tomcat-users mailing list archives

From "Brian" <bbprefix-m...@yahoo.com>
Subject JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Sun, 10 Oct 2010 19:32:29 GMT
Hi,

I'm using Tomcat 6.0.29.

In my site, I'm using a security certificate from www.securitymetrics.com
<http://www.securitymetrics.com>, which has been invalidated today, giving the
following reason:

Description: JRun JSESSIONID weakness
Severity: Potential Problem
CVE: CVE-2004-1478
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1478>,
CVE-2004-2182
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2182>

Impact: Several vulnerabilities in JRun server could allow an intruder to view
arbitrary files, execute arbitrary code, or list directories on the server.

Background: JRun is a Java application server from Macromedia. It runs on
both Unix and Windows NT/2000 systems, and can act as a standalone server or
connect with Apache, IIS or Netscape web servers. ColdFusion is a web
application development Solution which can run with or without a web
application server.

Resolution: For JRun 2.3.3, apply the patches referenced in Macromedia Product
Security Bulletins 00-28
<http://www.adobe.com/devnet/security/security_zone/asb00-28.html> and 00-29
<http://www.adobe.com/devnet/security/security_zone/asb00-29.html>.
For JRun 3.0 and 3.1, install the cumulative patch referenced in Macromedia
Product Security Bulletin 04-08
<http://www.adobe.com/devnet/security/security_zone/mpsb04-08.html>.
For JRun 4.0, install the cumulative patch referenced in Macromedia Product
Security Bulletin 05-13
<http://www.adobe.com/devnet/security/security_zone/mpsb05-13.html>
and the patches in Adobe Product Security Bulletin 07-05
<http://www.adobe.com/support/security/bulletins/apsb07-05.html> and 09-12
<http://www.adobe.com/support/security/bulletins/apsb09-12.html>.
For ColdFusion MX 6.0 and 6.1, install the patch referenced in Macromedia
Product Security Bulletin 04-09
<http://www.adobe.com/devnet/security/security_zone/mpsb04-09.html>
and the patch in Adobe Product Security Bulletin 07-05
<http://www.adobe.com/support/security/bulletins/apsb07-05.html>.
Bulletins can be found in the Macromedia Security Zone
<http://www.adobe.com/support/security/>.

Vulnerability Details: Service: http

I'm not using JRun, but I guess the vulnerability also applies to Tomcat
6.0.29, so they treated me as if I was using JRun with that vulnerability.

Does anybody know what I should do to solve this now?

I guess they are talking about this issue (please read issue # 2):
http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

Brian

