tomcat-dev mailing list archives
From nambo.k...@oss.ntt.co.jp
Subject Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Date Thu, 05 Mar 2009 08:24:24 GMT
Hi, Mark.

> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
I checked the Tomcat 5.0.x source code and found that
org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
Does this mean that Tomcat 5.0.x is not affected by this vulnerability?

Advice, please.
Kazu Nambo


From: markt@apache.org
Subject: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Date: Wed, 25 Feb 2009 23:17:37 +0000

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> CVE-2008-4308: Tomcat information disclosure vulnerability
> 
> Severity: Low
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Tomcat 4.1.32 to 4.1.34
> Tomcat 5.5.10 to 5.5.20
> Tomcat 6.0.x is not affected
> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected
> 
> Note: Although this vulnerability affects relatively old versions of
> Apache Tomcat, it was only discovered and reported to the Apache Tomcat
> Security team in October 2008. Publication of this issue was then
> postponed until now at the request of the reporter.
> 
> Description:
> Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
> result in the disclosure of POSTed content from a previous request. For
> a vulnerability to exist, the content read from the input stream must be
> disclosed, e.g. by writing it to the response and committing the
> response, before the ArrayIndexOutOfBoundsException occurs, which will
> halt processing of the request.
> 
> Mitigation:
> Upgrade to:
> 4.1.35 or later
> 5.5.21 or later
> 6.0.0 or later
> 
> Example:
> See original bug report for example of how to create the error condition.
> 
> Credit:
> This issue was discovered by Fujitsu and reported to the Tomcat Security
> Team via JPCERT.
> 
> References:
> http://tomcat.apache.org/security.html
> 
> Mark Thomas
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM
> U3IdbfYNVtRIzCW5XTvhv2E=
> =rJGg
> -----END PGP SIGNATURE-----

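The advisory's "Versions Affected" and "Mitigation" sections translate directly into a triage check. The script below is an added example and is not part of the advisory, the Tomcat project, or either message above. It encodes only what the advisory states: 4.1.32-4.1.34 and 5.5.10-5.5.20 are affected, 6.0.x is not, and the unsupported 3.x, 4.0.x and 5.0.x branches "may also be affected" (Nambo's observation about 5.0.x is deliberately not folded in, since the thread does not resolve it). It assumes the version string comes either as a bare "x.y.z" or as the "Server version: Apache Tomcat/x.y.z" line printed by version.sh (org.apache.catalina.util.ServerInfo); the sample lines at the bottom are constructed for the example.

```python
import re

# Inclusive ranges listed under "Versions Affected" in the advisory.
AFFECTED_RANGES = [
    ((4, 1, 32), (4, 1, 34)),
    ((5, 5, 10), (5, 5, 20)),
]

# Branches the advisory calls unsupported and "may also be affected".
UNSUPPORTED_BRANCHES = [(3,), (4, 0), (5, 0)]

# First fixed release per branch, from the "Mitigation" section.
FIXED_IN = {
    (4, 1): (4, 1, 35),
    (5, 5): (5, 5, 21),
}


def parse_version(text):
    """Extract an (major, minor, patch) tuple from a bare version string
    or from the 'Server version: Apache Tomcat/5.5.20' line that
    version.sh / ServerInfo prints (assumed format)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify a Tomcat version against CVE-2008-4308 per the advisory.

    Returns one of:
      'affected: upgrade to X.Y.Z or later'
      'unsupported branch; advisory says it may be affected'
      'not affected'
    """
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            fixed = ".".join(str(n) for n in FIXED_IN[v[:2]])
            return "affected: upgrade to %s or later" % fixed
    for branch in UNSUPPORTED_BRANCHES:
        if v[: len(branch)] == branch:
            return "unsupported branch; advisory says it may be affected"
    # Everything else (4.1.35+, 5.5.21+, all 6.0.x) is outside the
    # ranges the advisory lists.
    return "not affected"


if __name__ == "__main__":
    # Constructed sample inputs, one per branch the advisory mentions.
    samples = [
        "Server version: Apache Tomcat/5.5.20",
        "Server version: Apache Tomcat/5.5.21",
        "4.1.32",
        "4.1.35",
        "5.0.28",
        "6.0.18",
    ]
    for s in samples:
        print("%-40s -> %s" % (s, assess(s)))
```

The check is intentionally conservative: a version on an unsupported branch is reported as "may be affected" rather than "not affected", matching the advisory's wording, so a reviewer has to decide that case by hand (as this thread is doing for 5.0.x).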

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

