You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2009/12/09 17:29:55 UTC

svn commit: r888860 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml

Author: markt
Date: Wed Dec  9 16:29:54 2009
New Revision: 888860

URL: http://svn.apache.org/viewvc?rev=888860&view=rev
Log:
Add some info on CVE-2009-3555

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Dec  9 16:29:54 2009
@@ -1104,6 +1104,39 @@
 <td>
 <p>
 <blockquote>
+
+    <p>
+<strong>TLS SSL Man In The Middle</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+       CVE-2009-3555</a>
+</p>
+
+    <p>A vulnerability exists in the TLS protocol that allows an attacker to
+       inject arbitrary requests into an TLS stream during renegotiation.</p>
+    
+    <p>The TLS implementation used by Tomcat varies with connector. The blocking
+       IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+       provided by the JVM. The APR/native connector uses OpenSSL.</p>
+       
+    <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+       To workaround this until a fix is available in JSSE, a new connector
+       attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+       the BIO connector. It should be set to <code>false</code> (the default)
+       to protect against this vulnerability. The attribute will be available in
+       Tomcat 6.0.21 onwards.</p>
+       
+    <p>The NIO connector is not vulnerable as it does not support
+       renegotiation.</p>
+       
+    <p>The APR/native connector is vulnerable if the OpenSSL version used is
+       vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+       and protect against this vulernability.</p>
+       
+    <p>Users should be aware that the impact of disabling renegotiation will
+       vary with both application and client. In some circumstances disabling
+       renegotiation may result in some clients being unable to access the
+       application.</p>
+
     <p>
 <strong>JavaMail information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754">

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Dec  9 16:29:54 2009
@@ -842,7 +842,40 @@
 <td>
 <p>
 <blockquote>
-      <p>
+  
+    <p>
+<strong>TLS SSL Man In The Middle</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+       CVE-2009-3555</a>
+</p>
+
+    <p>A vulnerability exists in the TLS protocol that allows an attacker to
+       inject arbitrary requests into an TLS stream during renegotiation.</p>
+    
+    <p>The TLS implementation used by Tomcat varies with connector. The blocking
+       IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+       provided by the JVM. The APR/native connector uses OpenSSL.</p>
+       
+    <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+       To workaround this until a fix is available in JSSE, a new connector
+       attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+       the BIO connector. It should be set to <code>false</code> (the default)
+       to protect against this vulnerability. The attribute will be available in
+       Tomcat 6.0.21 onwards.</p>
+       
+    <p>The NIO connector is not vulnerable as it does not support
+       renegotiation.</p>
+       
+    <p>The APR/native connector is vulnerable if the OpenSSL version used is
+       vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+       and protect against this vulernability.</p>
+       
+    <p>Users should be aware that the impact of disabling renegotiation will
+       vary with both application and client. In some circumstances disabling
+       renegotiation may result in some clients being unable to access the
+       application.</p>
+
+    <p>
 <strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
        CVE-2008-2938</a>

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Dec  9 16:29:54 2009
@@ -504,6 +504,37 @@
   </section>
 
   <section name="Not a vulnerability in Tomcat">
+
+    <p><strong>TLS SSL Man In The Middle</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+       CVE-2009-3555</a></p>
+
+    <p>A vulnerability exists in the TLS protocol that allows an attacker to
+       inject arbitrary requests into an TLS stream during renegotiation.</p>
+    
+    <p>The TLS implementation used by Tomcat varies with connector. The blocking
+       IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+       provided by the JVM. The APR/native connector uses OpenSSL.</p>
+       
+    <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+       To workaround this until a fix is available in JSSE, a new connector
+       attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+       the BIO connector. It should be set to <code>false</code> (the default)
+       to protect against this vulnerability. The attribute will be available in
+       Tomcat 6.0.21 onwards.</p>
+       
+    <p>The NIO connector is not vulnerable as it does not support
+       renegotiation.</p>
+       
+    <p>The APR/native connector is vulnerable if the OpenSSL version used is
+       vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+       and protect against this vulernability.</p>
+       
+    <p>Users should be aware that the impact of disabling renegotiation will
+       vary with both application and client. In some circumstances disabling
+       renegotiation may result in some clients being unable to access the
+       application.</p>
+
     <p><strong>JavaMail information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754">
        CVE-2005-1754</a></p>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Dec  9 16:29:54 2009
@@ -401,7 +401,38 @@
   </section>
 
   <section name="Not a vulnerability in Tomcat">
-      <p><strong>important: Directory traversal</strong>
+  
+    <p><strong>TLS SSL Man In The Middle</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+       CVE-2009-3555</a></p>
+
+    <p>A vulnerability exists in the TLS protocol that allows an attacker to
+       inject arbitrary requests into an TLS stream during renegotiation.</p>
+    
+    <p>The TLS implementation used by Tomcat varies with connector. The blocking
+       IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+       provided by the JVM. The APR/native connector uses OpenSSL.</p>
+       
+    <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+       To workaround this until a fix is available in JSSE, a new connector
+       attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+       the BIO connector. It should be set to <code>false</code> (the default)
+       to protect against this vulnerability. The attribute will be available in
+       Tomcat 6.0.21 onwards.</p>
+       
+    <p>The NIO connector is not vulnerable as it does not support
+       renegotiation.</p>
+       
+    <p>The APR/native connector is vulnerable if the OpenSSL version used is
+       vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+       and protect against this vulernability.</p>
+       
+    <p>Users should be aware that the impact of disabling renegotiation will
+       vary with both application and client. In some circumstances disabling
+       renegotiation may result in some clients being unable to access the
+       application.</p>
+
+    <p><strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
        CVE-2008-2938</a></p>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org