Topic : | Apache Tomcat information disclosure
|
SecurityAlert : 4396
CVE : CVE-2008-3271
CWE : CWE-264
SecurityRisk : Low (About)
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : No
Credit : Mark Thomas
Published : 14.10.2008
Affected Software : | apache:tomcat:4.1.12
apache:tomcat:4.1.11
apache:tomcat:4.1.0
apache:tomcat:4.1.16
apache:tomcat:4.1.14
apache:tomcat:4.1.13
apache:tomcat:4.1.15
apache:tomcat:4.1.1
apache:tomcat:4.1.10
apache:tomcat:4.1.25
apache:tomcat:4.1.23
apache:tomcat:4.1.24
apache:tomcat:4.1.22
apache:tomcat:4.1.17
apache:tomcat:4.1.21
apache:tomcat:4.1.2
apache:tomcat:4.1.20
apache:tomcat:4.1.19
apache:tomcat:4.1.18
apache:tomcat:4.1.26
apache:tomcat:4.1.27
apache:tomcat:4.1.28
apache:tomcat:4.1.29
apache:tomcat:4.1.3
apache:tomcat:4.1.3:beta
apache:tomcat:4.1.30
apache:tomcat:4.1.31
apache:tomcat:4.1.4
apache:tomcat:4.1.5
apache:tomcat:4.1.6
apache:tomcat:4.1.7
apache:tomcat:4.1.8
apache:tomcat:4.1.9
apache:tomcat:5.5.0 |
 Advisory Content : -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2008-3271: Tomcat information disclosure vulnerability
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.1.0 to 4.1.31
Tomcat 5.5.0
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.
Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later
Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.
1. Set a breakpoint right after the place where a value
is to be entered in the instance variable of regexp
(search:org.apache.regexp.CharacterIterator).
2. Send a request from the IP address* which is not permitted.
(stopped at the breakpoint)
*About the IP address which is not permitted.
The character strings length of the IP address which is set
in RemoteAddrValve must be same.
3. Send a request from the IP address which was set in
RemoteAddrValve.
(stopped at the breakpoint)
In this way, the instance variable is to be overwritten here.
4. Resume the thread which is processing the step 2 above.
5. The request from the not permitted IP address will succeed.
Credit:
This issue was discovered by Kenichi Tsukamoto (Development Dept. II,
Application Management Middleware Div., FUJITSU LIMITED) and reported to
the Tomcat security team via JPCERT.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj
=9Z/F
-----END PGP SIGNATURE-----
References :
https://issues.apache.org/bugzilla/show_bug.cgi?id=25835
http://www.securityfocus.com/bid/31698
http://www.securityfocus.com/archive/1/archive/1/497220/100/0/threaded
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
http://secunia.com/advisories/32234
http://jvn.jp/en/jp/JVN30732239/index.html
Feedback :
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
|