Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2009/02/26 00:17:37 UTC

[SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-4308: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.32 to 4.1.34
Tomcat 5.5.10 to 5.5.20
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Note: Although this vulnerability affects relatively old versions of
Apache Tomcat, it was only discovered and reported to the Apache Tomcat
Security team in October 2008. Publication of this issue was then
postponed until now at the request of the reporter.

Description:
Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
result in the disclosure of POSTed content from a previous request. For
a vulnerability to exist, the content read from the input stream must be
disclosed, e.g. by writing it to the response and committing the
response, before the ArrayIndexOutOfBoundsException occurs, which halts
processing of the request.

Mitigation:
Upgrade to:
4.1.35 or later
5.5.21 or later
6.0.0 or later

Example:
See the original bug report for an example of how to create the error condition.

Credit:
This issue was discovered by Fujitsu and reported to the Tomcat Security
Team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM
U3IdbfYNVtRIzCW5XTvhv2E=
=rJGg
-----END PGP SIGNATURE-----


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
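An added helper, not part of the advisory or of Tomcat itself, that turns the affected and unsupported version ranges listed above into a check an operator can run over a server inventory; the host names and version strings in it are constructed for illustration.

```python
import re

# Affected ranges as listed in the advisory (inclusive at both ends).
AFFECTED_RANGES = (((4, 1, 32), (4, 1, 34)), ((5, 5, 10), (5, 5, 20)))
# Branches the advisory calls unsupported and "may also be affected".
UNSUPPORTED_BRANCHES = ((3,), (4, 0), (5, 0))

def parse_version(text):
    """Pull the first x.y.z version out of e.g. 'Apache Tomcat/5.5.17'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())

def classify(text):
    """Verdict for one version string against CVE-2008-4308: 'affected',
    'unsupported' (advisory: may also be affected) or 'not_affected'
    (6.0.x, or a fixed 4.1.35+ / 5.5.21+ release)."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected"
    for branch in UNSUPPORTED_BRANCHES:
        if v[:len(branch)] == branch:
            return "unsupported"
    return "not_affected"

# Constructed inventory (hypothetical host names, not from the advisory).
INVENTORY = """\
app01 Apache Tomcat/5.5.17
app02 Apache Tomcat/5.5.21
app03 Apache Tomcat/6.0.18
legacy01 Apache Tomcat/4.1.34
legacy02 Apache Tomcat/5.0.28
"""

def hosts_needing_action(inventory=INVENTORY):
    """Map host -> verdict for hosts that are affected or on an unsupported
    branch; hosts on fixed or unaffected releases are left out."""
    result = {}
    for line in inventory.splitlines():
        host, version = line.split(None, 1)
        verdict = classify(version)
        if verdict != "not_affected":
            result[host] = verdict
    return result
```

Hosts reported as "unsupported" get no fixed release on their branch; the advisory's mitigation for them is the same upgrade to 4.1.35, 5.5.21 or 6.0.0 or later.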


Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability

Posted by Mark Thomas <ma...@apache.org>.
nambo.kazu@oss.ntt.co.jp wrote:

> BTW I've found a typo in the security reports.
>   http://tomcat.apache.org/security-5.html
>   http://tomcat.apache.org/security-4.html
>     low: Information disclosure CVE-2008-4308 
>     Bug 40711 may result in the disclosure of POSTed .....
> 
> 40711 -> 40771.

Thanks. I'll get that fixed.

Mark



Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability

Posted by na...@oss.ntt.co.jp.
From: markt@apache.org
Subject: Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Date: Thu, 05 Mar 2009 12:45:10 +0100

> nambo.kazu@oss.ntt.co.jp wrote:
> > Hi, Mark.
> > 
> >> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected
> > I checked Tomcat 5.0.x source code and I've found that 
> > org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
> > Does this mean Tomcat 5.0.x is not affected by this vulnerability?
> 
> I would assume so but haven't confirmed this as 5.0.x is unsupported.

OK, I understand.

BTW I've found a typo in the security reports.
  http://tomcat.apache.org/security-5.html
  http://tomcat.apache.org/security-4.html
    low: Information disclosure CVE-2008-4308 
    Bug 40711 may result in the disclosure of POSTed .....

40711 -> 40771.

Best regards,
Kazu Nambo





Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability

Posted by Mark Thomas <ma...@apache.org>.
nambo.kazu@oss.ntt.co.jp wrote:
> Hi, Mark.
> 
>> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected
> I checked Tomcat 5.0.x source code and I've found that 
> org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
> Does this mean Tomcat 5.0.x is not affected by this vulnerability?

I would assume so but haven't confirmed this as 5.0.x is unsupported.

Mark



Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability

Posted by na...@oss.ntt.co.jp.
Hi, Mark.

> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected
I checked Tomcat 5.0.x source code and I've found that 
org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
Does this mean Tomcat 5.0.x is not affected by this vulnerability?

Advice, please.
Kazu Nambo

