From: Mark Thomas
Date: Wed, 25 Feb 2009 23:17:37 +0000
To: Tomcat Users List, Tomcat Developers List, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability

CVE-2008-4308: Tomcat information disclosure vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 4.1.32 to 4.1.34
Tomcat 5.5.10 to 5.5.20
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Note: Although this vulnerability affects relatively old versions of Apache Tomcat, it was only discovered and reported to the Apache Tomcat Security team in October 2008. Publication of this issue was then postponed until now at the request of the reporter.

Description:
Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may result in the disclosure of POSTed content from a previous request. For a vulnerability to exist, the content read from the input stream must be disclosed, e.g. by writing it to the response and committing the response, before the ArrayIndexOutOfBoundsException occurs, which halts processing of the request.

Mitigation:
Upgrade to:
4.1.35 or later
5.5.21 or later
6.0.0 or later

Example:
See the original bug report for an example of how to create the error condition.

Credit:
This issue was discovered by Fujitsu and reported to the Tomcat Security Team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
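The following triage helper is an added example and not part of the advisory or of Tomcat itself: it classifies a Tomcat version string against the affected ranges given above, so an inventory of "Apache Tomcat/x.y.z" banners (the banner format is assumed; the ranges are the advisory's) can be checked for CVE-2008-4308 exposure.

```python
import re
from typing import Optional, Tuple

# Inclusive ranges taken from the advisory. 6.0.x is stated as not affected.
AFFECTED_RANGES = [
    ((4, 1, 32), (4, 1, 34)),
    ((5, 5, 10), (5, 5, 20)),
]

# Unsupported branches the advisory says "may also be affected".
UNSUPPORTED_BRANCHES = [(3,), (4, 0), (5, 0)]

# Requires a full major.minor.patch so a bare "4.1" is not silently
# treated as 4.1.0 and classified as safe.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a string such as '5.5.17' or an
    assumed banner like 'Apache Tomcat/4.1.33'. Returns None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'affected', 'maybe-affected' (unsupported 3.x/4.0.x/5.0.x
    branches) or 'not-affected' for the version found in text."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    # Tuple comparison gives correct numeric ordering (5.5.9 < 5.5.10).
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            return "affected"
    for prefix in UNSUPPORTED_BRANCHES:
        if version[:len(prefix)] == prefix:
            return "maybe-affected"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample banners, not real inventory data.
    for banner in ("Apache Tomcat/4.1.33", "Apache Tomcat/5.5.21",
                   "Apache Tomcat/5.0.28", "Apache Tomcat/6.0.18"):
        print(f"{banner}: {assess(banner)}")
```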