or later - - Tomcat 6.0.x users should upgrade to 6.0.37 or later Credit: This issue was identified by the Apache Tomcat Security Team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJRjLHUAAoJEBDAHFovYFnnUnEP/0R3q0uPTHRXem+Jlx6DLLfs jL3TD1idxqHcUDJhX/mnePwTxIle5lAbPZn6hBknFPdD77kjyflq4TB3ZPUipsip s2bKzGGlDDZwzRIY46ZqBRcVXuemCu73BjFNLBP6CvjQwm1/wFGuOS+oRRKKigwQ Ew1Mau3c6Sb0VIED4yrgvhPwJwdi1+rA1TO87p/8rxQIS9CTcUy6J/MICPdvIQiI zIfr7pIRSNDk9JeC6Ybr/SC5lYqAox6eqOYYNoQ+5zQ1BcCw/eQgWpm4WYM2IDV3 2eNbjS/dylz5zBQEDbzz9VtReBTncQLF6Do2KDhWxkaUaX2oaOTPKlLiyL0gwA4e IDpHDl9D5mLmBaJi4Lz14cwey5wNgs28ZqX9JCUaLz7qc03J9Au7PrplOr3Xth/Z rQqeKVxFZKaIKQOm2NKs7v7bZAhzp/mKt/u9ndnk0uKk2Tf3i6QJ1GtICTY22eB6 Eh4s/o2BJDgGop0P7cTmrAv1uKu6/72eoUJBMyyGCIN67URzVZRwMQnmW6TqZoBt tASvlTVD53HV3aPdhDHDjP9x/6V6cODD29fzn5op59BWhMVuzf+1lhqphJT0hlQQ lnuf4H9UWG8I8/OzN7XNabIbVuYyhjYWnt8HI/8N/4cAHfA67fXkcbDqleKOd6qo Pcp0qDLiZqVFSotSkVFl =hWpv -END PGP SIGNATURE-
[SECURITY] CVE-2012-3544 Chunked transfer encoding extension size is not limited
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2012-3544 Chunked transfer encoding extension size is not limited Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.29 - - Tomcat 6.0.0 to 6.0.36 Description: When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited DOS by streaming an unlimited amount of data to the server. Mitigation: Users of affected versions should apply one of the following mitigations: - - Tomcat 7.0.x users should upgrade to 7.0.30 or later - - Tomcat 6.0.x users should upgrade to 6.0.37 or later Credit: This issue was identified by Steve Jones. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJRjLHYAAoJEBDAHFovYFnnNacQAKZ8VVSZkh1Tz1hkenVQH9ic rZGNE3dzfdum8sbL18iObOyt7b7iJMDwSv96sD6Ig+6EgiqRJGcj65a9DOIoyNlD dmYT8qj4wK2OUsefUpfX0RQHgAZcZMRHX6UcgBETgVDTVcWoZ3lDWEBCYap9CTLf 2MX34mMawDp+WEXloDIvxtSC5q5u2nW/O4UJHH+jaPnnmYmghHqb2yh9Tkjj3fkG HUtJlK0WuL9TM7IlQySPUHw98BN46illVu8go6xVslE3CLzXIOOOelOnyDH9IFoF D4SbhKb0nSwSi9aUJsjLNAmgx9Cj5shYyWQSP+CCNXfpOaBz11R3lxSmRvbRBDTf lW8SPgKiCIjXSbbKtZzhl9cu21i4yZFwaKm22wKSRoEWghHs5mCNcVwt+qNE34Zx v2eliMYymkc/EDy/aCTz4DwWhGP9XLi8hOtPkSFB46jLLbUOJcAcy3jPnPa9X8Gq FX07EAncpG8uC9wpSd1Vtr8SPJlbRbkwY2NJ9MaRuEtetbC/Gpq8I5fT7MuBM7X9 8r+GoEcjTMYGWb7T+vGzg5HpcnOVY07wvG1Kvdp/cLxxAjGONsAwvZQ1D6VAjkJx bgDOGWqTDm1c7U3MIY+CdrGKpKaRCoCI6UX5vlD/+H3NYjMKadUwpDrFNCwSMF4T 7QzwCUk2DGUI/n7o7S5n =vhss -END PGP SIGNATURE-
[SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples
CVE-2013-0248 Apache Commons FileUpload - Insecure examples Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Commons FileUpload 1.0 to 1.2.2 Description: Commons FileUpload provides file upload capability for Servlets and web applications. During the upload process, FileUpload may (depending on configuration) save the uploaded file temporarily on disk. By default this will be in the system wide tmp directory. Because the temporary files have predictable file names and are stored in a publicly writeable location they are vulnerable to a TOCTOU attack. A successful attack requires that the attacker has write access to the tmp directory. The attack can be prevented by setting the repository to a non-publicly writeable location. The documentation for FileUpload does not highlight the potential security implications of not setting a repository, nor do the provided examples set a repository. This may have caused users to use FileUpload in an insecure manner. Mitigation: Setting the repository to a non-publicly writeable location such as that defined by the ServletContext attribute javax.servlet.context.tempdir will prevent the TOCTOU attack. Credit: This issue was identified by Karl Dyszynski and Hugo Vazquez Carames of SonicWall References: [1] http://commons.apache.org/fileupload/
CVE-2012-4534 Apache Tomcat denial of service
CVE-2012-4534 Apache Tomcat denial of service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.27 - Tomcat 6.0.0 to 6.0.35 Description: When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service. This was originally reported as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858. Mitigation: Users of affected versions should apply one of the following mitigations: - Tomcat 7.0.x users should upgrade to 7.0.28 or later - Tomcat 6.0.x users should upgrade to 6.0.36 or later Credit: The security implications of this bug were identified by Arun Neelicattu of the Red Hat Security Response Team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html
CVE-2012-3546 Apache Tomcat Bypass of security constraints
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2012-3546 Apache Tomcat Bypass of security constraints Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.29 - - Tomcat 6.0.0 to 6.0.35 Earlier unsupported versions may also be affected Description: When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate(). Mitigation: Users of affected versions should apply one of the following mitigations: - - Tomcat 7.0.x users should upgrade to 7.0.30 or later - - Tomcat 6.0.x users should upgrade to 6.0.36 or later Credit: This issue was identified by The Tomcat security team References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJQvlNnAAoJEBDAHFovYFnnsJoP/i6/NEKy6+tAcMZ0vKV5CGci 2Epf7NbfWHZhyYZlI445kHoCGQAvMaD0pXlLBUTlzVd2N9Jugk1j2WNPzvOlsaZ0 jx3qeuvNhVZzAa2LIDVSj8ENVNYMiA/S4reZu2u9lHqw5tTP5fapJXDNphSnr0kR A662JdkQlirQtFylkvqFdMoZ3N/vEPwzD8Cs80fafEhEqcoOtrO6yOyaR/kwEFeI 5cxbm/om4+T9cVkRduGqhzLRBWnDiCeBguXiUJXDQorOWmzHq438cNd4ylfFRa1W RBsin8aVY6LMIUqdWWqUnG8SPI7qp7odMRzhI1yLw+y4ykrV5coKeTvalIsh+3ZE FWP7kYmrOYS8NToq56Fxn8bYAuAsJiOsVZ4ox0ozR9HQCEqLEpXTa31hEowUBtig LO0HRgQIeh4rdgxxR2V46JiRw8URNfGevKrhez5B8UAb8hj02SM/3hyg3S3pL2Jn fl0vLnf1+DACd0mUuGmSQNLx5VznW6fkYHZWgmV3SigaroKL4+BbqCO7WvuNs9aA Y8dYt08IgF0O/Kt1vQdks31KEDIqHJOtrZBCySdvVLGz1x+MxluWssZGQELCcj0v ByfH80yh/uIU2Zk9QTaJlEkuODyWTYxmYRk34R3/zZ57za+NQLlpe0cfBRy33wjt VCfhXK6n3npDlmhpeBDw =pOlX -END PGP SIGNATURE-
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.31 - - Tomcat 6.0.0 to 6.0.35 Description: The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. Mitigation: Users of affected versions should apply one of the following mitigations: - - Tomcat 7.0.x users should upgrade to 7.0.32 or later - - Tomcat 6.0.x users should upgrade to 6.0.36 or later Credit: This issue was identified by The Tomcat security team References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJQvlNvAAoJEBDAHFovYFnnY80QAMvP1gIpG00vfIdiFabpJX55 UEmkPuTSefxZ6NMvAL8GkuUe8CoC6KinCgOx+s8eGlEiHtWFoYvM/Ckg8E3a8SY6 MfD8GLo2av/LdULGSCBrbaL2wFbgixPTBpgR9YS4bdpTK5nVqBZyZOjOzptqRDnE BQXDLLKa65/z7cF57l+XcLs1+JW3KJGRiGJzBNUrJK1x/AzfgRgk4jgvYdyDWdpI zuXKgwBbunblPL4sZhZA2mhoswBIMIJIaHXOAD28Ddt9IIae0UFptY6LmExOkSsa PtshA4EBlO8JTPPcfwtqA/bkHAWCzB1QshkYD57rLF3t1ouDQWI6j8l+q3AYIxzv a0Ix4qzE2hekcjGSCUMZUqNgcaGSjsggaOEo5zauM01osPQxbfpH41eH5fIWlMKi vrxRjYJwLyLdkj3bZFuP7Uq1GL4BLjeKDfqsL4aqcfdBPZea6C9rToEkB8EjD4vf DVdrX4Ivg3ImMMnL+gkX4+5aLp+jpw23G9gZbX1DJn+648iv3yFoK5ysOWy1GAAO x1Iq3pa49NigJ0ipjZvxc07THIoiK/t49/3fWzMR1Xm819oJC2/Qf512l/FpEltK kQ0y8BC4+7ypUZyhtwE3jzLW1x2j4ZBK8l1nX0X92WepJ6piro/7o80qiyDMfqPC hbmBu213eSXnV9kRHveI =jich -END PGP SIGNATURE-
[SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure
CVE-2011-3375 Apache Tomcat Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.21 - Tomcat 6.0.30 to 6.0.33 - Earlier versions are not affected Description: For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That lead to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request. The issue was resolved be ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries. Mitigation: Users of affected versions should apply one of the following mitigations: - Tomcat 7.0.x users should upgrade to 7.0.22 or later - Tomcat 6.0.x users should upgrade to 6.0.35 or later Credit: The issue was initially reported via Apache Tomcat's public issue tracker with the potential security implications identified by the Apache Tomcat security team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html https://issues.apache.org/bugzilla/show_bug.cgi?id=51872
[SECURITY] CVE-2012-0022 Apache Tomcat Denial of Service
CVE-2012-0022 Apache Tomcat Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.22 - Tomcat 6.0.0 to 6.0.33 - Tomcat 5.5.0 to 5.5.34 - Earlier, unsupported versions may also be affected Description: Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service. The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values. Mitigation: Users of affected versions should apply one of the following mitigations: - Tomcat 7.0.x users should upgrade to 7.0.23 or later - Tomcat 6.0.x users should upgrade to 6.0.35 or later - Tomcat 5.5.x users should upgrade to 5.5.35 or later Credit: The inefficiencies in handling large numbers of parameters were identified by the Apache Tomcat security team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html
[SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.21 Description: This issue only affects environments running web applications that are not trusted (e.g. shared hosting environments). The Servlets that implement the functionality of the Manager application that ships with Apache Tomcat should only be available to Contexts (web applications) that are marked as privileged. However, this check was not being made. This allowed an untrusted web application to use the functionality of the Manager application. This could be used to obtain information on running web applications as well as deploying additional web applications. Mitigation: Users of Tomcat 7.0.x should upgrade to 7.0.22 or later Credit: This issue was identified by Ate Douma References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOuWxPAAoJEBDAHFovYFnng3oP/jkYsplqxz9hjWi6uztQK3Gv BlS1IlbyqW5HW8rqr/pyfLWDDiJZUc+FmWRbyT96r/V4z0w4oGglGi289owLr1Lx bsGlauWQhZh7k5nWKboMVEk6CjGOXVQ9zMJJwhEkrXn6/HNV5O65F/0nnLoHgStM DNyKKpYDtc6XCI7+Pcutv3fqkk9niF3KSF3rePKlpUstVbuLx9HlX+0fbj7+X4w/ PyE5R9tVfr3Toiwn546QQR73VkOSmAGt0IEE9P06oY50ruW3/Z6wJjVHrlJUsoQ3 txupoC+FCZ5ph8DfoeVzav6Y3W9dImXz6rzxm3YnUKCDZuWnGVNzDE4IUyKdRM5t W/Smquaat8VxsxMbU34bSJHYA1m2nos4qPrQvJl2w0wKWrPFRnu4f8RImvg1BIPH gZ17raqPjdoBuE3H4ivgF0DSasVdYM/Ge977B+6nD9jzwE6FEFAFCCRpbYvD/6SA //QbqSlcULb6CKZ6D/rNbLSQ3e0QD6GYaz3HjJcCtJkqo2FoLGY88AxtoF4es5SB thYJf7r51J9W8g7nvw+b7Y0+eG3IczsBA0spIoyzIKr1RxSEFE2220idPdotpjAf aticEwF9U5przWmwNab7lKUd91bo32ZVtvIprPGL/NfHrL3KC891gjYqkQtrcJC5 SkiQ74ix/uGZTB6HHCWm =wak3 -END PGP SIGNATURE-
[SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.11 - - Tomcat 6.0.0 to 6.0.32 - - Tomcat 5.5.0 to 5.5.33 - - Earlier, unsupported versions may also be affected Description: The implementation of HTTP DIGEST authentication was discovered to have several weaknesses: - - replay attacks were permitted - - server nonces were not checked - - client nonce counts were not checked - - qop values were not checked - - realm values were not checked - - the server secret was hard-coded to a known string The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication. Mitigation: Users of Tomcat 7.0.x should upgrade to 7.0.12 or later Users of Tomcat 6.0.x should upgrade to 6.0.33 or later Users of Tomcat 5.5.x should upgrade to 5.5.34 or later Credit: This issue was identified by the Apache Tomcat security team References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOgF0tAAoJEBDAHFovYFnnv70QALdoVwivDt9bXBEpMgjJ0/NY kadCFsA/X+O8TEKTRx/85B54Spgv8dGJFiPMettdbfjFuq7ADsRiAbxsZQ3dEIfJ esrWfPJRTpXhjKU1OOLmoDvoueAD0pD7/qvl8o9bFowxGXLWqvO/elFe+4AH2YjZ ux9tWOlWn46Q7ffaNOzRebjPVIQ3ebB+FH9ToZAdNfFFIZbtxYRMV02wRfHWq+fU kTJ+hKF0XOpzyIut3zkmE00ZuvGAPLdnZcMKq9m/X/dt/niP2nT8H28Xx1Zu8sW+ CUE7CRse4pI6fGuXVrOAk1akyN/hkiSPxDNsDnHxALTNmjr1Z+DAs7QT5IKc3EDv NeSXAnxKfIJ83jcjam1bEf38UN1uYatP/u6XJCVpnOr0UjJ9wtO+QgSV/93eiyD7 YCpVcmKay/jvWmLPp7MRB+h6FGhJNw5OA5k7IWJePBXC39p6tpac3vsOKx1OGU38 QKUglIro/TtZo7gmfeG8lD3lI493l25+3E/vBiSrbfSHua3bmyFQikQMhy2ZPYIt 4wEfdaW4hUBJHpxkDaotuTTN8ATzQLtDNTGei2u76ZXQiOjTLUDGam++6fR+kfZU gloAy8ZIS702hoXg/ypFPtcyIx435dOgxtGIbOedmDUsy1ErGTCAksrOyn2yZl3v +Ew0bAULNmXwKQeMyDj0 =u/Ai -END PGP SIGNATURE-
[SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure
CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.20 - Tomcat 6.0.0 to 6.0.33 - Tomcat 5.5.0 to 5.5.33 - Earlier, unsupported versions may also be affected Description: Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This permitted an attacker to have full control over the AJP message which allowed an attacker to (amongst other things): - insert the name of an authenticated user - insert any client IP address (potentially bypassing any client IP address filtering) - trigger the mixing of responses between users The following AJP connector implementations are not affected: org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default) The following AJP connector implementations are affected: org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default) org.apache.coyote.ajp.AjpNioProtocol (7.0.x) org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x) Further, this issue only applies if all of the following are are true for at least one resource: - POST requests are accepted - The request body is not processed Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 Mitigation: Users of affected versions should apply one of the following mitigations: - Upgrade to a version of Apache Tomcat that includes a fix for this issue when available - Apply the appropriate patch - 7.0.x http://svn.apache.org/viewvc?rev=1162958view=rev - 6.0.x http://svn.apache.org/viewvc?rev=1162959view=rev - 5.5.x http://svn.apache.org/viewvc?rev=1162960view=rev - Configure the reverse proxy and Tomcat's AJP connector(s) to use the requiredSecret attribute - Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not available for Tomcat 7.0.x) Credit: The issue was reported via Apache Tomcat's public issue tracker. The Apache Tomcat security team strongly discourages reporting of undisclosed vulnerabilities via public channels. All Apache Tomcat security vulnerabilities should be reported to the private security team mailing list: secur...@tomcat.apache.org References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
[SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat) Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.19 Tomcat 6.0.30 to 6.0.32 Tomcat 5.5.32 to 5.5.33 Description: Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. This vulnerability only applies if: a) Tomcat is running on a Linux operating system b) jsvc was compiled with libcap c) -user parameter is used The Tomcat versions above shipped with source files for jsvc that included this vulnerability. Mitigation: Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions: a) upgrade to jsvc 1.0.7 or later b) do not use -user parameter to switch user c) recompile the jsvc without libcap support Updated jsvc source is included in Apache Tomcat 7.0.20 and will be included in the next releases of Tomcat 6.0.x and 5.5.x. Updated source can be obtained from the Apache Commons Daemon project. Credit: This issue was identified by Wilfried Weissmann.
[SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability
CVE-2011-2481: Apache Tomcat information disclosure vulnerability Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.16 Previous versions are not affected. Description: The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability previously reported as CVE-2009-0783. This was initially reported as a memory leak (https://issues.apache.org/bugzilla/show_bug.cgi?id=51395). If a web application is the first web application loaded, this bug allows that web application to potentially view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance. Mitigation: 7.0.x users should upgrade to 7.0.17 or later Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an example web application that can be used to replace the XML parser used by Tomcat. Credit: The security implications of bug 51395 were identified by the Tomcat security team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html The Apache Tomcat Security Team
[SECURITY] CVE-2011-2526 Apache Tomcat Information disclosure and availability vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-2526: Apache Tomcat Information disclosure and availability vulnerabilities Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 7.0.0 to 7.0.18 Tomcat 6.0.0 to 6.0.32 Tomcat 5.5.0 to 5.0.33 Previous, unsupported versions may be affected Additionally, these vulnerabilities only occur when all of the following are true: a) untrusted web applications are being used b) the SecurityManager is used to limit the untrusted web applications c) the HTTP NIO or HTTP APR connector is used d) sendfile is enabled for the connector (this is the default) Description: Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet and deployed web applications may use it directly via setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager: a) return files to users that the security manager should make inaccessible b) terminate (via a crash) the JVM Mitigation: Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions: a) undeploy untrusted web applications b) switch to the HTTP BIO connector (which does not support sendfile) c) disable sendfile be setting useSendfile=false on the connector d) apply the patch(es) listed on the Tomcat security pages (see references) e) upgrade to a version where the vulnerabilities have been fixed Tomcat 7.0.x users may upgrade to 7.0.19 or later once released Tomcat 6.0.x users may upgrade to 6.0.33 or later once released Tomcat 5.5.x users may upgrade to 5.5.34 or later once released Example: Exposing the first 1000 bytes of /etc/passwd HttpServletRequest.setAttribute( org.apache.tomcat.sendfile.filename,/etc/passwd); HttpServletRequest.setAttribute( org.apache.tomcat.sendfile.start,Long.valueOf(0)); HttpServletRequest.setAttribute( org.apache.tomcat.sendfile.end,Long.valueOf(1000)); Specifying a end point after the end of the file will trigger a JVM crash with the HTTP APR connector and an infinite loop with the HTTP NIO connector. Credit: These issues were identified by the Tomcat security team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOHbrCAAoJEBDAHFovYFnnUZsQANIh02dK4r0cYCwsD59Xvg0R cCpx0MCzsrVBKU/fJ5nQtVTtZnOVfH2PnZBPFlYxQXpBCgIQh+ZIp9ntGdSNP0kH e7XgHaG6NipfIPusnQyH8yYmcfRl4BDnQdHyrl1JqApDtqnzPJ4Re9SVQC5VymJP i9DlvuV4atAdSCgOZzBb3+wMV0uoZqjXcUZrQEXCYBhtGFtOQM/JyMUa7iu5+FhI AuUchlHw3N+nZ+b4QeXGdFowHMTlJoj0gv5eMCEMVfiaoM5COcaQYBRQxkbNhkfN 7zkcKKyDG2ARIJ7WB3Ncj7A4RfF2KY98q69px6RU2ho8umOycl32dw3wT1AtPWUx 3TkTgkN4FXDprCLp1r/csbYO15GSoI0selWzKxmOOuMIIamQ36HreUInZzXohuOJ VSdR/LBekdfiLNkNtIwK7oeaZoYqPT14F15C+gkzw8a7ETzN6kyYwZz2+dnnWvxM lV5WhEksulVfrfro6OBFI4k4KVyCq/QYRUH2WfyaRyUhRB8of6tnweB46upzzoAU +YtyLPimURofJbcw4Ut4VBvjVJTdts3air32vCKxpfnjdn9Gd3GH3phjrsYzJHTl fg3RcqrmV9I0gxLn5oWIMx17gOGpFOgSwMyGgm/WEJLyiEV5suSPFVjMFq3znj+7 zAlePYK10YSe5XiZ9g8F =MeHU -END PGP SIGNATURE-
[SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-1582 Apache Tomcat security constraint bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.12-7.0.13 - - Earlier versions are not affected Description: An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security constraints configured via annotations were ignored on the first request to a Servlet. Subsequent requests were secured correctly. Mitigation: Users of affected versions should apply one of the following mitigations: - - Upgrade to a Tomcat 7.0.14 or later - - Define all security constraints in web.xml Credit: This issue was identified by the Apache Tomcat security team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJN0m4vAAoJEBDAHFovYFnn5NkQAOBocyvRk9fTGX569Ga95yDJ vV84ZS3D1jCP3VQ1swh1Ouzd9NdP9pRGVWysTjz6N1bsZ+BMpGIyT/GpMqhfPAPx OzzbkM2cNow8MR/PG3rFbYjQH1r6D400zSu+drHDtTzrOY2uXS2ClL0UuxUg9LcN tUfidh9629OMVtuWqA2jwTSrc7fDdye5Ti1HZ0g5vUG5Cvab4LCcRdwh2VWT7g3T LKUTr6AZAz0mQ/7+QNJOOykX+FJcOL99Q46NLVZzeLPWFoEBZn/BRs8O9WehYnLV EEZtARSaUzTjssePo/O+oV4xYW5JIA1+5sKG7+xIvIaWKMbIPbdrPEPZusK/X0QR LjdLbMUGcGzDUVNP0hGzpArIDXcWmslJKJ3YFTCg3VdeamULh12bqxw3AtliAzI9 pSTcMcVNOMWZOUl/Czc2I3t5ehWaOGr5j3D7No8mEFMCcRoQoRTNS7hKqqqKsyY4 hTxMJV9dXox5mIuDY8hLaGY9KuUFIo2AXWnr7lqIBrKGrziVAySuIpKSnzuFvz2z q2DjPnXrFo/5W2ZVfUk0utCjyJX/NJdizKmW9PdQu4aT2BJdEgjjiW+qzPi20kZy HgySY8kEFbI8CyM6PqD6Yb5nzA/xR1YAYRQx1pWTrE5Y0B5MTctAaPCIJQoc3nIA GZ0Ziz0q/PX/x7ug1TnP =srIH -END PGP SIGNATURE-
[SECURITY] CVE-2011-1475 Apache Tomcat information disclosure
CVE-2011-1475 Apache Tomcat information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.11 - Earlier versions are not affected Description: Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of responses between requests. While the mix-up in responses was only observed between requests from the same user, a mix-up of responses for requests from different users may also be possible. Mitigation: Users of affected versions should apply one of the following mitigations: - Upgrade to a Tomcat 7.0.12 or later - Switch to the NIO or APR/native HTTP connectors that do not exhibit this issue Credit: This issue was identified by Brad Piles and reported via the public ASF Bugzilla issue tracking system. The Apache Tomcat security team requests that security vulnerability reports are made privately to secur...@tomcat.apache.org in the first instance. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass
CVE-2011-1183 Apache Tomcat security constraint bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.11 - Earlier versions are not affected Description: A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in the web.xml and the web application was marked as meta-data complete. Mitigation: Users of affected versions should apply one of the following mitigations: - Upgrade to a Tomcat 7.0.12 or later - Ensure a login configuration is defined in web.xml Credit: This issue was identified by the Apache Tomcat security team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-1088 Apache Tomcat security constraint bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.10 - - Earlier versions are not affected Description: When a web application was started, @ServletSecurity annotations were ignored. This meant that some areas of the application may not have been protected as expected. Mitigation: Users of affected versions should apply one of the following mitigations: - - Upgrade to a Tomcat version where this issue is fixed - - Define security constraints via an alternative mechanism such as web.xml Credit: This issue was reported publicly on the Tomcat users mailing list. The Apache Tomcat security requests that security vulnerability reports are made privately to secur...@tomcat.apache.org in the first instance. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJNfycmAAoJEBDAHFovYFnn3jgP/0aecIt4uUYHWbmzUPA0FNan tzjVfPskwPYrSuNbHjHuxPknmxUPSFiCdO3V1LLtnCX2y5+cNancWRjLX7lDbt8H sL+9AaoI8HDShG1wgYsnh/3fIKczhE28pTtyo0GtG4HpQVLcT/OH2Qhb6+mG3jwo SCia1eSTJuhj5HM3n2fb5X33n/UEkX/cCALDrt1DRfKV69MaZbMiZh7XfpyVDpdN LePYIeuOoxg9CVjkDYCVIaK5Bi0uzPD8yCc73dOU3YobgbDDaLSN7Awd1/RhO5TR fpWVbl0gbmMlPnMy52B9qZL+H9HwcNnYPqbtpquE2a6ik29QT4LMTNo0mr25XxmP K3Jb7VTcVb/P1pxFOsTyMWy25IFubMEBW4c3kafBZGUI3Q25QmNizBXZ5wvn1vex kBzDZrnKmkzvhnCy6RnTKk9BYGRWEw9ImTqLOaLxmtXJw9bnWgoeusnje1k/24QI 3+pw/g5OjwG7hqtStrscFeo8tc/snXBojn1d21txsnLggQ0E6+9+vUVym5tBD16I MfzN7FSd620AFSmVUo5mEfEpDe+RTkA8y/7BnYHoguBQ7WLlxejCgRpaf91vBns6 ZEQGntzx7EW7M+P2GNHy1mrVGTQ7Glk/5tnAFyqgMOHzYyN11Y3OWO1XBv+1um8q kadENSXz4mY0vKtvaeuT =i/HJ -END PGP SIGNATURE-
[SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions
CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.?
- Tomcat 5.5.0 to 5.5.?
- Earlier, unsupported versions may also be affected
Description:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.
Example (AL2 licensed):
Listener source
---
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
public final class FooListener implements ServletContextListener {
public void contextInitialized(ServletContextEvent event) {
ServletContext context = event.getServletContext();
java.io.File workdir = (java.io.File) context
.getAttribute(javax.servlet.context.tempdir);
if (workdir.toString().indexOf(..) 0) {
context.setAttribute(javax.servlet.context.tempdir,
new java.io.File(workdir, ../../../../conf));
}
}
public void contextDestroyed(ServletContextEvent event) {
}
}
web.xml snippet
---
listener
listener-classlisteners.FooListener/listener-class
/listener
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy all web applications from untrusted sources
Credit:
The issue was identified by the Tomcat security team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
[SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - Tomcat 7.0.0 to 7.0.3
- - Tomcat 6.0.0 to 6.0.?
- - Tomcat 5.5.0 to 5.5.?
- - Earlier, unsupported versions may also be affected
Description:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.
Example (AL2 licensed):
Listener source
- ---
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
public final class FooListener implements ServletContextListener {
public void contextInitialized(ServletContextEvent event) {
ServletContext context = event.getServletContext();
java.io.File workdir = (java.io.File) context
.getAttribute(javax.servlet.context.tempdir);
if (workdir.toString().indexOf(..) 0) {
context.setAttribute(javax.servlet.context.tempdir,
new java.io.File(workdir, ../../../../conf));
}
}
public void contextDestroyed(ServletContextEvent event) {
}
}
web.xml snippet
- ---
listener
listener-classlisteners.FooListener/listener-class
/listener
Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat version where this issue is fixed
- - Undeploy all web applications from untrusted sources
Credit:
The issue was identified by the Tomcat security team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNTLBXAAoJEBDAHFovYFnnkQkQAIpE68EHXYnu70xHFThPVGPk
48OIvAA2fMzF8RajaGQRkOS3WXrzPdbjf8AXjUmZ/E3Yr+4XdP2kmDMGsW9hs/Vw
x2fXYfyBQQQMdKVnSVr3cMSPs+RhnSpPI1wsQUWnp0xZNez/9VkSDeINq8JFGXLB
5NgkQZ4+6UBBl2K/mtkVxZHnXi1y9ulvhaQ95jCTt7mzOUJrlq8NXWaEW1njtGAO
7Z6KBMn6PQkzx1k38TG6kPBN331fWWE2WhSimMkX1Q8jfI5f0PVPaQELPKieSf7x
G0zCfQ8aH0q4Kn0jsvvmP43mzCz3PbBwOpFZgPO0vcA5usXwFXGTJCKAhhCTy0CG
q9Sjxb8hLyEwg0vIrvzzlPj6g8mm6syW7Db4R4F3vW/ovCWgVdRFMhl0e/KX3nfG
MWSYq/x4wFj470/j5Ak7wz2y/GAiX9LiEwhFlEWL/SOevY9/u3l9dXIUbcYUG3mS
4dBpthU5eJc2vbdp+gtAPoJexxS9nZhCfbcNjV5HbdRHhn1dIaJhR3KYnqQU2wX2
CG2srHqTJ+3aW969nhHxgpiLmElmDlWHMNQmDDDaY9CDC2i3ZNdw4uBes4nRc7Xg
/1LQvx7pSnAidrQa6CcOjsf4usBQ6faO0zeuri9l6jwFDfwHiL/TuNzNxgmbR8BC
DgZJ/zI6FepuWKA4CV7t
=uz7D
-END PGP SIGNATURE-
[SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The original report is [1]. Tomcat is affected when accessing a form based security constrained page or any page that calls javax.servlet.ServletRequest.getLocale() or javax.servlet.ServletRequest.getLocales(). Work-arounds have been implemented in the following versions: - - 7.0.8 (released) - - 6.0.32 (released) - - 5.5.33 (released expected Monday 7 Feb 2011) All users are recommended to upgrade to a Tomcat version with the work-around. Users unable to upgrade can filter malicious requests via a Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd reverse proxy) or other filtering as available. Accept-Language headers that are compliant with RFC 2616 can not trigger this bug. Therefore, filtering out all request with non-compliant headers will provide protection against the DOS vulnerability. The Apache Tomcat Security Team [1] http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJNTLBnAAoJEBDAHFovYFnnk0IQAOB6xo9/wEqckNzq/MUxfxH8 c131gJ0XcMktGZ7x7A2/SgG/oIfl5B4q78EujtPwHsy8XS9XRKCdJtOz8Ak67zb7 z6UhB+ha2R0fgzJoesZeBiHyH4vymB8izF9npnDuFv+Gij7K08mu5bERMCNNQftc +/0a7I2QD/K5YoqkYW/1RLwWhrbAXmjE8ysmnTtgfemRxmGL971bx8+9+l9JmGpm unP+yVYpKNnGXNUSNuL9C0oka2iCzkrPW0UplZyyMsB2iiuKetYESL9KR1rEvxA6 OL4FmS0OxzyPO0UwXFd6qJxc6L2BaWLdhyu7Qp/WnWDFsPDdGa7J87i4WeMsNb2D GYk+9TNV4S2QOCK1dFuARvCY74QykuthBEUHmCJUOT5fUt3NtGXjMTvBTWZUGIbg Eqe5nfGxLB2ZcimWoYUKoYJe31/DY8lBFVPl4KVIUlcQ0RLjnE7JqbSey8ZrHZ4o FY9ZA74ndDUjEaJpwgRVHN6FO7Sts+wDPATYZVvO3lPb0pzwGTBFPAcSiysqbiJT njwUBWfz5e7cpXpHvCPyh0PGY6giHticXplhKsq9M/ZK1G6ZzFXbBwlACUfLGFK7 Pt4af26arAlcoapJ0PG8AXGPZLztzLVR1jaNBJ9900gIZ/OI5cmZ9n23l0viTtEf v/8kgZ+3uv6vRb3+wrXH =oxMp -END PGP SIGNATURE-
[SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2011-0534 Apache Tomcat DoS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- - Tomcat 7.0.0 to 7.0.6
- - Tomcat 6.0.0 to 6.0.30
Description:
Tomcat did not enforce the maxHttpHeaderSize limit while parsing the
request line in the NIO HTTP connector. A specially crafted request
could trigger an DoS via an OutOfMemoryError.
Example (AL2 licensed):
package bug50631;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
public class FloodClient1 {
static final int k_step = 10;
static byte[] value = new byte[k_step * 1024];
public static void main(String[] args) throws Exception {
int i = 0;
while (i value.length) {
value[i++] = 13;
}
SocketAddress addr = new InetSocketAddress(localhost, 8080);
Socket socket = new Socket();
socket.setSoTimeout(0);
socket.connect(addr, 0);
OutputStream os = socket.getOutputStream();
// InputStream is = socket.getInputStream();
int k = k_step;
int m = 0;
int k100 = 100;
while (m 2000) {
if (k = k100) {
k100 += 100;
System.out.print('.');
System.out.flush();
}
if (k = 1024) {
m++;
k -= 1024;
k100 = 100;
System.out.println( + m + Mb);
}
os.write(value);
os.flush();
Thread.sleep(1);
k+=k_step;
}
}
}
Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to a Tomcat version where this issue is fixed
- - Use a BIO or AJP HTTP connector in place of an NIO HTTP connector
Credit:
The issue was identified by the Tomcat security team.
References:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50631
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNTLBxAAoJEBDAHFovYFnnVFsQAIE5bU+2aJccXjnlYkEZAr4S
aXmHOCqTOzaW5ob3hPhpFmOwZx3Miabx9fJPRGnCb8CEihz00soYbMcTRHbgDqXA
d/bXMr4xjZF80AM/cWng0vmDbgnLbhVUkGwNqLtuU2rjyxfnRNKBkc0CDIoDQ1FV
zkm5uW9DYTpCmcRo13IhCPanY1DRA/+QiUxriofeUPuz6skiUuyBiY95GDQNOvSo
GofEJt39DBnPDb2kzonkQTERo2OgSIPDgLeas3/pawHGsQXaBH3dwOsRQESExJS+
kT5xuhUuqynWNGXnimG0x8yCDe7+SujiAmSjTSrblBIanOtIt3SxjSe9+SasSQih
jNO/M87aQ/znmlIlVeS4F+OFuWSuBUB+GjpZn1L77pG+/yWiHurhUuAXM2borB9c
I45c2yuYstki7ej9buHXpy5l4d6A28FT61V6E2sENM9RMMHFY7cUJmorbsBf1qj2
ei+h9QEcNiwg/on0apg9pU+B1PCZxGR7G/8aMCXFfkri4opeAXy7ZpJfk+k2zI64
S8edezROjZxgztqZKydpFn2MrQ9tUmoioZHUEiZqAuPVfszXvUdLZsSFh+7A6+4D
jL+T7jIt9wsCxsZJ1+8X03nEkD7Yop+kHvUmMjyM4XEKLReI+PoXfYBrNou7Nhvm
niulExg4qtuJplCbEw8k
=06CU
-END PGP SIGNATURE-
[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- - Tomcat 7.0.0 to 7.0.4
- Not affected in default configuration.
- Affected if CSRF protection is disabled
- Additional XSS issues if web applications are untrusted
- - Tomcat 6.0.12 to 6.0.29
- Affected in default configuration
- Additional XSS issues if web applications are untrusted
- - Tomcat 5.5.x
- Not affected
Description:
The session list screen (provided by sessionList.jsp) in affected
versions uses the orderBy and sort request parameters without applying
filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session
cookies by default so this vulnerability could expose session cookies
from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team
identified additional XSS vulnerabilities if the web applications
deployed were not trusted.
Example:
GET
/manager/html/sessions?path=/sort=scriptalert('xss')/scriptorder=ASCaction=injectSessionsrefresh=Refresh+Sessions+list
Mitigation:
Users of affected versions should apply one of the following mitigations
- - Tomcat 7.0.0 to 7.0.4
- Remove the Manager application
- Remove the sessionList.jsp and sessionDetail.jsp files
- Ensure the CSRF protection is enabled
- Apply the patch 7.0.4 patch (see below)
- Update to 7.0.5 when released
- - Tomcat 6.0.12 to 6.0.29
- Remove the Manager application
- Remove the sessionList.jsp and sessionDetail.jsp files
- Apply the patch for 6.0.29 (see below)
- Update to 6.0.30 when released
No release date has been set for the next Tomcat 7.0.x and Tomcat 6.0.x
releases.
Credit:
The original issue was discovered by Adam Muntner of Gotham Digital Science.
Additional issues were identified by the Tomcat security team as a
result of reviewing the original issue.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
Note: The patches The Apache Tomcat Security Team
Patch for 6.0.29
Index: webapps/manager/WEB-INF/jsp/sessionDetail.jsp
===
- --- webapps/manager/WEB-INF/jsp/sessionDetail.jsp (revision 1037769)
+++ webapps/manager/WEB-INF/jsp/sessionDetail.jsp (working copy)
@@ -30,8 +30,10 @@
% String path = (String) request.getAttribute(path);
Session currentSession =
(Session)request.getAttribute(currentSession);
HttpSession currentHttpSession = currentSession.getSession();
- - String currentSessionId = currentSession.getId();
- - String submitUrl =
((HttpServletRequest)pageContext.getRequest()).getRequestURL().toString();
+ String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+ String submitUrl = JspHelper.escapeXml(
+ ((HttpServletRequest)
pageContext.getRequest()).getRequestURI() +
+ ?path= + path);
%
head
meta http-equiv=content-type content=text/html;
charset=iso-8859-1/
@@ -45,7 +47,7 @@
titleSessions Administration: details for %= currentSessionId
%/title
/head
body
- -h1Details for Session %= JspHelper.escapeXml(currentSessionId) %/h1
+h1Details for Session %= currentSessionId %/h1
table style=text-align: left; border=0
tr
@@ -54,7 +56,7 @@
/tr
tr
thGuessed Locale/th
- -td%= JspHelper.guessDisplayLocaleFromSession(currentSession)
%/td
+td%=
JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession))
%/td
/tr
tr
thGuessed User/th
@@ -120,7 +122,7 @@
String attributeName = (String)
attributeNamesEnumeration.nextElement();
%
tr
- - td align=centerform action=%= submitUrl
%divinput
type=hidden name=path value=%= path % /input type=hidden
name=action value=removeSessionAttribute /input type=hidden
name=sessionId value=%= currentSessionId % /input type=hidden
name=attributeName value=%= attributeName % /input type=submit
value=Remove //div/form/td
+ td align=centerform action=%= submitUrl
%divinput
type=hidden name=action value=removeSessionAttribute /input
type=hidden name=sessionId value=%= currentSessionId % /input
type=hidden name=attributeName value=%=
JspHelper.escapeXml(attributeName) % /input type=submit
value=Remove //div/form/td
td%= JspHelper.escapeXml(attributeName) %/td
td% Object attributeValue =
currentHttpSession.getAttribute(attributeName); %span title=%=
attributeValue == null ? : attributeValue.getClass().toString()
%%= JspHelper.escapeXml(attributeValue) %/span/td
/tr
Index: webapps/manager/WEB-INF/jsp/sessionsList.jsp
[SECURITY] CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.29 Tomcat 6.0.0 to 6.0.27 Tomcat 7.0.0 Note: 7.0.0 is still beta. Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected. Description: Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. Mitigation: - - Tomcat 5.5.x users should upgrade to 5.5.30 or apply this patch: http://svn.apache.org/viewvc?view=revisionrevision=959428 - - Tomcat 6.0.x users should upgrade to 6.0.28 or apply this patch: http://svn.apache.org/viewvc?view=revisionrevision=958977 - - Tomcat 7.0.x users should upgrade to 7.0.1 when released or apply this patch: http://svn.apache.org/viewvc?view=revisionrevision=958911 - - All users may mitigate this flaw by running Tomcat behind a reverse proxy (such as Apache httpd 2.2) that rejects invalid values for Transfer-Encoding. Credit: This issue was discovered by Steve Jones References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMN07EAAoJEBDAHFovYFnn8U4P/2wJuP+JYoqeIpPJwK7stqfd jKO01S999v9lnYpIfPXEaFgGXTedo7BYo4X+OTuR7OLiAR6DVa1PhVzDd4bzoeW3 sY9zbOiXEvM6Ps5eVPJuR9P4YVs8O6qeLA8UKWV28KIFX/N4hZ5KAAJTSdlP0DuB 2dLB8cWtldTJrYmLVXbG//1j4S/k/PfHU/+MpZRIs8GWUPOpCxrWyvg+rTQN2zWP iKsUzEEfXyoeHJmD/KM7OTbxfmL0HsUgeHPUBi4A6zPZt6e8614MZcr9FuwK4BBt +8lCrZhP9XgxbTqp2qMRtF49ObK2gWVav3o2uruaK6NDvGLrAjgvV+mCxKVx6yjl i9kL1K8S1FIO2eqTdVrQulega2NatYJxyG2ofDsb92+6mio/vLYKBxtI4bworQli Vf/EWmYCuueKrZzde6k+HWhy9cR8JFdws/EGZ5UUaMiVB5Rvk5jPHwBgJDUdnSqC 75HEQBTsowsVKLGuHSnIjkg4B0IiAT6COsOsTfXsUSUn8f95a40GTynE70xvL0Ii 17wr2aK3fC8z9XG3Grbx1s4KiIW41iPBDSh9I7WWSQ+hhq+VHsBKJoubQsWW4qVb sRuMx6kHTRq1DqEiTtAQFdMiE1oyDNB1ro99j44LH4azJvi5hS5S5R5QOyt9PshE x6KDdVdqZF3+d64YwjtE =KHN9 -END PGP SIGNATURE-
[SECURITY] CVE-2010-1157: Apache Tomcat information disclosure vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2010-1157: Apache Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 6.0.0 to 6.0.26 - - Tomcat 5.5.0 to 5.5.29 Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected. Description: The WWW-Authenticate header for BASIC and DIGEST authentication includes a realm name. If a realm-name element is specified for the application in web.xml it will be used. However, a realm-name is not specified then Tomcat will generate one using the code snippet: request.getServerName() + : + request.getServerPort() In some circumstances this can expose the local hostname or IP address of the machine running Tomcat. Example: GET /application/j_security_check HTTP/1.0 HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 WWW-Authenticate: Basic realm=tomcat01:8080 Content-Type: text/html;charset=utf-8 Content-Length: 954 Date: Thu, 31 Dec 2009 12:18:11 GMT Connection: close Mitigation: Administrators of web applications that use BASIC or DIGEST authentication are recommended to set an appropriate realm name in the web application's web.xml file. Alternatively, the following patches may be used to change the default realm to Authentication required (without the quotes): - - Tomcat 6.0.x: http://svn.apache.org/viewvc?view=revrev=936540 - - Tomcat 5.5.x: http://svn.apache.org/viewvc?view=revrev=936541 These patches will be included in the next releases of Tomcat 5.5.x and Tomcat 6.0.x. No release date has been set for the next Tomcat 5.5.x and Tomcat 6.0.x releases. Credit: This issue was discovered by Deniz Cevik. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLz3o5AAoJEBDAHFovYFnn7NgP/jyjnqK98FfruhzL0eB/b748 7EYP8k//kbmq8SIYyDkHkmlGfDNE+epxLudgSLbwg8QJdNG50JHwjTzAcclPCyu6 jx3NuJVKxn8KloD3rmxhrIItLG/yQ50JP3tnNO3xC4pS4j8dzdrTS2lFPXxcna6e o9rMUwPLTEsLvNhd93sUIpdXuLhG9TP7dOeAD737ybvmRcz612igGyyT3hVUeGsK TvJ+uzZTLJi+Wz0UMRdseqsgp1OW2DeMyao67bPaUrbX9EfLA+yUfXV6TRByT4C5 S5BB3mTz8WBgWkscCmKB0mqmtiPfv7PxlRDfMyPAkFhezPAnL5UD4fSZ3Aes8rTO IF6CM/lWXm+eMECVwuIh7RdiPJtpe/1ZTQ2EtAQ/JZOIoDX2sKNF92opGeNiZPp9 P78tfksI23tLNJeDcJmL1a2L1yP8pcvAnd6AhYwZPc+LoZBKOsqEMMDU9CmbT3LY 2Fyn8h5yV9Fql9TR9J87aB9BDcQ5vqtdJ17qO20ur54SockI/oNi45tpDf76sJQB 0iOVY1MDu9J4c3xvtmWrdsAZF8VFDhW8nXdKOATh2cVQg/P4aELW2eyGUbiL5hLZ EWgiZRQWm815MqEwikbztMON4OipensBx1wNuKvj2VKs3VK8tkSuXigViOCTYo+c mm73gFAt6VWTF5sbfTuA =mtgX -END PGP SIGNATURE-
[SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also affected. Description: When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root. Mitigation: 6.0.x users should upgrade to 6.0.24 or apply this patch: http://svn.apache.org/viewvc?rev=892815view=rev 5.5.x users should upgrade to 5.5.29 when released or apply this patch: http://svn.apache.org/viewvc?rev=902650view=rev Note: the patches also address CVE-2009-2901 and CVE-2009-2902. Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment. Example: A WAR file that contains the following entry will overwrite the standard Windows start-up script when deployed on a default Tomcat installation: ../../bin/catalina.bat Credit: This issue was reported to the Apache Tomcat security team by Marc Schoenefeld of the Red Hat Security Response Team References: [1] http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLXMF6AAoJEBDAHFovYFnniGcP/j9ZyFlLdzcTxJLqqWyAOdUt J1jF8vZTIqkf/vFyrRxLgw9ihaKZQ1wpd9U3vdHulcIsuAeBtiZgIhlXKItJiTLf ImsEl5a3w3Ucp2Z71/IIRxmcffz/zIjgdzmhmnRDEhiHz/wiygpRr7X1M8ZgZVXe itxFDhZu7ccWDTwUkxOoFuG6CWxb6/red3l5CaL4OtcWBTZ1aqQ5M1Io62pWErLI 6F/xuGTvWn4AeXaNEgJOGFZLLyX06WQJSzaJXh/tPqI153mk5Or63m03uJy9wHqa p7ULRvRNSZ57m8L08e397uCjvu4CPGf1Rm0dDDART7UaLF1Q13gP9O6DPCS88wN+ ypgZTERSG9t0iMHZCKNjH1huRJDVPkEJwvGdtH0wGzFwg5S+oJ/J5ETW29dQ/JUR pt1U1Xz6RnzFFgQR4Xomdc4SPysDFOIAexi8dkZPDcafN7YyiMQTRyU3iNRuoaR1 Y32qWfqJrmVDWQ1J4BLYsrLrpgZ0s5ccq6omz36lbH+3blyVPf1th84lWg9GG6lo W3qsnJIpNfxLi9II9sDxbVpUJXLVbJmBexUDR3z9BayowNtBlwMWXEZluctGe2DO hIkNB0D33AJvMD7wY80tnXY/hH3X5Vs+ZePEmu7TQB1KXzTinEbVdNVPF8/8woaL 7iN004jxhnUxQc8Fgwj4 =/B5h -END PGP SIGNATURE-
[SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also affected. Description: When deploying WAR files, the WAR file names were not checked for directory traversal attempts. This allows an attacker to cause the deletion of the current contents of the host's work directory which may cause problems for currently running applications. Mitigation: 6.0.x users should upgrade to 6.0.24 or apply this patch: http://svn.apache.org/viewvc?rev=892815view=rev 5.5.x users should upgrade to 5.5.29 when released or apply this patch: http://svn.apache.org/viewvc?rev=902650view=rev Note: the patches also address CVE-2009-2693 and CVE-2009-2901. Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment. Example: Deploying and undeploying a WAR named ...war causes the all files and subdirectories in work/engine name/host name to be removed. Credit: This issue was discovered by the Apache Tomcat security team References: [1] http://tomcat.apache.org/security.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLXMGKAAoJEBDAHFovYFnnU3sP/2qKA+k8nmXoowqeUKfgTZyg EJAtLvuTHFViDFeA7tDrh18pMzWUfPCu/sU8qXaiY71Dw6Fa8zcJ1SksP/WB4jmN UDuSj9vm5INxjbANnniSpZ5+tfLukPz9I3vFIIpmT4xO2aGnbqTUWPmVb2Oitapp ePH35D0OldLIL8O4TmdTK5LPw/qufbvEtegTlryJeyO9kWvqmK54W2cs60i+txiD zwzoRJgmNd7e/DS8+jrGrSFgLiFQlEQraQ99OvvU9bi7DofEUA1HuxPV94Ck8oMc xbcNlAgSMuqc0PuIff68rXP3M/4M96j/BFRRLsAqUPfXBZQBZ6vc/uOVG2JriIQU psksw1zTf8pbUTtuY6EUry3SspTHWcMGJfoxtrXa0nVxGnTg5XI/joipbCbbcF6p 0npKt3IIEH6JYtZ2DbSO0w6QjFnCVV5v0mB1LrMQDy0SzfcYf6G0MnmD6hLYNsdz 83TRgicGCfcSqZdiZDJ2Kngwnjl/oHYx2A1SVOc4q0NoIlFnzF9qMqiLM5hM87LT 3FaFsDmeFwhUxo4JRGAFA+ft1UrYufCvCQy+ZW6fxPIW2Qz9aEq63MDVojdd2yf7 Z9JApNAiO6q1cJukOaworJiv1cbcZHp0SaWDJQIo4VFT2APD2DFU79vCseIusX4e jcy9btzWclss+2hAA/XQ =kJa8 -END PGP SIGNATURE-
[SECURITY] CVE-2009-2901 Apache Tomcat insecure partial deploy after failed undeploy
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-2901: Apache Tomcat insecure partial deploy after failed undeploy Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also affected. Description: By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. Mitigation: 6.0.x users should upgrade to 6.0.24 or apply this patch: http://svn.apache.org/viewvc?rev=892815view=rev 5.5.x users should upgrade to 5.5.29 when released or apply this patch: http://svn.apache.org/viewvc?rev=902650view=rev Note: the patches also address CVE-2009-2693 and CVE-2009-2902. Alternatively, users of all Tomcat versions may mitigate this issue by manually ensuring that an undeploy removes all files. If one or more files cannot be deleted, it may be necessary to stop Tomcat before the files can be deleted. Credit: This issue was discovered by the Apache Tomcat security team References: [1] http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLXMGYAAoJEBDAHFovYFnnwXgP/RAhAkPwPP9R3S5xM/mtZj+l cQacLI/8FdPOluVUIYNuPP2ti3v2STJyhUMOYVMQIpf7Why4fFiLaIOLZWDS04Gb UfTQfcFIQlh69h3xQBgkEeSHNegxGLRvl8sLrhLTmaLug4qn8JW81sZnO+9PejmD CgZKCq2ALqIvNmEU7nZTz/5xzll88O+b8P5UQqDGM9r1Z8fO8oCUood1n2hVdZAb PoLn7CKqMtb2psGvYWqYDNeB5mRVhHnqUdtQzQy3Sy6C8YBxkmm9HWOZjoAvjMaa X4N5THNyhXwdfNo9r6CClEiaQM6AK+jRl8SyeNiGNgNHT3Knhn9ANVUcRomRXgJm dsKKz0wBN/zVp7ux5FLlK9O/a7VNniYMFRwg71Na9KQY6/oRlxpOU9zgWqI9Co9V LD8g0EWliabOCv3nREDYqwrJq75ffS5TwK8mqWNlW/0gszDex34kVqnS06hMY1HT OK5Ip1cYhUZLlcfwkmN6tBxBozCteO/Nrfh6HEahc0MXVJXbZxDXLvWtDNSrBMSY Hqt9suXYom1rCxtFdBDtgXctAnB4UrADRxC4w/e7kZ+v3MRMtzl1UG/6cJDQtQ9f Iwt51lECjIW6LqEpSIMTs/v5h9ueSPhY/n7GWNloSqCUgA0XL5sw5lYkGsMmS4Sh dkab23FgmsfqGqZYUGzv =vcr6 -END PGP SIGNATURE-
[SECURITY] UPDATED CVE-2008-5515 RequestDispatcher directory traversal vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Updated to add additional patches required for 5.5.x and 4.1.x CVE-2008-5515: Apache Tomcat information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.39 Tomcat 5.5.0 to 5.5.27 Tomcat 6.0.0 to 6.0.18 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Mitigation: 6.0.x users should upgrade to 6.0.20 or apply this patch: http://svn.apache.org/viewvc?view=revrevision=734734 5.5.x users should upgrade to 5.5.28 when released or apply these patches: http://svn.apache.org/viewvc?view=revrevision=782757 http://svn.apache.org/viewvc?view=revrevision=783291 4.1.x users should upgrade to 4.1.40 when released or apply these patches: http://svn.apache.org/viewvc?view=revrevision=782763 http://svn.apache.org/viewvc?view=revrevision=783292 Example: For a page that contains: % request.getRequestDispatcher( bar.jsp?somepar=somevalpar= + request.getParameter( blah ) ).forward( request, response ); % an attacker can use: http://host/page.jsp?blah=/../WEB-INF/web.xml Credit: This issue was discovered by Iida Minehiko, Fujitsu Limited References: http://tomcat.apache.org/security.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkovmMwACgkQb7IeiTPGAkNPigCcDBEKxwuBoXnvixbqoqM8CIaN VKYAni4kHySG2JmbYi1hz4xAGpgm36Gr =7FT9 -END PGP SIGNATURE-
[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-5515: Apache Tomcat information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.39 Tomcat 5.5.0 to 5.5.27 Tomcat 6.0.0 to 6.0.18 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Mitigation: 6.0.x users should upgrade to 6.0.20 or apply this patch: http://svn.apache.org/viewvc?view=revrevision=734734 5.5.x users should upgrade to 5.5.28 when released or apply this patch: http://svn.apache.org/viewvc?view=revrevision=782757 4.1.x users should upgrade to 4.1.40 when released or apply this patch: http://svn.apache.org/viewvc?view=revrevision=782763 Example: For a page that contains: % request.getRequestDispatcher( bar.jsp?somepar=somevalpar= + request.getParameter( blah ) ).forward( request, response ); % an attacker can use: http://host/page.jsp?blah=/../WEB-INF/web.xml Credit: This issue was discovered by Iida Minehiko, Fujitsu Limited References: http://tomcat.apache.org/security.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkotiBQACgkQb7IeiTPGAkMi6QCgnlzEt/7byUJo2YXGHMLj2ckH rF8AoK8dmpZcxd5pV9VvEaPqm4xhXJPO =bDV5 -END PGP SIGNATURE-
[SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability with FORM authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Updated to clarify affected versions as they vary for each affected Realm. CVE-2009-0580: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: MemoryRealm: Tomcat 4.1.0 to 4.1.39 Tomcat 5.5.0 to 5.5.27 Tomcat 6.0.0 to 6.0.18 DataSourceRealm: Tomcat 4.1.17 to 4.1.31 Tomcat 5.5.0 to 5.5.5 JDBCRealm: Tomcat 4.1.0 to 4.1.31 Tomcat 5.5.0 to 5.5.5 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected. Description: Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords. The attack is possible if form based authenticiaton (j_security_check) with one of the following authentication realms is used: * MemoryRealm * DataSourceRealm * JDBCRealm Mitigation: 6.0.x users should do one of the following: - upgrade to 6.0.20 - apply this patch http://svn.apache.org/viewvc?rev=747840view=rev 5.5.x users should do one of the following: - upgrade to 5.5.28 when released - apply this patch http://svn.apache.org/viewvc?rev=781379view=rev 4.1.x users should do one of the following: - upgrade to 4.1.40 when released - apply this patch http://svn.apache.org/viewvc?rev=781382view=rev Example: The following POST request should trigger an error (500 server error or empty response, depending on the configuration) if the ROOT web application is configured to use FORM authentication: POST /j_security_check HTTP/1.1 Host: localhost j_username=tomcatj_password=% Credit: This issue was discovered by D. Matscheko and T. Hackner of SEC Consult. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoo/a0ACgkQb7IeiTPGAkOwBgCgg32bOh5/3FWwmg+qnazFuJLy UGAAnjGl3psau6THn7UDBjpHfSG8LZ4a =SIJ6 -END PGP SIGNATURE-
[SECURITY] CVE-2009-0783 Apache Tomcat Information disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-0783: Apache Tomcat information disclosure vulnerability Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 6.0.0 to 6.0.18 Tomcat 5.5.0 to 5.5.27 Tomcat 4.1.0 to 4.1.39 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected. Description: Bugs https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files. If a web application is the first web application loaded, these bugs allow that web application to potentially view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance. Mitigation: 6.0.x users should do one of the following: - upgrade to 6.0.20 - apply these patches - http://svn.apache.org/viewvc?rev=739522view=rev - http://svn.apache.org/viewvc?rev=652592view=rev 5.5.x users should do one of the following: - upgrade to 5.5.28 when released - apply these patches - http://svn.apache.org/viewvc?rev=781542view=rev - http://svn.apache.org/viewvc?rev=681156view=rev 4.1.x users should do one of the following: - upgrade to 4.1.40 when released - apply this patch http://svn.apache.org/viewvc?rev=781708view=rev Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an example web application that can be used to replace the XML parser used by Tomcat. Credit: The security implications of these bugs was discovered and reported to the Apache Software Foundation by Philippe Prados. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkonw6EACgkQb7IeiTPGAkM8qACgyxH+hBK4r4DprZhIqd97x/V1 /7EAnRMaJsKIoPzBQgOtOhM3vOCtyL+F =B+Gu -END PGP SIGNATURE-
[SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-0580: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.39 Tomcat 5.5.0 to 5.5.27 Tomcat 6.0.0 to 6.0.18 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected. Description: Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords. The attack is possible if form based authenticiaton (j_security_check) with one of the following authentication realms is used: * MemoryRealm * DataSourceRealm * JDBCRealm Mitigation: 6.0.x users should do one of the following: - upgrade to 6.0.20 - apply this patch http://svn.apache.org/viewvc?rev=747840view=rev 5.5.x users should do one of the following: - upgrade to 5.5.28 when released - apply this patch http://svn.apache.org/viewvc?rev=781379view=rev 4.1.x users should do one of the following: - upgrade to 4.1.40 when released - apply this patch http://svn.apache.org/viewvc?rev=781382view=rev Example: The following POST request should trigger an error (500 server error or empty response, depending on the configuration) if the ROOT web application is configured to use FORM authentication: POST /j_security_check HTTP/1.1 Host: localhost j_username=tomcatj_password=% Credit: This issue was discovered by D. Matscheko and T. Hackner of SEC Consult. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkommckACgkQb7IeiTPGAkP75ACg7XYuld/25X2ltLLTeeQx88UB pFgAn1f6mIpzU7QUnjF4lsHcR+6lY67B =a0AC -END PGP SIGNATURE-
CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
Severity: Low
Vendor: SpringSource
Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6
JDK)
Description:
The j.u.r.Pattern.compile method in Sun 1.5 JDK has a problem ([1],[2]) with
exponential compilation times, when using optional groups. A workaround [3] was
implemented in 1.4.2_06 but the root cause of poor performance in regex
processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]); via it's inherited
readObject method (from AbstractRegexpMethodPointcut). When Sun JVM 1.5 driven
application with spring.jar in its classpath accepts serializable data, an
attacker could use a long regex string with many optional groups to consume
enormous CPU resources. And, with a few requests all listeners will be occupied
with compiling regex expressions forever.
Mitigation:
* Users of all products may upgrade to JRE/JDK 1.6 which includes the fix for
the root cause
* Spring Framework 2.5.6.SEC01 has been released for Community users that
includes a workaround to the root cause - see[4] for upgrade steps
* Spring Framework 2.5.6.SR02 is available for Enterprise users that includes a
workaround to the root cause; The software can be found in the Customer Portal
[5]
* Disable functionality that accepts serializable data from untrusted sources
* Spring Framework 3.0.0.M3 will be released shortly that includes a workaround
to the root cause
* dm Server 1.0.2 Community users may replace the Spring Framework 2.5.6 jar
with 2.5.6.SEC01 - see[4] for upgrade steps
* dm Server 1.0.3 that includes a workaround to the root cause will be released
shortly
* Instrumented Spring Framework 2.5.6.SR02 that includes a workaround to the
root cause will be released by April 27, 2009
Example:
public class DoSSpring {
static byte[] getSerialized(Object o) throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(o);
oos.flush();
oos.close();
return baos.toByteArray();
}
public static void main(String[] a) throws Exception{
String thePattern=(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y) +
?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K) +
?(W)?(I)?(U)?(a)?$;
String longerPattern =
thePattern.substring(0,thePattern.length()-1)+thePattern;
int length = longerPattern.length();
String fakePattern = longerPattern.replaceAll(., A);
JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
jrmp.setPattern(fakePattern);
System.out.println(jrmp);
byte[] theArray = getSerialized(jrmp);
int i = 0;
for (; i theArray.length;i++) {
if (((char)theArray[i])=='A' ((char)theArray[i+1]=='A')) {
break;
}
}
System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);
ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
ObjectInputStream ois = new ObjectInputStream(bis);
Object o = ois.readObject(); // returns after a very very long time
}
}
Credit:
This issue was discovered by the RedHat Security Response Team
References:
[1]
http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
[4] http://www.springsource.com/securityadvisory
[5] http://www.springsource.com/spring_account_file
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAknxfZcACgkQb7IeiTPGAkMX0gCdGsE5fqOd0PcMdcYrLTwyejGp
4p0An1Dwr9T+WsCwytVrztkskexVw84T
=zBj5
-END PGP SIGNATURE-
[SECURITY] CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Vulnerability announcement: CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability Severity: important Vendor: The Apache Software Foundation Versions Affected: mod_jk 1.2.0 to 1.2.26 Description: Situations where faulty clients set Content-Length without providing data, or where a user submits repeated requests very quickly may permit one user to view the response associated with a different user's request. Mitigation: Upgrade to mod_jk 1.2.27 or later Example: See description Credit: This issue was discovered by the Red Hat Security Response Team References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-jk.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJ27rAb7IeiTPGAkMRAlsDAJ9qqKPiFnh+rxaxzMZmKIFA5Q5r5QCg2N84 OzL54gpA6e272kokWjK4wZU= =GKVO -END PGP SIGNATURE-
[SECURITY] CVE-2009-0781 XSS in Apache Tomcat examples web application
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2009-0781: Apache Tomcat cross-site scripting vulnerability
Severity: low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39
Description:
The calendar application in the examples contains invalid HTML which
renders the XSS protection for the time parameter ineffective. An
attacker can therefore perform an XSS attack using the time attribute.
Mitigation:
6.0.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750924view=rev
- upgrade to 6.0.19 when released
5.5.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750928view=rev
- upgrade to 5.5.28 when released
4.1.x users should do one of the following:
- remove the examples web application
- apply this patch http://svn.apache.org/viewvc?rev=750927view=rev
- upgrade to 4.1.40 when released
Example:
http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS')});
Credit:
This issue was discovered by Deniz Cevik.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
The Apache Tomcat Security Team
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJsUexb7IeiTPGAkMRAnQkAKDSvIKgXQTCEOdYo0T1Ms0ze07qWQCgh2Af
7M0rD3B+d5vu90/ode27FLI=
=Y8kB
-END PGP SIGNATURE-
[SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-4308: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.32 to 4.1.34 Tomcat 5.5.10 to 5.5.20 Tomcat 6.0.x is not affected The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Note: Although this vulnerability affects relatively old versions of Apache Tomcat, it was only discovered and reported to the Apache Tomcat Security team in October 2008. Publication of this issue was then postponed until now at the request of the reporter. Description: Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may result in the disclosure of POSTed content from a previous request. For a vulnerability to exist the content read from the input stream must be disclosed, eg via writing it to the response and committing the response, before the ArrayIndexOutOfBoundsException occurs which will halt processing of the request. Mitigation: Upgrade to: 4.1.35 or later 5.5.21 or later 6.0.0 or later Example: See original bug report for example of how to create the error condition. Credit: This issue was discovered by Fujitsu and reported to the Tomcat Security Team via JPCERT. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM U3IdbfYNVtRIzCW5XTvhv2E= =rJGg -END PGP SIGNATURE-
Re: [Full-disclosure] Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server
Eduardo Vela wrote: Probably one of this are the vulnerabilty descriptions of the bugs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4017 Looks to be an exact match with http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 Note that although initially reported as a Tomcat vulnerability, the root cause is a JVM bug. Mark If it's the same issue, Oracle didn't contacted me to notify me about it.. if it is that bug, then it could be fixed via: https://support.bea.com/application_content/product_portlets/securityadvisories/2810.html or in that case http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html Greetings!! -- Eduardo http://www.sirdarckcat.net/ On Mon, Jan 19, 2009 at 10:56 PM, Eduardo Vela sirdarck...@gmail.comwrote: Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 Explaination: The %c0%ae%c0%ae is interpreted as: .. because on Java's side: %c0%ae is interpreted as: \uC0AE that get's casted to an ASCII-LOW char, that is: .. You can read dangerous configuration information including passwords, users, paths, etc.. Discovered: 8/16/08 Vendor contacted: 8/16/08 Vendor response: 8/18/08 Vendor reproduced the issue: 9/10/08 Vendor last contact: 9/30/08 Public Disclosure: 1/19/09 Oracle security bug id: 7391479 For more information contact Oracle Security Team: secalert...@oracle.com I really wanted to give a link to a patch, but I think it's better if this is known by sysadmins so they can filter this using an IDS. Greetings!! -- Eduardo http://www.sirdarckcat.net/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Update 2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2 Severity: Important Vendor: Multiple (was The Apache Software Foundation) Versions Affected: Various Description (new information): This vulnerability was originally reported to the Apache Software Foundation as a Tomcat vulnerability. Investigations quickly identified that the root cause was an issue with the UTF-8 charset implementation within the JVM. The issue existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and Apache. It was decided to continue to report this as a Tomcat vulnerability until such time as the JVM vendors had released fixed versions. Unfortunately, the release of fixed JVMs and associated vulnerability disclosure has not been co-ordinated. There has been some confusion within the user community as to the nature and root cause of CVE-2008-2938. Therefore, the Apache Tomcat Security Team is issuing this update to clarify the situation. Mitigation: Contact your JVM vendor for further information. Tomcat users may upgrade as follows to a Tomcat version that contains a workaround: 6.0.x users should upgrade to 6.0.18 5.5.x users should upgrade to 5.5.27 4.1.x users should upgrade to 4.1.39 Credit: This additional information was discovered by the Apache security team. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAklKflkACgkQb7IeiTPGAkPEqwCg5WiCeyaGrUbP/PTIhqF8TGZt DcsAoJIx+NnKCCAk2JxGftVZbxxPrWGl =JALs -END PGP SIGNATURE-
[SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-3271: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.31 Tomcat 5.5.0 Tomcat 6.0.x is not affected The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can, in very rare circumstances, permit a user from a non-permitted IP address to gain access to a context protected with a valve that extends RemoteFilterValve. Mitigation: Upgrade to: 4.1.32 or later 5.5.1 or later 6.0.0 or later Example: This has only been reproduced using a debugger to force a particular processing sequence across two threads. 1. Set a breakpoint right after the place where a value is to be entered in the instance variable of regexp (search:org.apache.regexp.CharacterIterator). 2. Send a request from the IP address* which is not permitted. (stopped at the breakpoint) *About the IP address which is not permitted. The character strings length of the IP address which is set in RemoteAddrValve must be same. 3. Send a request from the IP address which was set in RemoteAddrValve. (stopped at the breakpoint) In this way, the instance variable is to be overwritten here. 4. Resume the thread which is processing the step 2 above. 5. The request from the not permitted IP address will succeed. Credit: This issue was discovered by Kenichi Tsukamoto (Development Dept. II, Application Management Middleware Div., FUJITSU LIMITED) and reported to the Tomcat security team via JPCERT. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj =9Z/F -END PGP SIGNATURE-
[SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated Severity: Important (was moderate) Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.37 Tomcat 5.5.0 to 5.5.26 Tomcat 6.0.0 to 6.0.16 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description (new information): Further investigation of CVE-2008-2938 has shown that the vulnerability also exists only with URIEncoding=UTF-8 set on the connector. In these configurations arbitrary files in the docBase for an application, including files such as web.xml, may be disclosed. Users should also be aware that this vulnerability will apply when processing requests with UTF-8 body encoding and useBodyEncodingForURI=true Mitigation: 6.0.x users should upgrade to 6.0.18 5.5.x users should upgrade to 5.5.27 4.1.x users should obtain the latest source from svn or apply this patch: http://svn.apache.org/viewvc?view=revrevision=681065 Example: http://www.target.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml Credit: This additional information was discovered by the Apache Tomcat security team. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8 CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ =Fi0E -END PGP SIGNATURE-
[CVE-2008-2370] Apache Tomcat information disclosure vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-2370: Apache Tomcat information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.37 Tomcat 5.5.0 to 5.5.26 Tomcat 6.0.0 to 6.0.16 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Mitigation: 6.0.x users should upgrade to 6.0.18 5.5.x users should obtain the latest source from svn or apply this patch which will be included from 5.5.27 http://svn.apache.org/viewvc?rev=680949view=rev 4.1.x users should obtain the latest source from svn or apply this patch which will be included from 4.1.38 http://svn.apache.org/viewvc?rev=680950view=rev Example: For a page that contains: % pageContext.forward(/page2.jsp?somepar=somevalpar=+request.getParameter(blah)); % an attacker can use: http://host/page.jsp?blah=/../WEB-INF/web.xml Credit: This issue was discovered by Stefano Di Paola of Minded Security Research Labs. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkiTGGkACgkQb7IeiTPGAkNeQACdHk1KQ98Dx45Sc+Hslw/YIBH7 8b4An1WZ30LS34Pxx4Rc+VzqhswLLbZd =Zbvc -END PGP SIGNATURE-
[CVE-2008-1232] Apache Tomcat XSS vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2008-1232: Apache Tomcat XSS vulnerability
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Description:
The message argument of HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of HTTP
response. This may include characters that are illegal in HTTP headers. It
is possible for a specially crafted message to result in arbitrary content
being injected into the HTTP response. For a successful XSS attack,
unfiltered user supplied data must be included in the message argument.
Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947view=rev
4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680947view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948view=rev
Example:
[EMAIL PROTECTED] contentType=text/html%
%
~ // some unicode characters, that result in CRLF being printed
~ final String CRLF = \u010D\u010A;
~ final String payload = CRLF + CRLF + script
type='text/javascript'document.write('Hi, there!')/scriptdiv
style='display:none';
~ final String message = Authorization is required to access + payload;
~ response.sendError(403, message);
%
Credit:
This issue was discovered by Konstantin Kolinko.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkiTGFsACgkQb7IeiTPGAkNG6ACfY+P91mt1/h06Q8c5foCJldFp
9B8An2OvenCD+3nWbLazp6Th+lxWgL7f
=lTUT
-END PGP SIGNATURE-
[SECURITY] CVE-2008-1947: Tomcat host-manager XSS vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-1947: Tomcat host-manager XSS vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.9 to 5.5.26 Tomcat 6.0.0 to 6.0.16 This issue has been fixed in the source repositories for each version and will be included in 5.5.27 and 6.0.17. It is anticipated that these versions will be released shortly. Description: The user supplied hostname attribute is not filtered before being included in the output. Mitigation: Do not visit untrusted sites whilst logged in to the host-manager application and log out (close the browser) once finished with the host-manager. Example: Assume that after logged in, the victim was lead to the malicious web server with following file installed. form action=http://localhost:8080/host-manager/html/add; method=get ~ INPUT TYPE=hidden NAME='name' VALUE=scriptalert()/script ~ INPUT TYPE=hidden NAME='aliases' VALUE=somealias ~ input type=submit /form Credit: These issues were discovered by Petr Splichal of RedHat. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkhEahEACgkQb7IeiTPGAkOQggCgirNfHSCkMDhcEzG6Ig1N0WzP qesAoKXePHeBKaB0VzeBoowW5kvZpBQx =4nQe -END PGP SIGNATURE-
[SECURITY] CVE-2007-5333: Tomcat Cookie handling vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-5333: Tomcat Cookie handling vulnerabilities Severity: low - Session hi-jacking Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.36 Tomcat 5.5.0 to 5.5.25 Tomcat 6.0.0 to 6.0.14 Description: The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value. Mitigation: 6.0.x users should upgrade to Tomcat 6.0.16 or later 5.5.x users should upgrade to Tomcat 5.5.26 or later 4.1.x users should build from the latest svn source Examples: +++ GET /myapp/MyCookies HTTP/1.1 Host: localhost Cookie: name=val ue Cookie: name1=moi +++ http://example:8080/examples/servlets/servlet/CookieExample?cookiename=testcookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B Credit: The quotes issue was reported by John Kew. The %5C issue was reported by Ishikawa Yoshihiro via JPCERT/CC. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHrONyb7IeiTPGAkMRAgKrAJwIX1fbtGT7iualwzRK8BDi+QRAkQCg3cMo 58hTHdwJzeFxLXgkLRQwBKk= =Dnsp -END PGP SIGNATURE-
[SECURITY] CVE-2007-6286: Tomcat duplicate request processing vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-6286: Tomcat duplicate request processing vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.11 to 5.5.25 Tomcat 6.0.0 to 6.0.15 Description: When using the native (APR based) connector, connecting to the SSL port using netcat and then disconnecting without sending any data will cause tomcat to handle a duplicate copy of one of the recent requests. Mitigation: 6.0.x users should upgrade to 6.0.16 which includes version 1.1.12 of the native connector. 5.5.x users should upgrade to 5.5.26 which includes version 1.1.12 of the native connector. Example: See description. Credit: This issue was discovered by System Core (http://www.systemcore.ca/). References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHrOcwb7IeiTPGAkMRAq+NAJ45EswKdmWWGfG8r1pr+8TMXzBHCgCePkK0 SYpXhEieSJHQcsO/rxN0ylY= =JK4t -END PGP SIGNATURE-
CVE-2008-0002: Tomcat information disclosure vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-0002: Tomcat information disclosure vulnerability Severity: important Vendor: The Apache Software Foundation Versions Affected: Tomcat 6.0.5 to 6.0.15 Description: If an exception occurs during the processing of parameters (eg if the client disconnects) then it is possible that the parameters submitted for that request will be incorrectly processed as part of a following request. Mitigation: 6.0.x users should upgrade to 6.0.16 or later. Example: See description. Credit: This issue was discovered by Chitrapandian N of AdventNet Inc. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-6.html The Apache Tomcat Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHrNaZb7IeiTPGAkMRAgRxAKCjiAu1kTbKcE4mo0azKvtakl3u/wCcD8Vk S5EZi3e+Da7+99Jkxb/jzn8= =rUWc -END PGP SIGNATURE-
Re: Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: Apache Tomcat/4.1.31 ships with built in examples. One of the example calendar.jsp suffers from input validation error and could be exploited for cross site scriptingand cross site request forgery. This is CVE-2006-7196 which is fixed in 4.1.32 5.5.16. Kind regards, Mark -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG3finb7IeiTPGAkMRApxAAJ9sMCfco8GUEe9LcqbcA+5GE0AKCQCgsEG+ nH4eUojS1ccH9YKtma/GtQU= =3NtA -END PGP SIGNATURE-
CVE-2007-3382: Handling of cookies containing a ' character
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2007-3382: Handling of cookies containing a ' character
Severity:
Low (Session Hi-jacking)
Vendor:
The Apache Software Foundation
Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2
Description:
Tomcat incorrectly treats a single quote character (') in a cookie
value as a delimiter. In some circumstances this can lead to the
leaking of information such as session ID to an attacker.
Mitigation:
Upgrade to 6.0.14
Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.
Example:
http://localost:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKERcookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B
References:
http://tomcat.apache.org/security.html
Mark Thomas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGwSFVb7IeiTPGAkMRAjkwAKDnu+C08WRZazmZfzunFeHcitsvnACg3CtP
6c6FCxbFOcfxhqqayg8kdUI=
=MkDj
-END PGP SIGNATURE-
CVE-2007-3385: Handling of \ in cookies
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-3385: Handling of \ in cookies Severity: Low (Session Hi-jacking) Vendor: The Apache Software Foundation Versions Affected: 6.0.0 to 6.0.13 5.5.0 to 5.5.24 5.0.0 to 5.0.30 4.1.0 to 4.1.36 3.3 to 3.3.2 Description: Tomcat incorrectly handles the character sequence \ in a cookie value. In some circumstances this can lead to the leaking of information such as session ID to an attacker. Mitigation: Upgrade to 6.0.14 Credit: This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing and Networking Center, who worked with the CERT/CC to report the vulnerability. Example: http://localhost:8080/examples/servlets/servlet/CookieExample?cookiename=HAHAcookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B References: http://tomcat.apache.org/security.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGwSFlb7IeiTPGAkMRArdPAJ99AXYzSterU7oG+u8UrtQAd2lTZwCbBK2R hwRixKaYOwWyj5kD+fLT1ls= =hgTP -END PGP SIGNATURE-
CVE-2007-3386: XSS in Host Manager
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-3386: XSS in Host Manager Severity: Low (Cross-site scripting) Vendor: The Apache Software Foundation Versions Affected: 6.0.0 to 6.0.13 5.5.0 to 5.5.24 Description: The Host Manager Servlet does not filter user supplied data before display. This enables an XSS attack. Mitigation: Log out (close browser) of the Host Manager application once admin tasks are complete Upgrade to 6.0.14 Credit: This issue was discovered by the NTT OSS CENTER who worked with the JPCERT/CC to report the vulnerability. Example: form action=http://localhost:8080/host-manager/html/add; method=get input type=hidden NAME='name' VALUE=aaa input type=hidden NAME='aliases' VALUE=scriptalert()/script input type=submit /form References: http://tomcat.apache.org/security.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGwSFyb7IeiTPGAkMRAlgMAKCe0hS+c6so9pxK3KfN7LggWv+3uQCfUsAg 95+vMfHDJlrKHP/yKUZ0SYc= =1pQc -END PGP SIGNATURE-
CVE-2007-3384: XSS in Tomcat cookies example
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2007-3384: XSS in Tomcat cookies example
Severity:
Low (Cross-site scripting)
Vendor:
The Apache Software Foundation
Versions Affected:
3.3 to 3.3.2
Description:
When reporting error messages, Tomcat does not filter user supplied
data before display. This enables an XSS attack.
Mitigation:
Remove examples web application.
Apply patch available from http://tomcat.apache.org/download-33.cgi
Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.
Example:
http://localhost:8080/examples/servlet/CookieExample
populate Name or Value field with:
scriptalert('XSS reflected');/script
and submit.
References:
http://tomcat.apache.org/security.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGsU0Vb7IeiTPGAkMRAoiwAJ4iETiZnDPLKM0v69YZ/FaIhGS8GwCgt+ux
FB0O3FigwHs+A8pP98+gRiA=
=VePF
-END PGP SIGNATURE-
CVE-2007-3383: XSS in Tomcat send mail example
CVE-2007-3383: XSS in Tomcat send mail example
Severity:
Low (Cross-site scripting)
Vendor:
The Apache Software Foundation
Versions Affected:
4.0.0 to 4.0.6
4.1.0 to 4.1.36
Description:
When reporting error messages, the SendMailServlet does not filter
user supplied data before display. This enables an XSS attack.
Mitigation:
Undeploy the examples web application.
Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.
Example:
On this page
http://localhost:8080/examples/jsp/mail/sendmail.jsp
enter the following text
scriptalert('XSS reflected')/script
in the From field and click Send.
References:
http://tomcat.apache.org/security.html
Mark Thomas
[CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language header processing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-1358: Apache Tomcat XSS vulnerability in Accept-Language header processing Severity: Low (cross-site scripting) Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.0.0 to 4.0.6 Tomcat 4.1.0 to 4.1.34 Tomcat 5.0.0 to 5.0.30 Tomcat 5.5.0 to 5.5.20 Tomcat 6.0.0 to 6.0.5 Description: Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores invalid values for Accept-Language headers that do not conform to RFC 2616. Mitigation: 1. Upgrade to fixed version 2. Escape values obtained from Accept-Language header before use. Credit: This issue was reported by Masato Anzai and Toshiharu Sugiyama. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGdxWMb7IeiTPGAkMRAgDgAJkBG6sVBDP/8yxGrZ7CqvEXPNW1mACgiL8M CyWgpvE5125qciTSYPJbOgU= =A84r -END PGP SIGNATURE-
[CVE-2007-2450]: Apache Tomcat XSS vulnerability in Manager
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-2450: Apache Tomcat XSS vulnerabilities in Manager Severity: low (cross-site scripting) Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.0.0 to 4.0.6 Tomcat 4.1.0 to 4.1.36 Tomcat 5.0.0 to 5.0.30 Tomcat 5.5.0 to 5.5.24 Tomcat 6.0.0 to 6.0.13 Description: The Manager and Host Manager web applications do not escape some user provided data before including it in the output. This enables a XSS attack. The user must be logged in to the Manager or Host Manager web application. Mitigation: 1. Log out of the Manager or Host Manager application (close the browser) once tasks requiring use of the manager have been completed. Example: form action=http://example.com:8080/manager/html/upload; method=post enctype=multipart/form-data INPUT TYPE=hidden NAME='deployWar;filename=scriptalert()/script Content-Type: image/gif' VALUE=abc input type=submit /form Credit: These issues were discovered by Daiki Fukumori, Secure Sky Technology. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGcKdkb7IeiTPGAkMRAt1IAKCR47H3juKSvEdGwymOMCpKZdXi8wCgvrzl aQy4/FihDqtrwRDLl0f/asA= =RGcQ -END PGP SIGNATURE-
[CVE-2007-2449] Apache Tomcat XSS vulnerabilities in the JSP examples
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-2449: Apache Tomcat XSS vulnerabilities in the JSP examples Severity: low (cross-site scripting) Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.0.0 to 4.0.6 Tomcat 4.1.0 to 4.1.36 Tomcat 5.0.0 to 5.0.30 Tomcat 5.5.0 to 5.5.24 Tomcat 6.0.0 to 6.0.13 Description: The JSP examples web application displays does not escape some user provided data before including it in the output. This enables a XSS attack. Mitigation: 1. Undeploy the examples web application(s). Example: http://host:port/jsp-examples/snp/snoop.jsp;scriptalert()/scripttest.jsp Credit: These issues were discovered by an unknown security researcher and reported to JPCERT. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGcKbJb7IeiTPGAkMRAi9BAKDsuoomGh2n9BYl7mT/tGEjQ+HIlQCdHjnU zdreMwViLR/bDBnys5YkhPk= =SK7+ -END PGP SIGNATURE-
[CVE-2007-1355] Tomcat documentation XSS vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-1355: Tomcat documentation XSS vulnerabilities Severity: Moderate (Cross-site scripting) Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.0.0 to 4.0.6 Tomcat 4.1.0 to 4.1.36 Tomcat 5.0.0 to 5.0.30 Tomcat 5.5.0 to 5.5.23 Tomcat 6.0.0 to 6.0.10 Description: The Tomcat documentation web application includes a sample application that contains multiple XSS vulnerabilities. Mitigation: Undeploy the Tomcat documentation web application. Credit: These issues were discovered by Ferruh Mavituna. Example: http://server/tomcat-docs/appdev/sample/web/hello.jsp?test=scriptalert(document.domain)/script References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGTxLXb7IeiTPGAkMRAhPzAKDxibK3Cn9Dq+2ZrlhZszmwPAJufACfdvjv AH8zWtQXPUbBVgDS+6KoNOE= =/6Zd -END PGP SIGNATURE-
