Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/09/10 21:21:23 UTC
svn commit: r1521594 [13/16] - in /tomcat/site/trunk: docs/ docs/images/ docs/stylesheets/ xdocs/images/ xdocs/stylesheets/
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1521594&r1=1521593&r2=1521594&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Tue Sep 10 19:21:22 2013
@@ -1,282 +1,8 @@
-<html>
-<head>
-<META http-equiv="Content-Type" content="text/html; charset=utf-8">
-<title>Apache Tomcat - Apache Tomcat 7 vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project">
-<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
-<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
-</head>
-<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
-<table border="0" width="100%" cellspacing="0">
-<!--PAGE HEADER-->
-<tr>
-<td>
-<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
-<h1>Apache Tomcat</h1>
-</font></td><td>
-<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
-</tr>
-</table>
-<div class="searchbox noPrint">
-<form action="http://www.google.com/search" method="get">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
-</form>
-</div>
-<table border="0" width="100%" cellspacing="4">
-<!--HEADER SEPARATOR-->
-<tr>
-<td colspan="2">
-<hr noshade size="1">
-</td>
-</tr>
-<tr>
-<!--LEFT SIDE NAVIGATION-->
-<td width="20%" valign="top" nowrap="true" class="noPrint">
-<p>
-<strong>Apache Tomcat</strong>
-</p>
-<ul>
-<li>
-<a href="./index.html">Home</a>
-</li>
-<li>
-<a href="./taglibs/">Taglibs</a>
-</li>
-<li>
-<a href="./maven-plugin.html">Maven Plugin</a>
-</li>
-</ul>
-<p>
-<strong>Download</strong>
-</p>
-<ul>
-<li>
-<a href="./whichversion.html">Which version?</a>
-</li>
-<li>
-<a href="./download-80.cgi">Tomcat 8.0</a>
-</li>
-<li>
-<a href="./download-70.cgi">Tomcat 7.0</a>
-</li>
-<li>
-<a href="./download-60.cgi">Tomcat 6.0</a>
-</li>
-<li>
-<a href="./download-connectors.cgi">Tomcat Connectors</a>
-</li>
-<li>
-<a href="./download-native.cgi">Tomcat Native</a>
-</li>
-<li>
-<a href="http://archive.apache.org/dist/tomcat/">Archives</a>
-</li>
-</ul>
-<p>
-<strong>Documentation</strong>
-</p>
-<ul>
-<li>
-<a href="./tomcat-8.0-doc/index.html">Tomcat 8.0</a>
-</li>
-<li>
-<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
-</li>
-<li>
-<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a>
-</li>
-<li>
-<a href="./connectors-doc/">Tomcat Connectors</a>
-</li>
-<li>
-<a href="./native-doc/">Tomcat Native</a>
-</li>
-<li>
-<a href="http://wiki.apache.org/tomcat/FrontPage">Wiki</a>
-</li>
-<li>
-<a href="./migration.html">Migration Guide</a>
-</li>
-</ul>
-<p>
-<strong>Problems?</strong>
-</p>
-<ul>
-<li>
-<a href="./security.html">Security Reports</a>
-</li>
-<li>
-<a href="./findhelp.html">Find help</a>
-</li>
-<li>
-<a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a>
-</li>
-<li>
-<a href="./lists.html">Mailing Lists</a>
-</li>
-<li>
-<a href="./bugreport.html">Bug Database</a>
-</li>
-<li>
-<a href="./irc.html">IRC</a>
-</li>
-</ul>
-<p>
-<strong>Get Involved</strong>
-</p>
-<ul>
-<li>
-<a href="./getinvolved.html">Overview</a>
-</li>
-<li>
-<a href="./svn.html">SVN Repositories</a>
-</li>
-<li>
-<a href="./ci.html">Buildbot</a>
-</li>
-<li>
-<a href="https://reviews.apache.org/groups/tomcat/">Reviewboard</a>
-</li>
-<li>
-<a href="./tools.html">Tools</a>
-</li>
-</ul>
-<p>
-<strong>Media</strong>
-</p>
-<ul>
-<li>
-<a href="http://blogs.apache.org/tomcat/">Blog</a>
-</li>
-<li>
-<a href="http://twitter.com/theapachetomcat">Twitter</a>
-</li>
-</ul>
-<p>
-<strong>Misc</strong>
-</p>
-<ul>
-<li>
-<a href="./whoweare.html">Who We Are</a>
-</li>
-<li>
-<a href="./heritage.html">Heritage</a>
-</li>
-<li>
-<a href="http://www.apache.org">Apache Home</a>
-</li>
-<li>
-<a href="./resources.html">Resources</a>
-</li>
-<li>
-<a href="./contact.html">Contact</a>
-</li>
-<li>
-<a href="./legal.html">Legal</a>
-</li>
-<li>
-<a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
-</li>
-<li>
-<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
-</li>
-</ul>
-</td>
-<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Table of Contents">
-<!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td>
-</tr>
-<tr>
-<td>
-<p>
-<blockquote>
-
-<ul>
-<li>
-<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.40">Fixed in Apache Tomcat 7.0.40</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.33">Fixed in Apache Tomcat 7.0.33</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.32">Fixed in Apache Tomcat 7.0.32</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.30">Fixed in Apache Tomcat 7.0.30</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.28">Fixed in Apache Tomcat 7.0.28</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.23">Fixed in Apache Tomcat 7.0.23</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.22">Fixed in Apache Tomcat 7.0.22</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.21">Fixed in Apache Tomcat 7.0.21</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.20">Fixed in Apache Tomcat 7.0.20</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.19">Fixed in Apache Tomcat 7.0.19</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.14">Fixed in Apache Tomcat 7.0.14</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.12">Fixed in Apache Tomcat 7.0.12</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.11">Fixed in Apache Tomcat 7.0.11</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.8">Fixed in Apache Tomcat 7.0.8</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.6">Fixed in Apache Tomcat 7.0.6</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.5">Fixed in Apache Tomcat 7.0.5</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.4">Fixed in Apache Tomcat 7.0.4</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_7.0.2">Fixed in Apache Tomcat 7.0.2</a>
-</li>
-<li>
-<a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a>
-</li>
-</ul>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Apache Tomcat 7.x vulnerabilities">
-<!--()--></a><a name="Apache_Tomcat_7.x_vulnerabilities"><strong>Apache Tomcat 7.x vulnerabilities</strong></a></font></td>
-</tr>
-<tr>
-<td>
-<p>
-<blockquote>
-
-<p>This page lists all security vulnerabilities fixed in released versions
+<!DOCTYPE html SYSTEM "about:legacy-compat">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="stylesheets/tomcat.css" rel="stylesheet" type="text/css"><link href="stylesheets/tomcat-printer.css" rel="stylesheet" type="text/css" media="print"><title>Apache Tomcat - Apache Tomcat 7 vulnerabilities</title><meta name="author" content="Apache Tomcat Project"></head><body><div id="wrapper"><header id="header"><div><div><div class="logo noPrint"><a href=""><img alt="Tomcat Home" src="./images/tomcat.png"></a></div><div style="height: 1px;"></div><div class="asfLogo"><a href="http://www.apache.org/" target="_blank"><img src="http://www.apache.org/images/feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a></div><h1 style="margin-top: 35px;">Apache Tomcat</h1><div style="clear: right;"></div><div class="searchbox noPrint"><form action="http://www.google.com/search" method="get"><input value="tomcat.apache.org" name="sitesearch" type="hidden"><input
placeholder="Search the Site…" required="required" size="25" name="q" id="query" type="search"><button>Search</button></form></div><div style="height: 1px;"></div><div style="clear: left;"></div></div></div></header><div id="middle"><div><div id="mainLeft" class="noprint"><div><nav><div><h2><strong>Apache Tomcat</strong></h2><ul><li><a href="./index.html">Home</a></li><li><a href="./taglibs/">Taglibs</a></li><li><a href="./maven-plugin.html">Maven Plugin</a></li></ul></div><div><h2><strong>Download</strong></h2><ul><li><a href="./whichversion.html">Which version?</a></li><li><a href="./download-80.cgi">Tomcat 8.0</a></li><li><a href="./download-70.cgi">Tomcat 7.0</a></li><li><a href="./download-60.cgi">Tomcat 6.0</a></li><li><a href="./download-connectors.cgi">Tomcat Connectors</a></li><li><a href="./download-native.cgi">Tomcat Native</a></li><li><a href="http://archive.apache.org/dist/tomcat/">Archives</a></li></ul></div><div><h2><strong>Documentation</strong></h2><ul><li><
a href="./tomcat-8.0-doc/index.html">Tomcat 8.0</a></li><li><a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a></li><li><a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a></li><li><a href="./connectors-doc/">Tomcat Connectors</a></li><li><a href="./native-doc/">Tomcat Native</a></li><li><a href="http://wiki.apache.org/tomcat/FrontPage">Wiki</a></li><li><a href="./migration.html">Migration Guide</a></li></ul></div><div><h2><strong>Problems?</strong></h2><ul><li><a href="./security.html">Security Reports</a></li><li><a href="./findhelp.html">Find help</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="./lists.html">Mailing Lists</a></li><li><a href="./bugreport.html">Bug Database</a></li><li><a href="./irc.html">IRC</a></li></ul></div><div><h2><strong>Get Involved</strong></h2><ul><li><a href="./getinvolved.html">Overview</a></li><li><a href="./svn.html">SVN Repositories</a></li><li><a href="./ci.html">Buildbot</a></li><li><a href="https://reviews.apach
e.org/groups/tomcat/">Reviewboard</a></li><li><a href="./tools.html">Tools</a></li></ul></div><div><h2><strong>Media</strong></h2><ul><li><a href="http://blogs.apache.org/tomcat/">Blog</a></li><li><a href="http://twitter.com/theapachetomcat">Twitter</a></li></ul></div><div><h2><strong>Misc</strong></h2><ul><li><a href="./whoweare.html">Who We Are</a></li><li><a href="./heritage.html">Heritage</a></li><li><a href="http://www.apache.org">Apache Home</a></li><li><a href="./resources.html">Resources</a></li><li><a href="./contact.html">Contact</a></li><li><a href="./legal.html">Legal</a></li><li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li><li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li></ul></div></nav></div></div><div id="mainRight"><div id="content"><main><h2 style="display: none;">Content</h2><h3 id="Table_of_Contents">Table of Contents</h3><div class="text">
+<ul><li><a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.40">Fixed in Apache Tomcat 7.0.40</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.33">Fixed in Apache Tomcat 7.0.33</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.32">Fixed in Apache Tomcat 7.0.32</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.30">Fixed in Apache Tomcat 7.0.30</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.28">Fixed in Apache Tomcat 7.0.28</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.23">Fixed in Apache Tomcat 7.0.23</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.22">Fixed in Apache Tomcat 7.0.22</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.21">Fixed in Apache Tomcat 7.0.21</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.20">Fixed in Apache Tomcat 7.0.20</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.19">Fixed in Apache Tomcat 7.0.19</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.14">Fixed in Apache Tomcat 7.0.
14</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.12">Fixed in Apache Tomcat 7.0.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.11">Fixed in Apache Tomcat 7.0.11</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.8">Fixed in Apache Tomcat 7.0.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.6">Fixed in Apache Tomcat 7.0.6</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.5">Fixed in Apache Tomcat 7.0.5</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.4">Fixed in Apache Tomcat 7.0.4</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.2">Fixed in Apache Tomcat 7.0.2</a></li><li><a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a></li></ul>
+</div><h3 id="Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</h3><div class="text">
+ <p>This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 7.x. Each vulnerability is given a
<a href="security-impact.html">security impact rating</a> by the Apache
Tomcat security team — please note that this rating may vary from
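Review bot: in the rebuilt page header (the long `+` lines that replace the old `<table>` layout) the logo link is now `<a href="">`, which resolves to the current page instead of the site home that the removed markup pointed at (`<a href="http://tomcat.apache.org/">`); use `./index.html` or the absolute URL. In the same region the left navigation is `<div id="mainLeft" class="noprint">` while the logo and search boxes use `class="... noPrint"`; with the new `<!DOCTYPE html SYSTEM "about:legacy-compat">` the page renders in standards mode, where class selectors are case-sensitive, so the nav will not match the print stylesheet's `noPrint` rule and will still be printed.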
@@ -284,14 +10,11 @@
is known to affect, and where a flaw has not been verified list the
version with a question mark.</p>
-
-<p>
-<strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
+ <p><strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
but have either been incorrectly reported against Tomcat or where Tomcat
provides a workaround are listed at the end of this page.</p>
-
-<p>Please note that binary patches are never provided. If you need to
+ <p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 7.0 those are
<a href="/tomcat-7.0-doc/building.html"><code>building.html</code></a> and
@@ -301,243 +24,119 @@
<a href="/tomcat-7.0-doc/security-howto.html">Security Considerations</a>
page in the documentation.</p>
-
-<p>If you need help on building or configuring Tomcat or other help on
+ <p>If you need help on building or configuring Tomcat or other help on
following the instructions to mitigate the known vulnerabilities listed
here, please send your questions to the public
<a href="lists.html">Tomcat Users mailing list</a>
-
-</p>
+ </p>
-
-<p>If you have encountered an unlisted security vulnerability or other
+ <p>If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has <a href="security-impact.html">security
impact</a>, or if the descriptions here are incomplete,
please report them privately to the
<a href="security.html">Tomcat Security Team</a>. Thank you.
</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.40">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.40"><strong>Fixed in Apache Tomcat 7.0.40</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 9 May 2013</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.40"><span style="float: right;">released 9 May 2013</span> Fixed in Apache Tomcat 7.0.40</h3><div class="text">
-
-<p>
-<strong>Moderate: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071" rel="nofollow">CVE-2013-2071</a>
-</p>
+ <p><strong>Moderate: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071" rel="nofollow">CVE-2013-2071</a></p>
-
-<p>Bug <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54178">54178</a> described a scenario where elements of a previous
+ <p>Bug <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54178">54178</a> described a scenario where elements of a previous
request may be exposed to a current request. This was very difficult to
exploit deliberately but fairly likely to happen unexpectedly if an
application used AsyncListeners that threw RuntimeExceptions.</p>
-
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1471372">1471372</a>.</p>
+ <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1471372">1471372</a>.</p>
-
-<p>The root cause of the problem was identified as a Tomcat bug on 2 April
+ <p>The root cause of the problem was identified as a Tomcat bug on 2 April
2013. The Tomcat security team identified the security implications on
24 April 2013 and made those details public on 10 May 2013.</p>
-
-<p>Affects: 7.0.0-7.0.39</p>
+ <p>Affects: 7.0.0-7.0.39</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.33">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.33"><strong>Fixed in Apache Tomcat 7.0.33</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 21 Nov 2012</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.33"><span style="float: right;">released 21 Nov 2012</span> Fixed in Apache Tomcat 7.0.33</h3><div class="text">
-
-<p>
-<strong>Important: Session fixation</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067" rel="nofollow">CVE-2013-2067</a>
-</p>
+ <p><strong>Important: Session fixation</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067" rel="nofollow">CVE-2013-2067</a></p>
-
-<p>FORM authentication associates the most recent request requiring
+ <p>FORM authentication associates the most recent request requiring
authentication with the current session. By repeatedly sending a request
for an authenticated resource while the victim is completing the login
form, an attacker could inject a request that would be executed using
the victim's credentials.</p>
-
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1408044">1408044</a>.</p>
+ <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1408044">1408044</a>.</p>
-
-<p>This issue was identified by the Tomcat security team on 15 Oct 2012 and
+ <p>This issue was identified by the Tomcat security team on 15 Oct 2012 and
made public on 10 May 2013.</p>
-
-<p>Affects: 7.0.0-7.0.32</p>
+ <p>Affects: 7.0.0-7.0.32</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.32">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.32"><strong>Fixed in Apache Tomcat 7.0.32</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 9 Oct 2012</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.32"><span style="float: right;">released 9 Oct 2012</span> Fixed in Apache Tomcat 7.0.32</h3><div class="text">
-
-<p>
-<strong>Important: Bypass of CSRF prevention filter</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4431" rel="nofollow">CVE-2012-4431</a>
-</p>
+ <p><strong>Important: Bypass of CSRF prevention filter</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4431" rel="nofollow">CVE-2012-4431</a></p>
-
-<p>The CSRF prevention filter could be bypassed if a request was made to a
+ <p>The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.
</p>
-
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1393088">1393088</a>.</p>
+ <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1393088">1393088</a>.</p>
-
-<p>This issue was identified by the Tomcat security team on 8 September 2012
+ <p>This issue was identified by the Tomcat security team on 8 September 2012
and made public on 4 December 2012.</p>
-
-<p>Affects: 7.0.0-7.0.31</p>
+ <p>Affects: 7.0.0-7.0.31</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.30">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.30"><strong>Fixed in Apache Tomcat 7.0.30</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 6 Sep 2012</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.30"><span style="float: right;">released 6 Sep 2012</span> Fixed in Apache Tomcat 7.0.30</h3><div class="text">
-
-<p>
-<strong>Important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544" rel="nofollow">CVE-2012-3544</a>
-</p>
+ <p><strong>Important: Denial of service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544" rel="nofollow">CVE-2012-3544</a></p>
-
-<p>When processing a request submitted using the chunked transfer encoding,
+ <p>When processing a request submitted using the chunked transfer encoding,
Tomcat ignored but did not limit any extensions that were included. This
allows a client to perform a limited DOS by streaming an unlimited
amount of data to the server.</p>
-
-<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1378702">1378702</a> and
+ <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1378702">1378702</a> and
<a href="http://svn.apache.org/viewvc?view=rev&rev=1378921">1378921</a>.</p>
-
-<p>This issue was reported to the Tomcat security team on 10 November 2011
+ <p>This issue was reported to the Tomcat security team on 10 November 2011
and made public on 10 May 2013.</p>
-
-<p>Affects: 7.0.0-7.0.29</p>
+ <p>Affects: 7.0.0-7.0.29</p>
-
-<p>
-<strong>Moderate: DIGEST authentication weakness</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a>
-</p>
+ <p><strong>Moderate: DIGEST authentication weakness</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a></p>
-
-<p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+ <p>Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
</p>
-
-<ol>
-
-<li>Tomcat tracked client rather than server nonces and nonce count.</li>
-
-<li>When a session ID was present, authentication was bypassed.</li>
-
-<li>The user name and password were not checked before when indicating
+ <ol>
+ <li>Tomcat tracked client rather than server nonces and nonce count.</li>
+ <li>When a session ID was present, authentication was bypassed.</li>
+ <li>The user name and password were not checked before when indicating
that a nonce was stale.</li>
-
-</ol>
-
-<p>
+ </ol>
+ <p>
These issues reduced the security of DIGEST authentication making
replay attacks possible in some circumstances.
</p>
-
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1377807">1377807</a>.</p>
+ <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1377807">1377807</a>.</p>
-
-<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+ <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
on 19 July 2012. The second and third issues were discovered by the
Tomcat security team during the resulting code review. All three issues
were made public on 5 November 2012.</p>
-
-<p>Affects: 7.0.0-7.0.29</p>
+ <p>Affects: 7.0.0-7.0.29</p>
-
-<p>
-<strong>Important: Bypass of security constraints</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3546" rel="nofollow">CVE-2012-3546</a>
-</p>
+ <p><strong>Important: Bypass of security constraints</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3546" rel="nofollow">CVE-2012-3546</a></p>
-
-<p>When using FORM authentication it was possible to bypass the security
+ <p>When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
<code>/j_security_check</code> to the end of the URL if some other
component (such as the Single-Sign-On valve) had called
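Review bot: the release date now sits inside each section heading as a floated span (`<h3 id="Fixed_in_Apache_Tomcat_7.0.40"><span style="float: right;">released 9 May 2013</span> Fixed in Apache Tomcat 7.0.40</h3>`, and likewise for 7.0.33, 7.0.32 and 7.0.30), so the heading text reads "released 9 May 2013 Fixed in Apache Tomcat 7.0.40" to screen readers, search indexing and anything that builds a table of contents from headings; put the date in its own element after the heading, or at least after the heading text, and move the inline `style` into tomcat.css. Minor, carried over from the old version: the "Tomcat Users mailing list" paragraph still ends without a full stop.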
@@ -545,114 +144,55 @@
<code>FormAuthenticator#authenticate()</code>.
</p>
-
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1377892">1377892</a>.</p>
+ <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1377892">1377892</a>.</p>
-
-<p>This issue was identified by the Tomcat security team on 13 July 2012 and
+ <p>This issue was identified by the Tomcat security team on 13 July 2012 and
made public on 4 December 2012.</p>
-
-<p>Affects: 7.0.0-7.0.29</p>
+ <p>Affects: 7.0.0-7.0.29</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.28">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.28"><strong>Fixed in Apache Tomcat 7.0.28</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 19 Jun 2012</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.28"><span style="float: right;">released 19 Jun 2012</span> Fixed in Apache Tomcat 7.0.28</h3><div class="text">
-
-<p>
-<strong>Important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733" rel="nofollow">CVE-2012-2733</a>
-</p>
+ <p><strong>Important: Denial of service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733" rel="nofollow">CVE-2012-2733</a></p>
-
-<p>The checks that limited the permitted size of request headers were
+ <p>The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an
OutOfMemoryError by sending a single request with very large headers.
</p>
-
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1350301">1350301</a>.</p>
+ <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1350301">1350301</a>.</p>
-
-<p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
+ <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
2012 and made public on 5 November 2012.</p>
-
-<p>Affects: 7.0.0-7.0.27</p>
+ <p>Affects: 7.0.0-7.0.27</p>
-
-<p>
-<strong>Important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4534" rel="nofollow">CVE-2012-4534</a>
-</p>
+ <p><strong>Important: Denial of service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4534" rel="nofollow">CVE-2012-4534</a></p>
-
-<p>When using the NIO connector with sendfile and HTTPS enabled, if a client
+ <p>When using the NIO connector with sendfile and HTTPS enabled, if a client
breaks the connection while reading the response an infinite loop is
entered leading to a denial of service. This was originally reported as
<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=52858">bug
52858</a>.
</p>
-
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1340218">1340218</a>.</p>
+ <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1340218">1340218</a>.</p>
-
-<p>The security implications of this bug were reported to the Tomcat
+ <p>The security implications of this bug were reported to the Tomcat
security team by Arun Neelicattu of the Red Hat Security Response Team on
3 October 2012 and made public on 4 December 2012.</p>
-
-<p>Affects: 7.0.0-7.0.27</p>
+ <p>Affects: 7.0.0-7.0.27</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.23">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.23"><strong>Fixed in Apache Tomcat 7.0.23</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 25 Nov 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.23"><span style="float: right;">released 25 Nov 2011</span> Fixed in Apache Tomcat 7.0.23</h3><div class="text">
-
-<p>
-<strong>Important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0022" rel="nofollow">CVE-2012-0022</a>
-</p>
+ <p><strong>Important: Denial of service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0022" rel="nofollow">CVE-2012-0022</a></p>
-
-<p>Analysis of the recent hash collision vulnerability identified unrelated
+ <p>Analysis of the recent hash collision vulnerability identified unrelated
inefficiencies with Apache Tomcat's handling of large numbers of
parameters and parameter values. These inefficiencies could allow an
attacker, via a specially crafted request, to cause large amounts of CPU
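Review bot: `OutOfMemoryError` in the CVE-2012-2733 paragraph is a Java class name and should be wrapped in `<code>`, matching how `<code>/j_security_check</code>` and `<code>FormAuthenticator#authenticate()</code>` are marked up in the preceding hunk.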
@@ -660,8 +200,7 @@
addressed by modifying the Tomcat parameter handling code to efficiently
process large numbers of parameters and parameter values.</p>
-
-<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1189899">1189899</a>,
+ <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1189899">1189899</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1190372">1190372</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1190482">1190482</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1194917">1194917</a>,
@@ -674,42 +213,17 @@
<a href="http://svn.apache.org/viewvc?view=rev&rev=1195977">1195977</a> and
<a href="http://svn.apache.org/viewvc?view=rev&rev=1198641">1198641</a>.</p>
-
-<p>This was identified by the Tomcat security team on 21 October 2011 and
+ <p>This was identified by the Tomcat security team on 21 October 2011 and
made public on 17 January 2012.</p>
-
-<p>Affects: 7.0.0-7.0.22</p>
+ <p>Affects: 7.0.0-7.0.22</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.22">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.22"><strong>Fixed in Apache Tomcat 7.0.22</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 Oct 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.22"><span style="float: right;">released 1 Oct 2011</span> Fixed in Apache Tomcat 7.0.22</h3><div class="text">
-
-<p>
-<strong>Important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3375" rel="nofollow">CVE-2011-3375</a>
-</p>
+ <p><strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3375" rel="nofollow">CVE-2011-3375</a></p>
-
-<p>For performance reasons, information parsed from a request is often
+ <p>For performance reasons, information parsed from a request is often
cached in two places: the internal request object and the internal
processor object. These objects are not recycled at exactly the same
time. When certain errors occur that needed to be added to the access
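Review bot: The rewritten heading line `+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.22">` keeps only the underscore id and drops the second anchor the old markup carried, `<a name="Fixed in Apache Tomcat 7.0.22">`, so any existing link to the space-separated fragment (`#Fixed%20in%20Apache%20Tomcat%207.0.22`) will no longer land on this section; either keep an empty anchor for the old name or confirm nothing links to it before removing it. The same applies to every release heading converted in this patch. Also, `<span style="float: right;">` is repeated inline on each of those headings; a class in the site stylesheet would keep the date placement in one place.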
@@ -721,24 +235,17 @@
and response objects were recycled after being re-populated to generate
the necessary access log entries.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1176592">revision 1176592</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1176592">revision 1176592</a>.</p>
-
-<p>This was identified by the Tomcat security team on 22 September 2011 and
+ <p>This was identified by the Tomcat security team on 22 September 2011 and
made public on 17 January 2012.</p>
-
-<p>Affects: 7.0.0-7.0.21</p>
+ <p>Affects: 7.0.0-7.0.21</p>
-
-<p>
-<strong>Low: Privilege Escalation</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3376" rel="nofollow">CVE-2011-3376</a>
-</p>
+ <p><strong>Low: Privilege Escalation</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3376" rel="nofollow">CVE-2011-3376</a></p>
-
-<p>This issue only affects environments running web applications that are
+ <p>This issue only affects environments running web applications that are
not trusted (e.g. shared hosting environments). The Servlets that
implement the functionality of the Manager application that ships with
Apache Tomcat should only be available to Contexts (web applications)
@@ -748,46 +255,20 @@
web applications as well as deploying additional web applications.
</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1176588">revision 1176588</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1176588">revision 1176588</a>.</p>
-
-<p>This was identified by Ate Douma on 27 September 2011 and made public
+ <p>This was identified by Ate Douma on 27 September 2011 and made public
on 8 November 2011.</p>
-
-<p>Affects: 7.0.0-7.0.21</p>
-
+ <p>Affects: 7.0.0-7.0.21</p>
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.21">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.21"><strong>Fixed in Apache Tomcat 7.0.21</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 Sep 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.21"><span style="float: right;">released 1 Sep 2011</span> Fixed in Apache Tomcat 7.0.21</h3><div class="text">
-
-<p>
-<strong>Important: Authentication bypass and information disclosure
+ <p><strong>Important: Authentication bypass and information disclosure
</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190" rel="nofollow">CVE-2011-3190</a>
-</p>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190" rel="nofollow">CVE-2011-3190</a></p>
-
-<p>Apache Tomcat supports the AJP protocol which is used with reverse
+ <p>Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
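Review bot: Style point on the CVE-2011-3190 title: the closing `</strong>` is left on its own line (`+ <p><strong>Important: Authentication bypass and information disclosure` followed by ` </strong>`), which leaves a stray space inside the bold text and differs from the single-line `<p><strong>…</strong>` form used for every other title in this patch; join the two lines so the title matches the rest.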
@@ -798,143 +279,66 @@
information disclosure. This vulnerability only occurs when all of the
following are true:
<ul>
-
-<li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+ <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
</li>
-
-<li>POST requests are accepted</li>
-
-<li>The request body is not processed</li>
-
-</ul>
-
-</p>
+ <li>POST requests are accepted</li>
+ <li>The request body is not processed</li>
+ </ul>
+ </p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">revision 1162958</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">revision 1162958</a>.</p>
-
-<p>This was reported publicly on 20th August 2011.</p>
+ <p>This was reported publicly on 20th August 2011.</p>
-
-<p>Affects: 7.0.0-7.0.20</p>
+ <p>Affects: 7.0.0-7.0.20</p>
-
-<p>Mitigation options:</p>
-
-<ul>
-
-<li>Upgrade to Tomcat 7.0.21</li>
-
-<li>Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">patch</a>
-</li>
-
-<li>Configure both Tomcat and the reverse proxy to use a shared secret.<br>
+ <p>Mitigation options:</p>
+ <ul>
+ <li>Upgrade to Tomcat 7.0.21</li>
+ <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">patch</a></li>
+ <li>Configure both Tomcat and the reverse proxy to use a shared secret.<br>
(It is "<code>requiredSecret</code>" attribute in AJP <Connector>,
"<code>worker.<i>workername</i>.secret</code>" directive for mod_jk.
The mod_proxy_ajp module currently does not support shared secrets).</li>
-
-</ul>
+ </ul>
-
-<p>References:</p>
-
-<ul>
-
-<li>
-<a href="/tomcat-7.0-doc/config/ajp.html">AJP Connector documentation (Tomcat 7.0)</a>
-</li>
-
-<li>
-<a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a>
-</li>
-
-</ul>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.20">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.20"><strong>Fixed in Apache Tomcat 7.0.20</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 11 Aug 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ <p>References:</p>
+ <ul>
+ <li><a href="/tomcat-7.0-doc/config/ajp.html">AJP Connector documentation (Tomcat 7.0)</a></li>
+ <li><a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a></li>
+ </ul>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.20"><span style="float: right;">released 11 Aug 2011</span> Fixed in Apache Tomcat 7.0.20</h3><div class="text">
-
-<p>
-<strong>Important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729" rel="nofollow">CVE-2011-2729</a>
-</p>
+ <p><strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729" rel="nofollow">CVE-2011-2729</a></p>
-
-<p>Due to a bug in the capabilities code, jsvc (the service wrapper for
+ <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
Linux that is part of the Commons Daemon project) does not drop
capabilities allowing the application to access files and directories
owned by superuser. This vulnerability only occurs when all of the
following are true:
<ul>
-
-<li>Tomcat is running on a Linux operating system</li>
-
-<li>jsvc was compiled with libcap</li>
-
-<li>-user parameter is used</li>
-
-</ul>
+ <li>Tomcat is running on a Linux operating system</li>
+ <li>jsvc was compiled with libcap</li>
+ <li>-user parameter is used</li>
+ </ul>
Affected Tomcat versions shipped with source files for jsvc that included
this vulnerability.
</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1153379">revision 1153379</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1153379">revision 1153379</a>.</p>
-
-<p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
+ <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
on 12 August 2011.</p>
-
-<p>Affects: 7.0.0-7.0.19</p>
-
+ <p>Affects: 7.0.0-7.0.19</p>
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.19">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.19"><strong>Fixed in Apache Tomcat 7.0.19</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 19 Jul 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.19"><span style="float: right;">released 19 Jul 2011</span> Fixed in Apache Tomcat 7.0.19</h3><div class="text">
-
-<p>
-<strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a>
-</p>
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a></p>
-
-<p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+ <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
connectors. sendfile is used automatically for content served via the
DefaultServlet and deployed web applications may use it directly via
setting request attributes. These request attributes were not validated.
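Review bot: In the mitigation list for CVE-2011-3190, the context line `(It is "<code>requiredSecret</code>" attribute in AJP <Connector>,` contains an unescaped `<Connector>`, which the browser parses as an unknown element instead of displaying the text, so the rendered sentence reads "attribute in AJP ,"; since this patch is already rewriting the markup, change it to `&lt;Connector&gt;`. The precondition `<ul>` in the same entry is also still nested inside a `<p>` (the list opens after "following are true:" and is followed by `+ </ul>` then `+ </p>`), which is invalid HTML that browsers repair by closing the paragraph early; close the `<p>` before the list and start a new one after it.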
@@ -942,62 +346,43 @@
malicious web application to do one or more of the following that would
normally be prevented by a security manager:
<ul>
-
-<li>return files to users that the security manager should make
+ <li>return files to users that the security manager should make
inaccessible</li>
-
-<li>terminate (via a crash) the JVM</li>
-
-</ul>
+ <li>terminate (via a crash) the JVM</li>
+ </ul>
Additionally, these vulnerabilities only occur when all of the following
are true:
<ul>
-
-<li>untrusted web applications are being used</li>
-
-<li>the SecurityManager is used to limit the untrusted web applications
+ <li>untrusted web applications are being used</li>
+ <li>the SecurityManager is used to limit the untrusted web applications
</li>
-
-<li>the HTTP NIO or HTTP APR connector is used</li>
-
-<li>sendfile is enabled for the connector (this is the default)</li>
-
-</ul>
-
-</p>
+ <li>the HTTP NIO or HTTP APR connector is used</li>
+ <li>sendfile is enabled for the connector (this is the default)</li>
+ </ul>
+ </p>
-
-<p>This was fixed in revisions
+ <p>This was fixed in revisions
<a href="http://svn.apache.org/viewvc?view=rev&rev=1145383">1145383</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1145489">1145489</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1145571">1145571</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1145694">1145694</a> and
<a href="http://svn.apache.org/viewvc?view=rev&rev=1146005">1146005</a>.</p>
-
-<p>This was identified by the Tomcat security team on 7 July 2011 and
+ <p>This was identified by the Tomcat security team on 7 July 2011 and
made public on 13 July 2011.</p>
-
-<p>Affects: 7.0.0-7.0.18</p>
+ <p>Affects: 7.0.0-7.0.18</p>
-
-<p>
-<i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
+ <p><i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
Therefore, although users must download 7.0.19 to obtain a version that
includes a fix for these issues, versions 7.0.17 and 7.0.18 are not
- included in the list of affected versions.</i>
-</p>
+ included in the list of affected versions.</i></p>
-
-<p>
-<strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
-</p>
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a></p>
-
-<p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+ <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
creating users via JMX, an exception during the user creation process may
trigger an error message in the JMX client that includes the user's
password. This error message is also written to the Tomcat logs. User
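Review bot: The two precondition lists for CVE-2011-2526 are still wrapped in a single `<p>`: the paragraph opened before "prevented by a security manager:" contains the first `<ul>`, then the bare text "Additionally, these vulnerabilities only occur when all of the following are true:", then a second `<ul>`, and is only closed by `+ </p>` after the second list. A `<ul>` cannot be a child of `<p>`, so browsers implicitly close the paragraph at the first `<ul>` and the later `</p>` becomes a stray tag; split this into one `<p>` per lead-in sentence and leave both lists outside the paragraphs.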
@@ -1006,24 +391,17 @@
do not have these permissions but are able to read log files may be able
to discover a user's password.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1140070">revision 1140070</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1140070">revision 1140070</a>.</p>
-
-<p>This was identified by Polina Genova on 14 June 2011 and
+ <p>This was identified by Polina Genova on 14 June 2011 and
made public on 27 June 2011.</p>
-
-<p>Affects: 7.0.0-7.0.16</p>
+ <p>Affects: 7.0.0-7.0.16</p>
-
-<p>
-<strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481" rel="nofollow">CVE-2011-2481</a>
-</p>
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481" rel="nofollow">CVE-2011-2481</a></p>
-
-<p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
+ <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
vulnerability previously reported as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>.
This was initially
<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
@@ -1032,90 +410,38 @@
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.</p>
-
-<p>This was first fixed in
+ <p>This was first fixed in
<a href="http://svn.apache.org/viewvc?view=rev&rev=1137753">revision 1137753</a>,
but reverted in <a href="http://svn.apache.org/viewvc?view=rev&rev=1138776">revision 1138776</a> and
finally fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1138788">revision 1138788</a>.</p>
-
-<p>This was identified by the Tomcat security team on 20 June 2011 and
+ <p>This was identified by the Tomcat security team on 20 June 2011 and
made public on 12 August 2011.</p>
-
-<p>Affects: 7.0.0-7.0.16</p>
-
+ <p>Affects: 7.0.0-7.0.16</p>
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.14">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.14"><strong>Fixed in Apache Tomcat 7.0.14</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 12 May 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.14"><span style="float: right;">released 12 May 2011</span> Fixed in Apache Tomcat 7.0.14</h3><div class="text">
-
-<p>
-<strong>Important: Security constraint bypass</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1582" rel="nofollow">CVE-2011-1582</a>
-</p>
+ <p><strong>Important: Security constraint bypass</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1582" rel="nofollow">CVE-2011-1582</a></p>
-
-<p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
+ <p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
constraints configured via annotations were ignored on the first request
to a Servlet. Subsequent requests were secured correctly.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1100832">revision 1100832</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1100832">revision 1100832</a>.</p>
-
-<p>This was identified by the Tomcat security team on 13 April 2011 and
+ <p>This was identified by the Tomcat security team on 13 April 2011 and
made public on 17 May 2011.</p>
-
-<p>Affects: 7.0.12-7.0.13</p>
+ <p>Affects: 7.0.12-7.0.13</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.12">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.12"><strong>Fixed in Apache Tomcat 7.0.12</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 6 Apr 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.12"><span style="float: right;">released 6 Apr 2011</span> Fixed in Apache Tomcat 7.0.12</h3><div class="text">
-
-<p>
-<strong>Important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475" rel="nofollow">CVE-2011-1475</a>
-</p>
+ <p><strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475" rel="nofollow">CVE-2011-1475</a></p>
-
-<p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
+ <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
asynchronous requests did not fully account for HTTP pipelining. As a
result, when using HTTP pipelining a range of unexpected behaviours
occurred including the mixing up of responses between requests. While
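Review bot: Missing links in the CVE-2011-1582 description: `An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security` names both CVEs as plain text, whereas the other cross-references in this file (for example the CVE-2009-0783 mention in the CVE-2011-2481 entry) are linked to cve.mitre.org; link these two as well so readers can jump to the related entries.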
@@ -1123,27 +449,20 @@
user, a mix-up of responses for requests from different users may also be
possible.</p>
-
-<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1086349">1086349</a> and
+ <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1086349">1086349</a> and
<a href="http://svn.apache.org/viewvc?view=rev&rev=1086352">1086352</a>.
(Note: HTTP pipelined requests are still likely to fail with the
HTTP BIO connector but will do so in a secure manner.)</p>
-
-<p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
+ <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
2011.</p>
-
-<p>Affects: 7.0.0-7.0.11</p>
+ <p>Affects: 7.0.0-7.0.11</p>
-
-<p>
-<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
-</p>
+ <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a></p>
-
-<p>Note: Mitre elected to break this issue down into multiple issues and
+ <p>Note: Mitre elected to break this issue down into multiple issues and
have allocated the following additional references to parts of this
issue:
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5062" rel="nofollow">CVE-2011-5062</a>,
@@ -1152,271 +471,123 @@
continue to treat this as a single issue using the reference
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>.</p>
-
-<p>The implementation of HTTP DIGEST authentication was discovered to have
+ <p>The implementation of HTTP DIGEST authentication was discovered to have
several weaknesses:
<ul>
-
-<li>replay attacks were permitted</li>
-
-<li>server nonces were not checked</li>
-
-<li>client nonce counts were not checked</li>
-
-<li>qop values were not checked</li>
-
-<li>realm values were not checked</li>
-
-<li>the server secret was hard-coded to a known string</li>
-
-</ul>
+ <li>replay attacks were permitted</li>
+ <li>server nonces were not checked</li>
+ <li>client nonce counts were not checked</li>
+ <li>qop values were not checked</li>
+ <li>realm values were not checked</li>
+ <li>the server secret was hard-coded to a known string</li>
+ </ul>
The result of these weaknesses is that DIGEST authentication was only as
secure as BASIC authentication.
</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1087655">revision 1087655</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1087655">revision 1087655</a>.</p>
-
-<p>This was identified by the Tomcat security team on 16 March 2011 and
+ <p>This was identified by the Tomcat security team on 16 March 2011 and
made public on 26 September 2011.</p>
-
-<p>Affects: 7.0.0-7.0.11</p>
+ <p>Affects: 7.0.0-7.0.11</p>
-
-<p>
-<strong>Important: Security constraint bypass</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183" rel="nofollow">CVE-2011-1183</a>
-</p>
+ <p><strong>Important: Security constraint bypass</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183" rel="nofollow">CVE-2011-1183</a></p>
-
-<p>A regression in the fix for CVE-2011-1088 meant that security constraints
+ <p>A regression in the fix for CVE-2011-1088 meant that security constraints
were ignored when no login configuration was present in the web.xml and
the web application was marked as meta-data complete.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1087643">revision 1087643</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1087643">revision 1087643</a>.</p>
-
-<p>This was identified by the Tomcat security team on 17 March 2011 and
+ <p>This was identified by the Tomcat security team on 17 March 2011 and
made public on 6 April 2011.</p>
-
-<p>Affects: 7.0.11</p>
+ <p>Affects: 7.0.11</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.11">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.11"><strong>Fixed in Apache Tomcat 7.0.11</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 11 Mar 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.11"><span style="float: right;">released 11 Mar 2011</span> Fixed in Apache Tomcat 7.0.11</h3><div class="text">
-
-<p>
-<strong>Important: Security constraint bypass</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1088" rel="nofollow">CVE-2011-1088</a>
-</p>
+ <p><strong>Important: Security constraint bypass</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1088" rel="nofollow">CVE-2011-1088</a></p>
-
-<p>When a web application was started, <code>ServletSecurity</code>
+ <p>When a web application was started, <code>ServletSecurity</code>
annotations were ignored. This meant that some areas of the application
may not have been protected as expected. This was partially fixed in
Apache Tomcat 7.0.10 and fully fixed in 7.0.11.</p>
-
-<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1076586">1076586</a>,
+ <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1076586">1076586</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1076587">1076587</a>,
<a href="http://svn.apache.org/viewvc?view=rev&rev=1077995">1077995</a> and
<a href="http://svn.apache.org/viewvc?view=rev&rev=1079752">1079752</a>.</p>
-
-<p>This was reported publicly on the Tomcat users mailing list on 2 Mar
+ <p>This was reported publicly on the Tomcat users mailing list on 2 Mar
2011.</p>
-
-<p>Affects: 7.0.0-7.0.10</p>
+ <p>Affects: 7.0.0-7.0.10</p>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.8">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.8"><strong>Fixed in Apache Tomcat 7.0.8</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 5 Feb 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.8"><span style="float: right;">released 5 Feb 2011</span> Fixed in Apache Tomcat 7.0.8</h3><div class="text">
-
-<p>
-<i>Note: The issue below was fixed in Apache Tomcat 7.0.7 but the
+ <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.7 but the
release vote for the 7.0.7 release candidate did not pass. Therefore,
although users must download 7.0.8 to obtain a version that includes a
fix for this issue, version 7.0.7 is not included in the list of
- affected versions.</i>
-</p>
+ affected versions.</i></p>
-
-<p>
-<strong>Important: Remote Denial Of Service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534" rel="nofollow">CVE-2011-0534</a>
-</p>
+ <p><strong>Important: Remote Denial Of Service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534" rel="nofollow">CVE-2011-0534</a></p>
-
-<p>The NIO connector expands its buffer endlessly during request line
+ <p>The NIO connector expands its buffer endlessly during request line
processing. That behaviour can be used for a denial of service attack
using a carefully crafted request.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1065939">revision 1065939</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1065939">revision 1065939</a>.</p>
-
-<p>This was identified by the Tomcat security team on 27 Jan 2011 and
+ <p>This was identified by the Tomcat security team on 27 Jan 2011 and
made public on 5 Feb 2011.</p>
-
-<p>Affects: 7.0.0-7.0.6</p>
+ <p>Affects: 7.0.0-7.0.6</p>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.6"><span style="float: right;">released 14 Jan 2011</span> Fixed in Apache Tomcat 7.0.6</h3><div class="text">
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.6">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.6"><strong>Fixed in Apache Tomcat 7.0.6</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 14 Jan 2011</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
-
-
-<p>
-<strong>Low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013" rel="nofollow">CVE-2011-0013</a>
-</p>
+ <p><strong>Low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013" rel="nofollow">CVE-2011-0013</a></p>
-
-<p>The HTML Manager interface displayed web application provided data, such
+ <p>The HTML Manager interface displayed web application provided data, such
as display names, without filtering. A malicious web application could
trigger script execution by an administrative user when viewing the
manager pages.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1057279">revision 1057279</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1057279">revision 1057279</a>.</p>
-
-<p>This was identified by the Tomcat security team on 12 Nov 2010 and
+ <p>This was identified by the Tomcat security team on 12 Nov 2010 and
made public on 5 Feb 2011.</p>
-
-<p>Affects: 7.0.0-7.0.5</p>
+ <p>Affects: 7.0.0-7.0.5</p>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.5"><span style="float: right;">released 1 Dec 2010</span> Fixed in Apache Tomcat 7.0.5</h3><div class="text">
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.5">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.5"><strong>Fixed in Apache Tomcat 7.0.5</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 Dec 2010</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
-
-
-<p>
-<strong>Low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172" rel="nofollow">CVE-2010-4172</a>
-</p>
+ <p><strong>Low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172" rel="nofollow">CVE-2010-4172</a></p>
-
-<p>The Manager application used the user provided parameters sort and
+ <p>The Manager application used the user provided parameters sort and
orderBy directly without filtering thereby permitting cross-site
scripting. The CSRF protection, which is enabled by default, prevents an
attacker from exploiting this.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1037778">revision 1037778</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1037778">revision 1037778</a>.</p>
-
-<p>This was first reported to the Tomcat security team on 15 Nov 2010 and
+ <p>This was first reported to the Tomcat security team on 15 Nov 2010 and
made public on 22 Nov 2010.</p>
-
-<p>Affects: 7.0.0-7.0.4</p>
-
+ <p>Affects: 7.0.0-7.0.4</p>
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.4">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.4"><strong>Fixed in Apache Tomcat 7.0.4</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 21 Oct 2010</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.4"><span style="float: right;">released 21 Oct 2010</span> Fixed in Apache Tomcat 7.0.4</h3><div class="text">
-
-<p>
-<strong>Low: SecurityManager file permission bypass</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718" rel="nofollow">CVE-2010-3718</a>
-</p>
+ <p><strong>Low: SecurityManager file permission bypass</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718" rel="nofollow">CVE-2010-3718</a></p>
-
-<p>When running under a SecurityManager, access to the file system is
+ <p>When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
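Review bot: Missing link in the CVE-2011-1183 entry: `A regression in the fix for CVE-2011-1088 meant that security constraints` leaves the referenced CVE as plain text while the entry for CVE-2011-1088 itself sits further down this same hunk with a cve.mitre.org link; link it here too for consistency with the rest of the page.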
@@ -1430,107 +601,51 @@
applicable when hosting web applications from untrusted sources such as
shared hosting environments.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1022134">revision 1022134</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1022134">revision 1022134</a>.</p>
-
-<p>This was discovered by the Tomcat security team on 12 Oct 2010 and
+ <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
made public on 5 Feb 2011.</p>
-
-<p>Affects: 7.0.0-7.0.3</p>
-
+ <p>Affects: 7.0.0-7.0.3</p>
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.2">
-<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.2"><strong>Fixed in Apache Tomcat 7.0.2</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 11 Aug 2010</strong></font></td>
-</tr>
-<tr>
-<td colspan="2">
-<p>
-<blockquote>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.2"><span style="float: right;">released 11 Aug 2010</span> Fixed in Apache Tomcat 7.0.2</h3><div class="text">
-
-<p>
-<i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the
+ <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the
release vote for the 7.0.1 release candidate did not pass. Therefore,
although users must download 7.0.2 to obtain a version that includes a
fix for this issue, version 7.0.2 is not included in the list of
- affected versions.</i>
-</p>
+ affected versions.</i></p>
-
-<p>
-<strong>Important: Remote Denial Of Service and Information Disclosure
+ <p><strong>Important: Remote Denial Of Service and Information Disclosure
Vulnerability</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" rel="nofollow">CVE-2010-2227</a>
-</p>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" rel="nofollow">CVE-2010-2227</a></p>
-
-<p>Several flaws in the handling of the 'Transfer-Encoding' header were
+ <p>Several flaws in the handling of the 'Transfer-Encoding' header were
found that prevented the recycling of a buffer. A remote attacker could
trigger this flaw which would cause subsequent requests to fail and/or
information to leak between requests. This flaw is mitigated if Tomcat is
behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
reject the invalid transfer encoding header.</p>
-
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=958911">revision 958911</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=958911">revision 958911</a>.</p>
-
-<p>This was first reported to the Tomcat security team on 14 Jun 2010 and
+ <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
made public on 9 Jul 2010.</p>
-
-<p>Affects: 7.0.0</p>
+ <p>Affects: 7.0.0</p>
+ </div><h3 id="Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</h3><div class="text">
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Not a vulnerability in Tomcat">
-<!--()--></a><a name="Not_a_vulnerability_in_Tomcat"><strong>Not a vulnerability in Tomcat</strong></a></font></td>
-</tr>
-<tr>
-<td>
-<p>
-<blockquote>
-
-
-<p>
-<strong>Low: Denial Of Service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a>
-</p>
+ <p><strong>Low: Denial Of Service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568" rel="nofollow">CVE-2012-5568</a></p>
-
-<p>Sending an HTTP request 1 byte at a time will consume a thread from the
+ <p>Sending an HTTP request 1 byte at a time will consume a thread from the
connection pool until the request has been fully processed if using the
BIO or APR/native HTTP connectors. Multiple requests may be used to
consume all threads in the connection pool thereby creating a denial of
service.</p>
-
-<p>Since the relationship between the client side resources and server side
+ <p>Since the relationship between the client side resources and server side
resources is a linear one, this issue is not something that the Tomcat
Security Team views as a vulnerability. This is a generic DoS problem and
there is no magic solution. This issue has been discussed several times
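Review bot: the line `+ <p>Several flaws in the handling of the 'Transfer-Encoding' header were` quotes the header name with straight quotes while the rest of the page marks up identifiers with `<code>` (compare `<code>allowUnsafeLegacyRenegotiation</code>` further down); use `<code>Transfer-Encoding</code>` for consistency since the text is being touched anyway. In the same paragraph, "This flaw is mitigated if Tomcat is behind a reverse proxy ... as the proxy should reject the invalid transfer encoding header" states the mitigation as a fact while the reasoning depends on the proxy's behaviour; "may be mitigated" or "is mitigated by a reverse proxy that rejects the invalid header" would match what the sentence actually claims.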
@@ -1539,139 +654,85 @@
<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
54236</a>.</p>
-
-<p>This was first discussed on the public Tomcat users mailing list on 19
+ <p>This was first discussed on the public Tomcat users mailing list on 19
June 2009.</p>
-
-<p>Affects: 7.0.0-7.0.x</p>
+ <p>Affects: 7.0.0-7.0.x</p>
-
-<p>
-<strong>Important: Remote Denial Of Service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
-</p>
+ <p><strong>Important: Remote Denial Of Service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a></p>
-
-<p>A JVM bug could cause Double conversion to hang JVM when accessing to a
+ <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
form based security constrained page or any page that calls
javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales(). A specially crafted request
can be used to trigger a denial of service.
</p>
-
-<p>A work-around for this JVM bug was provided in
+ <p>A work-around for this JVM bug was provided in
<a href="http://svn.apache.org/viewvc?view=rev&rev=1066244">revision 1066244</a>.</p>
-
-<p>This was first reported to the Tomcat security team on 01 Feb 2011 and
+ <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
made public on 31 Jan 2011.</p>
-
-<p>Affects: 7.0.0-7.0.6</p>
+ <p>Affects: 7.0.0-7.0.6</p>
-
-<p>
-<strong>Moderate: TLS SSL Man In The Middle</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
-</p>
+ <p><strong>Moderate: TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a></p>
-
-<p>A vulnerability exists in the TLS protocol that allows an attacker to
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
inject arbitrary requests into an TLS stream during renegotiation.</p>
-
-<p>The TLS implementation used by Tomcat varies with connector. The blocking
+ <p>The TLS implementation used by Tomcat varies with connector. The blocking
IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
provided by the JVM. The APR/native connector uses OpenSSL.</p>
-
-<p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+ <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
To workaround a vulnerable version of JSSE, use the connector attribute
<code>allowUnsafeLegacyRenegotiation</code>. It should be set to
<code>false</code> (the default) to protect against this vulnerability.
</p>
-
-<p>The NIO connector prior to 7.0.10 is not vulnerable as it does not
+ <p>The NIO connector prior to 7.0.10 is not vulnerable as it does not
support renegotiation.</p>
-
-<p>The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE
+ <p>The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE
version used is vulnerable. To workaround a vulnerable version of JSSE,
use the connector attribute <code>allowUnsafeLegacyRenegotiation</code>.
It should be set to <code>false</code> (the default) to protect against
this vulnerability.</p>
-
-<p>The APR/native workarounds are detailed on the
+ <p>The APR/native workarounds are detailed on the
<a href="security-native.html">APR/native connector security page</a>.
</p>
-
-<p>Users should be aware that the impact of disabling renegotiation will
+ <p>Users should be aware that the impact of disabling renegotiation will
vary with both application and client. In some circumstances disabling
renegotiation may result in some clients being unable to access the
application.</p>
-
-<p>This was worked-around in
+ <p>This was worked-around in
<a href="http://svn.apache.org/viewvc?view=rev&rev=882320">revision 891292</a>.</p>
-
-<p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+ <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
have this security issue:</p>
-
-<ul>
-
-<li>For connectors using JSSE implementation provided by JVM:
+ <ul>
+ <li>For connectors using JSSE implementation provided by JVM:
Added in Tomcat 7.0.8.<br>
Requires JRE that supports RFC 5746. For Oracle JRE that is
<a rel="nofollow" href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
to be 6u22 or later.
</li>
-
-<li>For connectors using APR and OpenSSL:<br>
+ <li>For connectors using APR and OpenSSL:<br>
TBD. See
<a href="security-native.html">APR/native connector security page</a>.
</li>
-
-</ul>
+ </ul>
-
-</blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br>
-</td>
-</tr>
-</table>
-</td>
-</tr>
-<!--FOOTER SEPARATOR-->
-<tr>
-<td colspan="2">
-<hr noshade size="1">
-</td>
-</tr>
-<!--PAGE FOOTER-->
-<tr>
-<td colspan="2">
-<div align="center">
-<font color="#525D76" size="-1"><em>
- Copyright © 1999-2013, The Apache Software Foundation
- <br>
- Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
- project logo are trademarks of the Apache Software Foundation.
- </em></font>
-</div>
-</td>
-</tr>
-</table>
-</body>
-</html>
+ </div></main></div></div></div></div><footer id="footer">
+ Copyright © 1999-2013, The Apache Software Foundation
+ <br>
+ Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
+ project logo are trademarks of the Apache Software Foundation.
+ </footer></div></body></html>
\ No newline at end of file
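Review bot: two link texts in this hunk disagree with their targets and the rewrite carries both forward unchanged. The context lines `<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug 54236</a>` have id 54263 in the href and 54236 in the text (a transposition), and the line `<a href="http://svn.apache.org/viewvc?view=rev&rev=882320">revision 891292</a>` has rev 882320 in the href and 891292 in the text; check which value is right in each case and make the text and the href agree. Also, the sentence `+ <p>This was first reported to the Tomcat security team on 01 Feb 2011 and` followed by "made public on 31 Jan 2011" reads as if the issue was public before it was reported; if that is the actual sequence (public disclosure elsewhere first), reorder it to "made public on 31 Jan 2011 and first reported to the Tomcat security team on 01 Feb 2011" so the dates do not look like a typo. Minor: "inject arbitrary requests into an TLS stream" should read "a TLS stream".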