tomcat-users mailing list archives

From "BARRON, HAROLD H CTR DISA EE" <harold.barron....@disa.mil>
Subject Apache Tomcat 5.5.34 Question (UNCLASSIFIED)
Date Wed, 21 Sep 2011 18:32:23 GMT
Classification:  UNCLASSIFIED 
Caveats: NONE


Team,


	Since Tomcat 5.5.34 has not been made available for the current
Apache Tomcat Injection Vulnerability
(IAVA 2011-B-0114), is there a workaround for this problem until the
patch is out? This software is being used on a Windows 2003 Server and
the current problem is stated below:

Executive Summary:
Apache Software Foundation has addressed a vulnerability affecting
various versions of Apache Tomcat.  Apache Tomcat is an open source
software implementation of the Java Servlet and JavaServer Pages
technologies.  To exploit this vulnerability, a remote attacker would
create and send a malicious request to an affected system.  If
successfully exploited, this vulnerability would allow a remote attacker
to bypass security restrictions and obtain access to sensitive
information.

Technical Overview:
Apache Tomcat AJP Protocol Security Bypass and Information Disclosure
Vulnerability - (CVE-2011-3190):
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of the request
body. In certain circumstances, Tomcat did not process this message as a
request body but as a new request. This permitted an attacker to have
full control over the AJP message permitting authentication bypass and
information disclosure.

	Again, is there a workaround or a temporary mitigation process
that anyone knows of that can be implemented until that patch is made
available for download? Thanks


Harold Barron

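An added example, not part of the message above and not Tomcat's own code, modelling the AJP framing the Technical Overview describes: the reverse proxy sends a Forward Request and, because the request has a body, immediately follows it with an unsolicited first body chunk. Two container-side readers decode the same byte stream. The stateful one remembers how many body bytes the last request still owes, so the chunk is attached to that request whatever its first byte is; the stateless one takes the first payload byte of every packet as a message type, and for the body chunk that byte is the high byte of the client-chosen body length. Packet framing, the prefix code, the method code and the 0xA0xx header codes follow the AJP13 specification; the URI, host name, addresses and body are constructed sample data.

```python
"""Model of AJP13 framing between a reverse proxy and a servlet container.

Proxy -> container packets start with the magic bytes 0x12 0x34, then a
2-byte big-endian payload length, then the payload.  A Forward Request
payload starts with prefix code 2; a body-chunk payload is only a 2-byte
data length followed by the data, with no prefix code at all.
"""
import struct

MAGIC = b"\x12\x34"
PREFIX_FORWARD_REQUEST = 2    # AJP13 prefix code: Forward Request
METHOD_POST = 4               # AJP13 method code: POST

# Common request headers travel as 0xA0xx codes instead of strings.
HEADER_CODES = {"content-type": 0xA007, "content-length": 0xA008, "host": 0xA00B}
CODE_HEADERS = {v: k for k, v in HEADER_CODES.items()}


def ajp_string(s):
    """AJP string: 2-byte length, the bytes, then a NUL terminator."""
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"


def packet(payload):
    """Wrap a payload in the proxy -> container packet framing."""
    return MAGIC + struct.pack(">H", len(payload)) + payload


def forward_request_payload(uri, headers, remote_addr="10.0.0.5", is_ssl=False):
    """Forward Request payload for a POST of `uri` (sample field values are constructed)."""
    p = bytes([PREFIX_FORWARD_REQUEST, METHOD_POST])
    p += ajp_string("HTTP/1.1") + ajp_string(uri)
    p += ajp_string(remote_addr) + ajp_string("")           # remote_addr, remote_host
    p += ajp_string("localhost") + struct.pack(">H", 80)    # server_name, server_port
    p += b"\x01" if is_ssl else b"\x00"                     # is_ssl
    p += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        p += struct.pack(">H", code) if code else ajp_string(name)
        p += ajp_string(value)
    return p + b"\xff"                                      # no request attributes


def body_chunk_payload(data):
    """Body chunk payload: 2-byte data length followed by the data."""
    return struct.pack(">H", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode("latin-1"), off + 3 + n


def parse_forward_request(payload):
    """Decode the fields this model encodes (0xFFFF null strings are not handled)."""
    if payload[0] != PREFIX_FORWARD_REQUEST:
        raise ValueError("prefix code %d is not a Forward Request" % payload[0])
    off = 2                                   # skip prefix code and method code
    _, off = _read_string(payload, off)       # protocol
    uri, off = _read_string(payload, off)
    remote_addr, off = _read_string(payload, off)
    _, off = _read_string(payload, off)       # remote_host
    _, off = _read_string(payload, off)       # server_name
    off += 2                                  # server_port
    is_ssl = payload[off] == 1
    off += 1
    (num_headers,) = struct.unpack(">H", payload[off:off + 2])
    off += 2
    headers = {}
    for _ in range(num_headers):
        (code,) = struct.unpack(">H", payload[off:off + 2])
        if (code & 0xFF00) == 0xA000:
            name, off = CODE_HEADERS[code], off + 2
        else:
            name, off = _read_string(payload, off)
        value, off = _read_string(payload, off)
        headers[name.lower()] = value
    return {"uri": uri, "remote_addr": remote_addr, "is_ssl": is_ssl,
            "headers": headers, "body": b""}


def split_packets(stream):
    """Cut a byte stream into packet payloads using the magic + length framing."""
    off, payloads = 0, []
    while off < len(stream):
        if stream[off:off + 2] != MAGIC:
            raise ValueError("bad packet magic at offset %d" % off)
        (n,) = struct.unpack(">H", stream[off + 2:off + 4])
        payloads.append(stream[off + 4:off + 4 + n])
        off += 4 + n
    return payloads


def decode_stateful(stream):
    """Reader that remembers how many body bytes the last request still owes.

    While `owed` is positive the next packet is a body chunk for the current
    request, whatever its first byte is; only once the body is accounted for
    is a packet read as a new message.
    """
    requests, owed = [], 0
    for p in split_packets(stream):
        if owed > 0:
            (n,) = struct.unpack(">H", p[:2])
            requests[-1]["body"] += p[2:2 + n]
            owed = owed - n if n else 0       # an empty chunk ends the body early
        else:
            req = parse_forward_request(p)
            owed = int(req["headers"].get("content-length", "0"))
            requests.append(req)
    return requests


def message_types_stateless(stream):
    """Message type a reader sees if it takes every packet's first byte as the type.

    For the body chunk that byte is the high byte of the data length, a value
    the HTTP client chose, so the client rather than the proxy decides what
    kind of message the container believes it received.
    """
    return [p[0] for p in split_packets(stream)]


def sample_stream():
    """Constructed exchange: one POST whose first body chunk the proxy sends unsolicited."""
    body = b"user=alice&action=upload"
    request = forward_request_payload(
        "/upload", [("host", "app.example"), ("content-length", str(len(body)))])
    return packet(request) + packet(body_chunk_payload(body))
```

The property the advisory text implies, and that `decode_stateful` keeps, is that the unsolicited chunk must be consumed as body even if nothing ever reads the request body; the moment a reader forgets the outstanding body count, the next bytes it interprets as a message header are bytes the HTTP client chose.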


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

