Posted to dev@tomcat.apache.org by mg...@apache.org on 2020/02/03 09:51:13 UTC

svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/

Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1873527&r1=1873526&r2=1873527&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Mon Feb  3 09:51:13 2020
@@ -1,289 +1,290 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
 <html lang="en">
-<head>
-<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link href="res/css/tomcat.css" rel="stylesheet" type="text/css">
-<link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css">
-<title>Apache Tomcat&reg; - Apache Tomcat JK Connectors vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project">
-</head>
-<body>
-<div id="wrapper">
-<header id="header">
-<div class="clearfix">
-<div class="menu-toggler pull-left" tabindex="1">
-<div class="hamburger"></div>
-</div>
-<a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a>
-<h1 class="pull-left">Apache Tomcat<sup>&reg;</sup>
-</h1>
-<div class="asf-logos pull-right">
-<a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a>
-</div>
-</div>
-</header>
-<main id="middle">
-<div>
-<div id="mainLeft">
-<div id="nav-wrapper">
-<form action="https://www.google.com/search" method="get">
-<div class="searchbox">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input aria-label="Search text" placeholder="Search&hellip;" required="required" name="q" id="query" type="search"><button>GO</button>
-</div>
-</form>
-<div class="asfevents">
-<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png" alt="Next ASF event"><br>
-              Save the date!
+    <head>
+        <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <link href="res/css/tomcat.css" rel="stylesheet" type="text/css">
+        <link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css">
+        <title>Apache Tomcat&reg; - Apache Tomcat JK Connectors vulnerabilities</title>
+        <meta name="author" content="Apache Tomcat Project">
+    </head>
+    <body>
+        <div id="wrapper">
+            <header id="header">
+                <div class="clearfix">
+                    <div class="menu-toggler pull-left" tabindex="1">
+                        <div class="hamburger"></div>
+                    </div>
+                    <a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a>
+                    <h1 class="pull-left">
+                        Apache Tomcat<sup>&reg;</sup>
+                    </h1>
+                    <div class="asf-logos pull-right">
+                        <a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a>
+                    </div>
+                </div>
+            </header>
+            <main id="middle">
+                <div>
+                    <div id="mainLeft">
+                        <div id="nav-wrapper">
+                            <form action="https://www.google.com/search" method="get">
+                                <div class="searchbox">
+                                    <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input aria-label="Search text" placeholder="Search&hellip;" required="required" name="q" id="query" type="search"><button>GO</button>
+                                </div>
+                            </form>
+                            <div class="asfevents">
+                                <a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png" alt="Next ASF event">
+                                    <br>
+                                                  Save the date!
             </a>
-</div>
-<nav>
-<div>
-<h2>Apache Tomcat</h2>
-<ul>
-<li>
-<a href="./index.html">Home</a>
-</li>
-<li>
-<a href="./taglibs.html">Taglibs</a>
-</li>
-<li>
-<a href="./maven-plugin.html">Maven Plugin</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Download</h2>
-<ul>
-<li>
-<a href="./whichversion.html">Which version?</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a>
-</li>
-<li>
-<a href="https://archive.apache.org/dist/tomcat/">Archives</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Documentation</h2>
-<ul>
-<li>
-<a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a>
-</li>
-<li>
-<a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a>
-</li>
-<li>
-<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
-</li>
-<li>
-<a href="./connectors-doc/">Tomcat Connectors</a>
-</li>
-<li>
-<a href="./native-doc/">Tomcat Native</a>
-</li>
-<li>
-<a href="https://cwiki.apache.org/confluence/display/TOMCAT">Wiki</a>
-</li>
-<li>
-<a href="./migration.html">Migration Guide</a>
-</li>
-<li>
-<a href="./presentations.html">Presentations</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Problems?</h2>
-<ul>
-<li>
-<a href="./security.html">Security Reports</a>
-</li>
-<li>
-<a href="./findhelp.html">Find help</a>
-</li>
-<li>
-<a href="https://cwiki.apache.org/confluence/display/TOMCAT/FAQ">FAQ</a>
-</li>
-<li>
-<a href="./lists.html">Mailing Lists</a>
-</li>
-<li>
-<a href="./bugreport.html">Bug Database</a>
-</li>
-<li>
-<a href="./irc.html">IRC</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Get Involved</h2>
-<ul>
-<li>
-<a href="./getinvolved.html">Overview</a>
-</li>
-<li>
-<a href="./source.html">Source code</a>
-</li>
-<li>
-<a href="./ci.html">Buildbot</a>
-</li>
-<li>
-<a href="https://cwiki.apache.org/confluence/x/vIPzBQ">Translations</a>
-</li>
-<li>
-<a href="./tools.html">Tools</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Media</h2>
-<ul>
-<li>
-<a href="https://twitter.com/theapachetomcat">Twitter</a>
-</li>
-<li>
-<a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a>
-</li>
-<li>
-<a href="https://blogs.apache.org/tomcat/">Blog</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Misc</h2>
-<ul>
-<li>
-<a href="./whoweare.html">Who We Are</a>
-</li>
-<li>
-<a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a>
-</li>
-<li>
-<a href="./heritage.html">Heritage</a>
-</li>
-<li>
-<a href="http://www.apache.org">Apache Home</a>
-</li>
-<li>
-<a href="./resources.html">Resources</a>
-</li>
-<li>
-<a href="./contact.html">Contact</a>
-</li>
-<li>
-<a href="./legal.html">Legal</a>
-</li>
-<li>
-<a href="https://www.apache.org/foundation/contributing.html">Support Apache</a>
-</li>
-<li>
-<a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
-</li>
-<li>
-<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
-</li>
-<li>
-<a href="http://www.apache.org/licenses/">License</a>
-</li>
-</ul>
-</div>
-</nav>
-</div>
-</div>
-<div id="mainRight">
-<div id="content">
-<h2 style="display: none;">Content</h2>
-<h3 id="Table_of_Contents">Table of Contents</h3>
-<div class="text">
-
-<ul>
-<li>
-<a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</a>
-</li>
-</ul>
-
-</div>
-<h3 id="Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</h3>
-<div class="text">
-    
-<p>This page lists all security vulnerabilities fixed in released versions
+                            </div>
+                            <nav>
+                                <div>
+                                    <h2>Apache Tomcat</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./index.html">Home</a>
+                                        </li>
+                                        <li>
+                                            <a href="./taglibs.html">Taglibs</a>
+                                        </li>
+                                        <li>
+                                            <a href="./maven-plugin.html">Maven Plugin</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Download</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./whichversion.html">Which version?</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://archive.apache.org/dist/tomcat/">Archives</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Documentation</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
+                                        </li>
+                                        <li>
+                                            <a href="./connectors-doc/">Tomcat Connectors</a>
+                                        </li>
+                                        <li>
+                                            <a href="./native-doc/">Tomcat Native</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://cwiki.apache.org/confluence/display/TOMCAT">Wiki</a>
+                                        </li>
+                                        <li>
+                                            <a href="./migration.html">Migration Guide</a>
+                                        </li>
+                                        <li>
+                                            <a href="./presentations.html">Presentations</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Problems?</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./security.html">Security Reports</a>
+                                        </li>
+                                        <li>
+                                            <a href="./findhelp.html">Find help</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://cwiki.apache.org/confluence/display/TOMCAT/FAQ">FAQ</a>
+                                        </li>
+                                        <li>
+                                            <a href="./lists.html">Mailing Lists</a>
+                                        </li>
+                                        <li>
+                                            <a href="./bugreport.html">Bug Database</a>
+                                        </li>
+                                        <li>
+                                            <a href="./irc.html">IRC</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Get Involved</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./getinvolved.html">Overview</a>
+                                        </li>
+                                        <li>
+                                            <a href="./source.html">Source code</a>
+                                        </li>
+                                        <li>
+                                            <a href="./ci.html">Buildbot</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://cwiki.apache.org/confluence/x/vIPzBQ">Translations</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tools.html">Tools</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Media</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="https://twitter.com/theapachetomcat">Twitter</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://blogs.apache.org/tomcat/">Blog</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Misc</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./whoweare.html">Who We Are</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a>
+                                        </li>
+                                        <li>
+                                            <a href="./heritage.html">Heritage</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org">Apache Home</a>
+                                        </li>
+                                        <li>
+                                            <a href="./resources.html">Resources</a>
+                                        </li>
+                                        <li>
+                                            <a href="./contact.html">Contact</a>
+                                        </li>
+                                        <li>
+                                            <a href="./legal.html">Legal</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.apache.org/foundation/contributing.html">Support Apache</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org/licenses/">License</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                            </nav>
+                        </div>
+                    </div>
+                    <div id="mainRight">
+                        <div id="content">
+                            <h2 style="display: none;">Content</h2>
+                            <h3 id="Table_of_Contents">Table of Contents</h3>
+                            <div class="text">
+                                
+                                <ul>
+                                    <li>
+                                        <a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</a>
+                                    </li>
+                                </ul>
+                                
+                            </div>
+                            <h3 id="Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    This page lists all security vulnerabilities fixed in released versions
        of Apache Tomcat Jk Connectors. Each vulnerability is given a
        <a href="security-impact.html">security impact rating</a> by the Apache
        Tomcat security team &mdash; please note that this rating may vary from
        platform to platform. We also list the versions of Apache Tomcat JK
        Connectors the flaw is known to affect, and where a flaw has not been
-       verified list the version with a question mark.</p>
-
-    
-<p>This page has been created from a review of the Apache Tomcat archives
+       verified list the version with a question mark.
+                                </p>
+                                    
+                                <p>
+                                    This page has been created from a review of the Apache Tomcat archives
        and the CVE list. Please send comments or corrections for these
        vulnerabilities to the <a href="security.html">Tomcat
-       Security Team</a>.</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</h3>
-<div class="text">
-
-    
-<p>
-<i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
+       Security Team</a>.
+                                </p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
        but the release vote for the 1.2.45 release candidate did not pass.
        Therefore, although users must download 1.2.46 to obtain a version that
        includes the fix for this issue, version 1.2.45 is not included in the
        list of affected versions.</i>
-</p>
-
-    
-<p>
-<strong>Important: Information disclosure</strong>
+                                </p>
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759" rel="nofollow">CVE-2018-11759</a>
-</p>
-
-    
-<p>The Apache Web Server (httpd) specific code that normalised the requested 
+                                </p>
+                                    
+                                <p>The Apache Web Server (httpd) specific code that normalised the requested 
        path before matching it to the URI-worker map did not handle some edge
        cases correctly. If only a sub-set of the URLs supported by Tomcat were
        exposed via httpd, then it was possible for a specially constructed
@@ -293,9 +294,9 @@
        specially constructed request to bypass the access controls configured in
        httpd. While there is some overlap between this issue and CVE-2018-1323,
        they are not identical.</p>
-
-    
-<p>This was fixed in revisions <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1838836">1838836</a>,
+                                    
+                                <p>
+                                    This was fixed in revisions <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1838836">1838836</a>,
        <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1838857">1838857</a>,
        <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1838871">1838871</a>,
        <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1838882">1838882</a>,
@@ -312,145 +313,137 @@
        <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1840604">1840604</a>,
        <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1840610">1840610</a>,
        <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1840629">1840629</a> and
-       <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1841463">1841463</a>.</p>
-
-    
-<p>Affects: JK 1.2.0-1.2.44</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</h3>
-<div class="text">
-
-    
-<p>
-<strong>Important: Information disclosure</strong>
+       <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1841463">1841463</a>.
+                                </p>
+                                    
+                                <p>Affects: JK 1.2.0-1.2.44</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1323" rel="nofollow">CVE-2018-1323</a>
-</p>
-
-    
-<p>The IIS/ISAPI specific code that normalised the requested path before
+                                </p>
+                                    
+                                <p>The IIS/ISAPI specific code that normalised the requested path before
        matching it to the URI-worker map did not handle some edge cases
        correctly. If only a sub-set of the URLs supported by Tomcat were exposed
        via IIS, then it was possible for a specially constructed request to
        expose application functionality through the reverse proxy that was not
        intended for clients accessing the application via the reverse proxy.</p>
-
-    
-<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1825658">revision 1825658</a>.</p>
-
-    
-<p>Affects: JK 1.2.0-1.2.42</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</h3>
-<div class="text">
-
-    
-<p>
-<strong>Moderate: Buffer Overflow</strong>
+                                    
+                                <p>
+                                    This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1825658">revision 1825658</a>.
+                                </p>
+                                    
+                                <p>Affects: JK 1.2.0-1.2.42</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Moderate: Buffer Overflow</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6808" rel="nofollow">CVE-2016-6808</a>
-</p>
-
-    
-<p>The IIS/ISAPI specific code implements special handling when a virtual
+                                </p>
+                                    
+                                <p>The IIS/ISAPI specific code implements special handling when a virtual
        host is present. The virtual host name and the URI are concatenated to
        create a virtual host mapping rule. The length checks prior to writing
        to the target buffer for this rule did not take account of the length of
        the virtual host name, creating the potential for a buffer overflow.</p>
-
-    
-<p>It is not known if this overflow is exploitable.</p>
-
-    
-<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1762057">revision 1762057</a>.</p>
-
-    
-<p>Affects: JK 1.2.0-1.2.41</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</h3>
-<div class="text">
-
-    
-<p>
-<strong>Important: Information disclosure</strong>
+                                    
+                                <p>It is not known if this overflow is exploitable.</p>
+                                    
+                                <p>
+                                    This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1762057">revision 1762057</a>.
+                                </p>
+                                    
+                                <p>Affects: JK 1.2.0-1.2.41</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111" rel="nofollow">CVE-2014-8111</a>
-</p>
-
-    
-<p>Multiple adjacent slashes in a request URI were not collapsed to a single
+                                </p>
+                                    
+                                <p>
+                                    Multiple adjacent slashes in a request URI were not collapsed to a single
        slash before comparing the request URI to the configured mount and
        unmount patterns. It is therefore possible for an attacker to use a
        request URI containing multiple adjacent slashes to bypass the
        restrictions of a <code>JkUnmount</code> directive. This may expose
        application functionality through the reverse proxy that is not intended
-       for clients accessing the application via the reverse proxy.</p>
-
-    
-<p>As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is
+       for clients accessing the application via the reverse proxy.
+                                </p>
+                                    
+                                <p>
+                                    As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is
        now configurable via a new <code>JkOption</code> for httpd (values
        <code>CollapseSlashesAll</code>, <code>CollapseSlashesNone</code> or
        <code>CollapseSlashesUnmount</code>) and via a new property
        <code>collapse_slashes</code> for IIS (values <code>all</code>,
-       <code>none</code>, <code>unmount</code>).</p>
-
-    
-<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1647017">revision 1647017</a>.</p>
-
-    
-<p>Affects: JK 1.2.0-1.2.40</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</h3>
-<div class="text">
-    
-<p>
-<strong>Important: Information disclosure</strong>
+       <code>none</code>, <code>unmount</code>).
+                                </p>
+                                    
+                                <p>
+                                    This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1647017">revision 1647017</a>.
+                                </p>
+                                    
+                                <p>Affects: JK 1.2.0-1.2.40</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519" rel="nofollow">CVE-2008-5519</a>
-</p>
-
-    
-<p>Situations where faulty clients set Content-Length without providing
+                                </p>
+                                    
+                                <p>Situations where faulty clients set Content-Length without providing
        data, or where a user submits repeated requests very quickly, may permit
        one user to view the response associated with a different user's request.
        </p>
-
-    
-<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=702540">revision 702540</a>.</p>
-
-    
-<p>Affects: JK 1.2.0-1.2.26<br>
-       Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
-       5.5.0-5.5.27</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</h3>
-<div class="text">
-    
-<p>
-<strong>Important: Information disclosure</strong>
+                                    
+                                <p>
+                                    This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=702540">revision 702540</a>.
+                                </p>
+                                    
+                                <p>
+                                    Affects: JK 1.2.0-1.2.26
+                                    <br>
+                                           Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+       5.5.0-5.5.27
+                                </p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a>
-</p>
-
-    
-<p>The issue is related to
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>, the patch for which was insufficient.</p>
-
-    
-<p>When multiple components (firewalls, caches, proxies and Tomcat)
+                                </p>
+                                    
+                                <p>
+                                    The issue is related to
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>, the patch for which was insufficient.
+                                </p>
+                                    
+                                <p>When multiple components (firewalls, caches, proxies and Tomcat)
        process a request, the request URL should not get decoded multiple times
        in an iterative way by these components. Otherwise it might be possible
        to pass access control rules implemented on front of the last component
        by applying multiple URL encoding to the request.
        </p>
-
-    
-<p>mod_jk before version 1.2.23 by default decoded request URLs inside Apache
+                                    
+                                <p>mod_jk before version 1.2.23 by default decoded request URLs inside Apache
        httpd and forwarded the encoded URL to Tomcat, which itself did a second
        decoding. This made it possible to pass a prefix JkMount for /someapp,
        but actually access /otherapp on Tomcat. Starting with version 1.2.23
@@ -458,75 +451,79 @@
        You can achieve the same level of security for older versions by setting
        the forwarding option "JkOption ForwardURICompatUnparsed".
        </p>
-
-    
-<p>Please note, that your configuration might contain a different forwarding
+                                    
+                                <p>
+                                    Please note, that your configuration might contain a different forwarding
        JkOption. In this case, please consult the
        <a href="http://tomcat.apache.org/connectors-doc/reference/apache.html#Forwarding">
        forwarding documentation</a> concerning the security implications.
        The new default setting is more secure than before, but it breaks
        interoperability with mod_rewrite.
-       </p>
-
-    
-<p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br>
-       Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
-       5.5.0-5.5.23</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</h3>
-<div class="text">
-    
-<p>
-<strong>Critical: Arbitrary code execution and denial of service</strong>
+       
+                                </p>
+                                    
+                                <p>
+                                    Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)
+                                    <br>
+                                           Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+       5.5.0-5.5.23
+                                </p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Critical: Arbitrary code execution and denial of service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774" rel="nofollow">CVE-2007-0774</a>
-</p>
-
-    
-<p>An unsafe memory copy in the URI handler for the native JK connector
+                                </p>
+                                    
+                                <p>An unsafe memory copy in the URI handler for the native JK connector
        could result in a stack overflow condition which could be leveraged to
        execute arbitrary code or crash the web server.</p>
-
-    
-<p>Affects: JK 1.2.19-1.2.20<br>
-       Source shipped with: Tomcat 4.1.34, 5.5.20</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</h3>
-<div class="text">
-    
-<p>
-<strong>Important: Information disclosure</strong>
+                                    
+                                <p>
+                                    Affects: JK 1.2.19-1.2.20
+                                    <br>
+                                           Source shipped with: Tomcat 4.1.34, 5.5.20
+                                </p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7197" rel="nofollow">CVE-2006-7197</a>
-</p>
-
-    
-<p>The Tomcat AJP connector contained a bug that sometimes set a too long
+                                </p>
+                                    
+                                <p>The Tomcat AJP connector contained a bug that sometimes set a too long
        length for the chunks delivered by send_body_chunks AJP messages. Bugs of
        this type can cause mod_jk to read beyond buffer boundaries and thus
        reveal sensitive memory information to a client.</p>
-
+                                    
+                                <p>
+                                    Affects: JK 1.2.0-1.2.15
+                                    <br>
+                                           Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30,
+       5.5.0-5.5.16
+                                </p>
+                                  
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </main>
+            <footer id="footer">
+                    Copyright &copy; 1999-2020, The Apache Software Foundation
     
-<p>Affects: JK 1.2.0-1.2.15<br>
-       Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30,
-       5.5.0-5.5.16</p>
-
-  
-</div>
-</div>
-</div>
-</div>
-</main>
-<footer id="footer">
-    Copyright &copy; 1999-2020, The Apache Software Foundation
-    <br>
-    Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
+                <br>
+                    Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
     project logo are either registered trademarks or trademarks of the Apache
     Software Foundation.
-  </footer>
-</div>
-<script src="res/js/tomcat.js"></script>
-</body>
+  
+            </footer>
+        </div>
+        <script src="res/js/tomcat.js"></script>
+    </body>
 </html>

Modified: tomcat/site/trunk/docs/security-native.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1873527&r1=1873526&r2=1873527&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (original)
+++ tomcat/site/trunk/docs/security-native.html Mon Feb  3 09:51:13 2020
@@ -1,405 +1,399 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
 <html lang="en">
-<head>
-<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link href="res/css/tomcat.css" rel="stylesheet" type="text/css">
-<link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css">
-<title>Apache Tomcat&reg; - Apache Tomcat APR/native Connector vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project">
-</head>
-<body>
-<div id="wrapper">
-<header id="header">
-<div class="clearfix">
-<div class="menu-toggler pull-left" tabindex="1">
-<div class="hamburger"></div>
-</div>
-<a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a>
-<h1 class="pull-left">Apache Tomcat<sup>&reg;</sup>
-</h1>
-<div class="asf-logos pull-right">
-<a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a>
-</div>
-</div>
-</header>
-<main id="middle">
-<div>
-<div id="mainLeft">
-<div id="nav-wrapper">
-<form action="https://www.google.com/search" method="get">
-<div class="searchbox">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input aria-label="Search text" placeholder="Search&hellip;" required="required" name="q" id="query" type="search"><button>GO</button>
-</div>
-</form>
-<div class="asfevents">
-<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png" alt="Next ASF event"><br>
-              Save the date!
+    <head>
+        <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <link href="res/css/tomcat.css" rel="stylesheet" type="text/css">
+        <link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css">
+        <title>Apache Tomcat&reg; - Apache Tomcat APR/native Connector vulnerabilities</title>
+        <meta name="author" content="Apache Tomcat Project">
+    </head>
+    <body>
+        <div id="wrapper">
+            <header id="header">
+                <div class="clearfix">
+                    <div class="menu-toggler pull-left" tabindex="1">
+                        <div class="hamburger"></div>
+                    </div>
+                    <a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a>
+                    <h1 class="pull-left">
+                        Apache Tomcat<sup>&reg;</sup>
+                    </h1>
+                    <div class="asf-logos pull-right">
+                        <a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a>
+                    </div>
+                </div>
+            </header>
+            <main id="middle">
+                <div>
+                    <div id="mainLeft">
+                        <div id="nav-wrapper">
+                            <form action="https://www.google.com/search" method="get">
+                                <div class="searchbox">
+                                    <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input aria-label="Search text" placeholder="Search&hellip;" required="required" name="q" id="query" type="search"><button>GO</button>
+                                </div>
+                            </form>
+                            <div class="asfevents">
+                                <a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png" alt="Next ASF event">
+                                    <br>
+                                                  Save the date!
             </a>
-</div>
-<nav>
-<div>
-<h2>Apache Tomcat</h2>
-<ul>
-<li>
-<a href="./index.html">Home</a>
-</li>
-<li>
-<a href="./taglibs.html">Taglibs</a>
-</li>
-<li>
-<a href="./maven-plugin.html">Maven Plugin</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Download</h2>
-<ul>
-<li>
-<a href="./whichversion.html">Which version?</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a>
-</li>
-<li>
-<a href="https://archive.apache.org/dist/tomcat/">Archives</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Documentation</h2>
-<ul>
-<li>
-<a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a>
-</li>
-<li>
-<a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a>
-</li>
-<li>
-<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
-</li>
-<li>
-<a href="./connectors-doc/">Tomcat Connectors</a>
-</li>
-<li>
-<a href="./native-doc/">Tomcat Native</a>
-</li>
-<li>
-<a href="https://cwiki.apache.org/confluence/display/TOMCAT">Wiki</a>
-</li>
-<li>
-<a href="./migration.html">Migration Guide</a>
-</li>
-<li>
-<a href="./presentations.html">Presentations</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Problems?</h2>
-<ul>
-<li>
-<a href="./security.html">Security Reports</a>
-</li>
-<li>
-<a href="./findhelp.html">Find help</a>
-</li>
-<li>
-<a href="https://cwiki.apache.org/confluence/display/TOMCAT/FAQ">FAQ</a>
-</li>
-<li>
-<a href="./lists.html">Mailing Lists</a>
-</li>
-<li>
-<a href="./bugreport.html">Bug Database</a>
-</li>
-<li>
-<a href="./irc.html">IRC</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Get Involved</h2>
-<ul>
-<li>
-<a href="./getinvolved.html">Overview</a>
-</li>
-<li>
-<a href="./source.html">Source code</a>
-</li>
-<li>
-<a href="./ci.html">Buildbot</a>
-</li>
-<li>
-<a href="https://cwiki.apache.org/confluence/x/vIPzBQ">Translations</a>
-</li>
-<li>
-<a href="./tools.html">Tools</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Media</h2>
-<ul>
-<li>
-<a href="https://twitter.com/theapachetomcat">Twitter</a>
-</li>
-<li>
-<a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a>
-</li>
-<li>
-<a href="https://blogs.apache.org/tomcat/">Blog</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Misc</h2>
-<ul>
-<li>
-<a href="./whoweare.html">Who We Are</a>
-</li>
-<li>
-<a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a>
-</li>
-<li>
-<a href="./heritage.html">Heritage</a>
-</li>
-<li>
-<a href="http://www.apache.org">Apache Home</a>
-</li>
-<li>
-<a href="./resources.html">Resources</a>
-</li>
-<li>
-<a href="./contact.html">Contact</a>
-</li>
-<li>
-<a href="./legal.html">Legal</a>
-</li>
-<li>
-<a href="https://www.apache.org/foundation/contributing.html">Support Apache</a>
-</li>
-<li>
-<a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
-</li>
-<li>
-<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
-</li>
-<li>
-<a href="http://www.apache.org/licenses/">License</a>
-</li>
-</ul>
-</div>
-</nav>
-</div>
-</div>
-<div id="mainRight">
-<div id="content">
-<h2 style="display: none;">Content</h2>
-<h3 id="Table_of_Contents">Table of Contents</h3>
-<div class="text">
-
-<ul>
-<li>
-<a href="#Apache_Tomcat_APR/native_Connector_vulnerabilities">Apache Tomcat APR/native Connector vulnerabilities</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17">Fixed in Apache Tomcat Native Connector 1.2.17</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache Tomcat Native Connector 1.2.16</a>
-</li>
-<li>
-<a href="#Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">Not a vulnerability in the Apache Tomcat APR/native Connector</a>
-</li>
-</ul>
-
-</div>
-<h3 id="Apache_Tomcat_APR/native_Connector_vulnerabilities">Apache Tomcat APR/native Connector vulnerabilities</h3>
-<div class="text">
-    
-<p>This page lists all security vulnerabilities fixed in released versions
+                            </div>
+                            <nav>
+                                <div>
+                                    <h2>Apache Tomcat</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./index.html">Home</a>
+                                        </li>
+                                        <li>
+                                            <a href="./taglibs.html">Taglibs</a>
+                                        </li>
+                                        <li>
+                                            <a href="./maven-plugin.html">Maven Plugin</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Download</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./whichversion.html">Which version?</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://archive.apache.org/dist/tomcat/">Archives</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Documentation</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
+                                        </li>
+                                        <li>
+                                            <a href="./connectors-doc/">Tomcat Connectors</a>
+                                        </li>
+                                        <li>
+                                            <a href="./native-doc/">Tomcat Native</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://cwiki.apache.org/confluence/display/TOMCAT">Wiki</a>
+                                        </li>
+                                        <li>
+                                            <a href="./migration.html">Migration Guide</a>
+                                        </li>
+                                        <li>
+                                            <a href="./presentations.html">Presentations</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Problems?</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./security.html">Security Reports</a>
+                                        </li>
+                                        <li>
+                                            <a href="./findhelp.html">Find help</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://cwiki.apache.org/confluence/display/TOMCAT/FAQ">FAQ</a>
+                                        </li>
+                                        <li>
+                                            <a href="./lists.html">Mailing Lists</a>
+                                        </li>
+                                        <li>
+                                            <a href="./bugreport.html">Bug Database</a>
+                                        </li>
+                                        <li>
+                                            <a href="./irc.html">IRC</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Get Involved</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./getinvolved.html">Overview</a>
+                                        </li>
+                                        <li>
+                                            <a href="./source.html">Source code</a>
+                                        </li>
+                                        <li>
+                                            <a href="./ci.html">Buildbot</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://cwiki.apache.org/confluence/x/vIPzBQ">Translations</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tools.html">Tools</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Media</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="https://twitter.com/theapachetomcat">Twitter</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://blogs.apache.org/tomcat/">Blog</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Misc</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./whoweare.html">Who We Are</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a>
+                                        </li>
+                                        <li>
+                                            <a href="./heritage.html">Heritage</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org">Apache Home</a>
+                                        </li>
+                                        <li>
+                                            <a href="./resources.html">Resources</a>
+                                        </li>
+                                        <li>
+                                            <a href="./contact.html">Contact</a>
+                                        </li>
+                                        <li>
+                                            <a href="./legal.html">Legal</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.apache.org/foundation/contributing.html">Support Apache</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org/licenses/">License</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                            </nav>
+                        </div>
+                    </div>
+                    <div id="mainRight">
+                        <div id="content">
+                            <h2 style="display: none;">Content</h2>
+                            <h3 id="Table_of_Contents">Table of Contents</h3>
+                            <div class="text">
+                                
+                                <ul>
+                                    <li>
+                                        <a href="#Apache_Tomcat_APR/native_Connector_vulnerabilities">Apache Tomcat APR/native Connector vulnerabilities</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17">Fixed in Apache Tomcat Native Connector 1.2.17</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache Tomcat Native Connector 1.2.16</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">Not a vulnerability in the Apache Tomcat APR/native Connector</a>
+                                    </li>
+                                </ul>
+                                
+                            </div>
+                            <h3 id="Apache_Tomcat_APR/native_Connector_vulnerabilities">Apache Tomcat APR/native Connector vulnerabilities</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    This page lists all security vulnerabilities fixed in released versions
        of Apache Tomcat APR/native Connector. Each vulnerability is given a
        <a href="security-impact.html">security impact rating</a> by the Apache
        Tomcat security team &mdash; please note that this rating may vary from
        platform to platform. We also list the versions of Apache Tomcat APR/native
        Connectors the flaw is known to affect, and where a flaw has not been
-       verified list the version with a question mark.</p>
-
-    
-<p>
-<strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
+       verified list the version with a question mark.
+                                </p>
+                                    
+                                <p>
+                                    <strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
        but have either been incorrectly reported against Tomcat or where Tomcat
-       provides a workaround are listed at the end of this page.</p>
-
-    
-<p>This page has been created from a review of the Apache Tomcat archives
+       provides a workaround are listed at the end of this page.
+                                </p>
+                                    
+                                <p>
+                                    This page has been created from a review of the Apache Tomcat archives
        and the CVE list. Please send comments or corrections for these
        vulnerabilities to the <a href="security.html">Tomcat
-       Security Team</a>.</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_Native_Connector_1.2.17">Fixed in Apache Tomcat Native Connector 1.2.17</h3>
-<div class="text">
-
-    
-<p>
-<strong>Moderate: Mishandled OCSP invalid response</strong>
+       Security Team</a>.
+                                </p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_Native_Connector_1.2.17">Fixed in Apache Tomcat Native Connector 1.2.17</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Moderate: Mishandled OCSP invalid response</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8019" rel="nofollow">CVE-2018-8019</a>
-</p>
-    
-<p>When using an OCSP responder Tomcat Native did not correctly handle
+                                </p>
+                                    
+                                <p>When using an OCSP responder Tomcat Native did not correctly handle
        invalid responses.  This allowed for revoked client certificates to
        be incorrectly identified.  It was therefore possible for users to
        authenticate with revoked certificates when using mutual TLS.</p>
-
-    
-<p>This was fixed in revision <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1832832">1832832</a>.</p>
-
-    
-<p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
-
-    
-<p>
-<strong>Important:  Mishandled OCSP responses can allow clients to
+                                    
+                                <p>
+                                    This was fixed in revision <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1832832">1832832</a>.
+                                </p>
+                                    
+                                <p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
+                                    
+                                <p>
+                                    <strong>Important:  Mishandled OCSP responses can allow clients to
        authenticate with revoked certificates</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8020" rel="nofollow">CVE-2018-8020</a>
-</p>
-
-    
-<p>Apache Tomcat Native has a flaw that does not properly check OCSP
+                                </p>
+                                    
+                                <p>Apache Tomcat Native has a flaw that does not properly check OCSP
        pre-produced responses, which are lists (multiple entries) of
        certificate statuses. Subsequently, revoked client certificates may not be
        properly identified, allowing for users to authenticate with revoked
        certicates to connections that require mutual TLS.</p>
-
-    
-<p>This was fixed in revision <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1832863">1832863</a>.</p>
-
-    
-<p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache Tomcat Native Connector 1.2.16</h3>
-<div class="text">
-
-    
-<p>
-<i>Note: The issue below was fixed in Apache Tomcat Native Connector
+                                    
+                                <p>
+                                    This was fixed in revision <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1832863">1832863</a>.
+                                </p>
+                                    
+                                <p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache Tomcat Native Connector 1.2.16</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <i>Note: The issue below was fixed in Apache Tomcat Native Connector
        1.2.15 but the release vote for the 1.2.15 release candidate did not
        pass. Therefore, although users must download 1.2.16 to obtain a version
        that includes the fix for this issue, version 1.2.15 is not included in
        the list of affected versions.</i>
-</p>
-
-    
-<p>
-<strong>Moderate: OCSP check omitted</strong>
+                                </p>
+                                    
+                                <p>
+                                    <strong>Moderate: OCSP check omitted</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15698" rel="nofollow">CVE-2017-15698</a>
-</p>
-
-    
-<p>When parsing the AIA-Extension field of a client certificate, the Apache
+                                </p>
+                                    
+                                <p>When parsing the AIA-Extension field of a client certificate, the Apache
        Tomcat Native Connector did not correctly handle fields longer than 127
        bytes. The result of the parsing error was to skip the OCSP check. It was
        therefore possible for client certificates that should have been rejected
        (if the OCSP check had been made) to be accepted. Users not using OCSP
        checks are not affected by this vulnerability.
     </p>
-
-    
-<p>This was fixed in revisions <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1815200">1815200</a> and
-       <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1815218">1815218</a>.</p>
-
-    
-<p>This issue was reported to the Apache Tomcat Security Team by Jonas
+                                    
+                                <p>
+                                    This was fixed in revisions <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1815200">1815200</a> and
+       <a href="https://svn.apache.org/viewvc?view=rev&amp;rev=1815218">1815218</a>.
+                                </p>
+                                    
+                                <p>This issue was reported to the Apache Tomcat Security Team by Jonas
        Klempel on 6 November 2017 and made public on 31 January 2018.</p>
-
-    
-<p>Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34</p>
-
-  
-</div>
-<h3 id="Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">Not a vulnerability in the Apache Tomcat APR/native Connector</h3>
-<div class="text">
-    
-<p>
-<strong>TLS SSL Man In The Middle</strong>
+                                    
+                                <p>Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34</p>
+                                  
+                            </div>
+                            <h3 id="Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">Not a vulnerability in the Apache Tomcat APR/native Connector</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>TLS SSL Man In The Middle</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
-</p>
-
-    
-<p>A vulnerability exists in the TLS protocol that allows an attacker to
+                                </p>
+                                    
+                                <p>A vulnerability exists in the TLS protocol that allows an attacker to
        inject arbitrary requests into an TLS stream during renegotiation.</p>
+                                    
     
-    
-<p>The TLS implementation used by Tomcat varies with connector. The
+                                <p>The TLS implementation used by Tomcat varies with connector. The
        APR/native connector uses OpenSSL.</p>
-       
+                                       
     
-<p>The APR/native connector is vulnerable if the OpenSSL version used is
+                                <p>The APR/native connector is vulnerable if the OpenSSL version used is
        vulnerable. Note: Building with OpenSSL 0.9.8l will disable all
        renegotiation and protect against this vulnerability.</p>
-
-    
-<p>From 1.1.18 onwards, client initiated renegotiations are rejected to
+                                    
+                                <p>From 1.1.18 onwards, client initiated renegotiations are rejected to
        provide partial protection against this vulnerability with any OpenSSL
        version.</p>
-       
+                                       
     
-<p>Users should be aware that the impact of disabling renegotiation will
+                                <p>Users should be aware that the impact of disabling renegotiation will
        vary with both application and client. In some circumstances disabling
        renegotiation may result in some clients being unable to access the
        application.</p>
-
-    
-<p>
-<strong>Important: Remote Memory Read</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p>
-
-    
-<p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+                                    
+                                <p>
+                                    <strong>Important: Remote Memory Read</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")
+                                </p>
+                                    
+                                <p>
+                                    A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
         can allow an unauthenticated remote user to read certain contents of
         the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
         include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
-        ship with patched versions of OpenSSL.</p>
-
+        ship with patched versions of OpenSSL.
+                                </p>
+                                    
+                                <p>This issue was first announced on 7 April 2014.</p>
+                                    
+                                <p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
+                                  
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </main>
+            <footer id="footer">
+                    Copyright &copy; 1999-2020, The Apache Software Foundation
     
-<p>This issue was first announced on 7 April 2014.</p>
-
-    
-<p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
-  
-</div>
-</div>
-</div>
-</div>
-</main>
-<footer id="footer">
-    Copyright &copy; 1999-2020, The Apache Software Foundation
-    <br>
-    Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
+                <br>
+                    Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
     project logo are either registered trademarks or trademarks of the Apache
     Software Foundation.
-  </footer>
-</div>
-<script src="res/js/tomcat.js"></script>
-</body>
+  
+            </footer>
+        </div>
+        <script src="res/js/tomcat.js"></script>
+    </body>
 </html>


