Re: CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow
2016-10-07 18:02 GMT+03:00 Markus Koschany:
> Hello,
>
> the recent security announcement for Apache Tomcat JK (CVE-2016-6808)
> mentions that only IIS/ISAPI specific code is vulnerable. This issue was
> apparently fixed in [1]. The vulnerable code is in the
> map_uri_to_worker_ext function which is used by the IIS, Apache 1.3 and
> Apache 2.0 implementations.
>
> Could someone clarify why the official security announcement only
> mentions IIS and not all three servers? Are users who use Apache Tomcat
> JK with Apache 2.x affected by CVE-2016-6808?
>
> Regards,
>
> Markus
>
>
> [1] https://svn.apache.org/viewvc?view=revision=1762057

Quoting from announcement:
[q]
The IIS/ISAPI specific code implements special handling when a virtual
host is present. The virtual host name and the URI are concatenated to
create a virtual host mapping rule. The length checks prior to writing
to the target buffer for this rule did not take account of the length of
the virtual host name, creating the potential for a buffer overflow.

It is not known if this overflow is exploitable.
[/q]

The issue is caused by incorrect handling of the vhost argument of the
map_uri_to_worker_ext function.

In case of Apache HTTPD server the value of the vhost argument is always
NULL, thus vhost_len = 0, and those servers are not affected.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow
Hello,

the recent security announcement for Apache Tomcat JK (CVE-2016-6808)
mentions that only IIS/ISAPI specific code is vulnerable. This issue was
apparently fixed in [1]. The vulnerable code is in the
map_uri_to_worker_ext function which is used by the IIS, Apache 1.3 and
Apache 2.0 implementations.

Could someone clarify why the official security announcement only
mentions IIS and not all three servers? Are users who use Apache Tomcat
JK with Apache 2.x affected by CVE-2016-6808?

Regards,

Markus

[1] https://svn.apache.org/viewvc?view=revision=1762057

[SECURITY] CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow
CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.41

Description
The IIS/ISAPI specific code implements special handling when a virtual
host is present. The virtual host name and the URI are concatenated to
create a virtual host mapping rule. The length checks prior to writing
to the target buffer for this rule did not take account of the length of
the virtual host name, creating the potential for a buffer overflow.
It is not known if this overflow is exploitable.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat JK ISAPI Connector 1.2.42
- Where available, use IIS configuration to restrict the maximum URI
  length to 4095 - (the length of the longest virtual host name)

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-jk.html
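
The length-check gap described in the announcement, and the NULL-vhost case from the reply, shown as an added example that is not part of the thread and is not the Tomcat JK source. All function names are hypothetical, and the 4095-byte capacity is an assumption taken from the figure in the mitigation.

```c
#include <stdio.h>
#include <string.h>

#define MAX_URI_LEN 4095  /* assumption: the 4095 figure from the mitigation */

/* Flawed check as the announcement describes it: only the URI length is
 * compared with the capacity, the vhost prefix is ignored. Returns 1 if the
 * check would let the write go ahead. No copy is performed here. */
int old_check_passes(const char *vhost, const char *uri)
{
    (void)vhost;
    return strlen(uri) <= MAX_URI_LEN;
}

/* Bytes the concatenated rule really needs, excluding the NUL. */
size_t rule_len(const char *vhost, const char *uri)
{
    size_t vhost_len = vhost ? strlen(vhost) : 0;  /* NULL vhost: length 0 */
    return vhost_len + strlen(uri);
}

/* Hardened builder: checks vhost + URI before writing. dst must hold
 * MAX_URI_LEN + 1 bytes. Returns the rule length, or -1 if it does not fit. */
long build_rule(char *dst, const char *vhost, const char *uri)
{
    size_t need = rule_len(vhost, uri);
    if (need > MAX_URI_LEN)
        return -1;
    snprintf(dst, MAX_URI_LEN + 1, "%s%s", vhost ? vhost : "", uri);
    return (long)need;
}

/* Largest URI length that still fits once the vhost is prepended:
 * the mitigation's "4095 - (the length of the virtual host name)". */
size_t mitigation_uri_limit(const char *vhost)
{
    size_t vhost_len = vhost ? strlen(vhost) : 0;
    return vhost_len > MAX_URI_LEN ? 0 : MAX_URI_LEN - vhost_len;
}

int main(void)
{
    static char uri[MAX_URI_LEN + 1], dst[MAX_URI_LEN + 1];
    const char *vhost = "www.example.test";  /* constructed sample */
    memset(uri, 'a', 4090);                  /* constructed 4090-byte URI */
    printf("old check: %d, needed: %zu, hardened: %ld, URI limit: %zu\n",
           old_check_passes(vhost, uri), rule_len(vhost, uri),
           build_rule(dst, vhost, uri), mitigation_uri_limit(vhost));
    return 0;
}
```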