You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2009/12/09 17:29:55 UTC
svn commit: r888860 - in /tomcat/site/trunk: docs/security-5.html
docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml
Author: markt
Date: Wed Dec 9 16:29:54 2009
New Revision: 888860
URL: http://svn.apache.org/viewvc?rev=888860&view=rev
Log:
Add some info on CVE-2009-3555
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Dec 9 16:29:54 2009
@@ -1104,6 +1104,39 @@
<td>
<p>
<blockquote>
+
+ <p>
+<strong>TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a>
+</p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The blocking
+ IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+ provided by the JVM. The APR/native connector uses OpenSSL.</p>
+
+ <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+ To workaround this until a fix is available in JSSE, a new connector
+ attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+ the BIO connector. It should be set to <code>false</code> (the default)
+ to protect against this vulnerability. The attribute will be available in
+ Tomcat 6.0.21 onwards.</p>
+
+ <p>The NIO connector is not vulnerable as it does not support
+ renegotiation.</p>
+
+ <p>The APR/native connector is vulnerable if the OpenSSL version used is
+ vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+ and protect against this vulernability.</p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+
<p>
<strong>JavaMail information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754">
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Dec 9 16:29:54 2009
@@ -842,7 +842,40 @@
<td>
<p>
<blockquote>
- <p>
+
+ <p>
+<strong>TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a>
+</p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The blocking
+ IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+ provided by the JVM. The APR/native connector uses OpenSSL.</p>
+
+ <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+ To workaround this until a fix is available in JSSE, a new connector
+ attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+ the BIO connector. It should be set to <code>false</code> (the default)
+ to protect against this vulnerability. The attribute will be available in
+ Tomcat 6.0.21 onwards.</p>
+
+ <p>The NIO connector is not vulnerable as it does not support
+ renegotiation.</p>
+
+ <p>The APR/native connector is vulnerable if the OpenSSL version used is
+ vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+ and protect against this vulernability.</p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+
+ <p>
<strong>important: Directory traversal</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
CVE-2008-2938</a>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Dec 9 16:29:54 2009
@@ -504,6 +504,37 @@
</section>
<section name="Not a vulnerability in Tomcat">
+
+ <p><strong>TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a></p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The blocking
+ IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+ provided by the JVM. The APR/native connector uses OpenSSL.</p>
+
+ <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+ To workaround this until a fix is available in JSSE, a new connector
+ attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+ the BIO connector. It should be set to <code>false</code> (the default)
+ to protect against this vulnerability. The attribute will be available in
+ Tomcat 6.0.21 onwards.</p>
+
+ <p>The NIO connector is not vulnerable as it does not support
+ renegotiation.</p>
+
+ <p>The APR/native connector is vulnerable if the OpenSSL version used is
+ vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+ and protect against this vulernability.</p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+
<p><strong>JavaMail information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754">
CVE-2005-1754</a></p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Dec 9 16:29:54 2009
@@ -401,7 +401,38 @@
</section>
<section name="Not a vulnerability in Tomcat">
- <p><strong>important: Directory traversal</strong>
+
+ <p><strong>TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a></p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The blocking
+ IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+ provided by the JVM. The APR/native connector uses OpenSSL.</p>
+
+ <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+ To workaround this until a fix is available in JSSE, a new connector
+ attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
+ the BIO connector. It should be set to <code>false</code> (the default)
+ to protect against this vulnerability. The attribute will be available in
+ Tomcat 6.0.21 onwards.</p>
+
+ <p>The NIO connector is not vulnerable as it does not support
+ renegotiation.</p>
+
+ <p>The APR/native connector is vulnerable if the OpenSSL version used is
+ vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation
+ and protect against this vulernability.</p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+
+ <p><strong>important: Directory traversal</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
CVE-2008-2938</a></p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org