Return-Path: 
 <announce-return-71-apmail-tomcat-announce-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-announce-archive@minotaur.apache.org
Delivered-To: apmail-tomcat-announce-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id E46399731
	for <apmail-tomcat-announce-archive@minotaur.apache.org>;
 Tue, 17 Jan 2012 11:35:26 +0000 (UTC)
Received: (qmail 69288 invoked by uid 500); 17 Jan 2012 11:35:24 -0000
Delivered-To: apmail-tomcat-announce-archive@tomcat.apache.org
Received: (qmail 69249 invoked by uid 500); 17 Jan 2012 11:35:22 -0000
Mailing-List: contact announce-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:announce-help@tomcat.apache.org>
List-Unsubscribe: <mailto:announce-unsubscribe@tomcat.apache.org>
List-Post: <mailto:announce@tomcat.apache.org>
List-Id: <announce.tomcat.apache.org>
Reply-To: announce@tomcat.apache.org
Delivered-To: mailing list announce@tomcat.apache.org
Delivered-To: moderator for announce@tomcat.apache.org
Received: (qmail 59921 invoked by uid 99); 17 Jan 2012 11:35:00 -0000
Message-ID: <4F155CDC.8050804@apache.org>
Date: Tue, 17 Jan 2012 11:34:52 +0000
From: Mark Thomas <markt@apache.org>
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64;
 rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
CC: Tomcat Announce List <announce@tomcat.apache.org>,
 announce@apache.org, Tomcat Developers List <dev@tomcat.apache.org>,
 full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

CVE-2011-3375 Apache Tomcat Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.21
- Tomcat 6.0.30 to 6.0.33
- Earlier versions are not affected

Description:
For performance reasons, information parsed from a request is often
cached in two places: the internal request object and the internal
processor object. These objects are not recycled at exactly the same time.
When certain errors occur that needed to be added to the access log, the
access logging process triggers the re-population of the request object
after it has been recycled. However, the request object was not recycled
before being used for the next request. That lead to information leakage
(e.g. remote IP address, HTTP headers) from the previous request to the
next request.
The issue was resolved be ensuring that the request and response objects
were recycled after being re-populated to generate the necessary access
log entries.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.22 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later

Credit:
The issue was initially reported via Apache Tomcat's public issue
tracker with the potential security implications identified by the
Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872