tomcat-dev mailing list archives

From Christopher Schultz <>
Subject Re: [SECURITY] CVE-2011-2526 Apache Tomcat Information disclosure and availability vulnerabilities
Date Wed, 13 Jul 2011 16:14:51 GMT


Great catch to all who were involved in discovery and mitigation of this

Since the APR flavor of this vulnerability uses native code to crash the
JVM and/or read files without asking the SecurityManager for permission,
does that mean that the APR SSL configuration could be similarly
attacked by specifying certificate file, etc. paths that shouldn't be
allowed by the SecurityManager?

I don't think there's a disclosure here (specifying /etc/passwd for a
certificate file doesn't dump /etc/passwd) but there might be
opportunities for a JVM crash.

-chris

On 7/13/2011 11:33 AM, Mark Thomas wrote:
> CVE-2011-2526: Apache Tomcat Information disclosure and availability
> vulnerabilities
>
> Severity: low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Tomcat 7.0.0 to 7.0.18
> Tomcat 6.0.0 to 6.0.32
> Tomcat 5.5.0 to 5.0.33
> Previous, unsupported versions may be affected
>
> Additionally, these vulnerabilities only occur when all of the following
> are true:
> a) untrusted web applications are being used
> b) the SecurityManager is used to limit the untrusted web applications
> c) the HTTP NIO or HTTP APR connector is used
> d) sendfile is enabled for the connector (this is the default)
>
> Description:
> Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
> connectors. sendfile is used automatically for content served via the
> DefaultServlet and deployed web applications may use it directly via
> setting request attributes. These request attributes were not validated.
> When running under a security manager, this lack of validation allowed a
> malicious web application to do one or more of the following that would
> normally be prevented by a security manager:
> a) return files to users that the security manager should make
>    inaccessible
> b) terminate (via a crash) the JVM
>
> Mitigation:
> Affected users of all versions can mitigate these vulnerabilities by
> taking any of the following actions:
> a) undeploy untrusted web applications
> b) switch to the HTTP BIO connector (which does not support sendfile)
> c) disable sendfile by setting useSendfile="false" on the connector
> d) apply the patch(es) listed on the Tomcat security pages (see
>    references)
> e) upgrade to a version where the vulnerabilities have been fixed
>    Tomcat 7.0.x users may upgrade to 7.0.19 or later once released
>    Tomcat 6.0.x users may upgrade to 6.0.33 or later once released
>    Tomcat 5.5.x users may upgrade to 5.5.34 or later once released
>
> Example:
> Exposing the first 1000 bytes of /etc/passwd
>
> HttpServletRequest.setAttribute(
>   "org.apache.tomcat.sendfile.filename","/etc/passwd");
> HttpServletRequest.setAttribute(
>   "org.apache.tomcat.sendfile.start",Long.valueOf(0));
> HttpServletRequest.setAttribute(
>   "org.apache.tomcat.sendfile.end",Long.valueOf(1000));
>
> Specifying an end point after the end of the file will trigger a JVM
> crash with the HTTP APR connector and an infinite loop with the HTTP NIO
> connector.
>
> Credit:
> These issues were identified by the Tomcat security team.
>
> References:
>
> The Apache Tomcat Security Team
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:


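The advisory quoted above says the three sendfile request attributes were passed to the connector without validation, and that the connector then reads the file in Tomcat's own security context rather than the web application's. The block below is an added illustration of the checks such a validator needs; it is not Tomcat's patch and not code from either message. The attribute names are the real ones from the advisory; the SendfileAttributeValidator class, its method names and the temp-file demo are assumptions made for this example. It canonicalises the path, asks the SecurityManager (if one is installed) for read permission while still in the caller's protection domain, and rejects the end-past-EOF range the advisory names as the crash trigger.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

/**
 * Added illustration, not Tomcat's own code: the checks that sendfile
 * request attributes need before a connector acts on them. Attribute
 * names are the real Tomcat ones from the advisory; this class, its
 * method names and the demo file are assumptions made for the example.
 */
public final class SendfileAttributeValidator {

    public static final String FILENAME = "org.apache.tomcat.sendfile.filename";
    public static final String START = "org.apache.tomcat.sendfile.start";
    public static final String END = "org.apache.tomcat.sendfile.end";

    /** Validated parameters a connector could hand to sendfile(2). */
    public static final class SendfileData {
        public final String canonicalPath;
        public final long start;   // first byte to send, inclusive
        public final long end;     // end of range, exclusive (start=0,end=1000 => first 1000 bytes)
        SendfileData(String p, long s, long e) { canonicalPath = p; start = s; end = e; }
    }

    /**
     * Validates the three attributes a web application may set.
     * Throws SecurityException for a file the caller may not read and
     * IllegalArgumentException for a byte range the file cannot satisfy.
     */
    public static SendfileData validate(Object filename, Object start, Object end) {
        if (!(filename instanceof String)) {
            throw new IllegalArgumentException(FILENAME + " must be a String");
        }
        // 1. Canonicalise first so "..", symlinks and relative paths are
        //    resolved before any permission check looks at the path.
        String canonical;
        try {
            canonical = new File((String) filename).getCanonicalPath();
        } catch (IOException e) {
            throw new SecurityException("cannot canonicalise " + filename, e);
        }
        // 2. Ask the SecurityManager now, while still running as the web
        //    application. The connector later opens the file from Tomcat's
        //    trusted context, so a check deferred to read time would be
        //    answered for Tomcat, not for the untrusted application.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkRead(canonical);   // throws SecurityException if denied
        }
        File f = new File(canonical);
        if (!f.isFile() || !f.canRead()) {
            throw new IllegalArgumentException("not a readable regular file: " + canonical);
        }
        // 3. Range checks: an end past EOF is the crash/hang trigger in the advisory.
        long s = asLong(start, START);
        long e = asLong(end, END);
        long len = f.length();
        if (s < 0 || e < s || e > len) {
            throw new IllegalArgumentException(
                "range [" + s + "," + e + ") outside file of length " + len);
        }
        return new SendfileData(canonical, s, e);
    }

    /** The attributes are documented as java.lang.Long; accept nothing else. */
    private static long asLong(Object v, String attr) {
        if (v instanceof Long) return (Long) v;
        throw new IllegalArgumentException(attr + " must be a java.lang.Long");
    }

    /** Demo on a constructed temp file: one accepted request, two rejected. */
    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("sendfile-demo", ".txt");
        tmp.deleteOnExit();
        Files.write(tmp.toPath(), "hello sendfile".getBytes(StandardCharsets.US_ASCII)); // 14 bytes

        SendfileData ok = validate(tmp.getPath(), Long.valueOf(0), Long.valueOf(5));
        System.out.println("accepted: " + ok.canonicalPath + " [" + ok.start + "," + ok.end + ")");

        try {   // the advisory's trigger: end point after the end of the file
            validate(tmp.getPath(), Long.valueOf(0), Long.valueOf(1000));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        try {   // start after end
            validate(tmp.getPath(), Long.valueOf(10), Long.valueOf(2));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Without a SecurityManager installed, step 2 is skipped and any file the JVM process can read passes, which is exactly the advisory's precondition (b): the filename check only means something when a SecurityManager is limiting the web application. To see the SecurityException, run the class with -Djava.security.manager and a policy that grants no FilePermission on the file you name (on Java 18 and later the property must be set to "allow" first). The range check, by contrast, is useful regardless of a SecurityManager, since the crash and the infinite loop the advisory describes are availability problems that do not depend on one.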
