Posted to users@tomcat.apache.org by Leon Rosenberg <ro...@gmail.com> on 2011/02/11 00:03:59 UTC

CVE-2010-4476 - is it fixed or not?

Hi,

short question, I read in the http://tomcat.apache.org/security-6.html
that a possible DoS attack vulnerability has been fixed in Request
class.
Does that mean that CVE-2010-4476 is
a) not an issue with 6.0.32++
b) not an issue unless the app uses Double.parseDouble
c) probably not an issue in Tomcat, at least until someone finds out it is.

regards
Leon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: CVE-2010-4476 - is it fixed or not?

Posted by Mladen Turk <mt...@apache.org>.
On 02/11/2011 10:42 AM, Mark Thomas wrote:
>
>> b) not an issue unless the app uses Double.parseDouble
> False. As per the announcement sent to all the usual places:
> <quote>
> Tomcat is affected when accessing a form based security constrained
> page or any page that calls javax.servlet.ServletRequest.getLocale() or
> javax.servlet.ServletRequest.getLocales().
> </quote>
>

I'd add that the app needs a workaround as well if it directly parses
the problematic user/wire data (without a patched JVM).


Regards
-- 
^TM



Re: CVE-2010-4476 - is it fixed or not?

Posted by Mark Thomas <ma...@apache.org>.
On 10/02/2011 23:03, Leon Rosenberg wrote:
> Hi,
> 
> short question, I read in the http://tomcat.apache.org/security-6.html
> that a possible DoS attack vulnerability has been fixed in Request
> class.
> Does that mean that CVE-2010-4476 is
> a) not an issue with 6.0.32++
True. Also not an issue with 7.0.8+ and 5.5.33+

> b) not an issue unless the app uses Double.parseDouble
False. As per the announcement sent to all the usual places:
<quote>
Tomcat is affected when accessing a form based security constrained
page or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().
</quote>

> c) probably not an issue in Tomcat, at least until someone finds out it is.
False. See above.

I would add that Oracle have now released a patch for 1.6.0_23. If
running on a patched JVM, CVE-2010-4476 is not an issue for *any* Tomcat
version.

Mark





Re: CVE-2010-4476 - is it fixed or not?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leon,

On 2/10/2011 6:03 PM, Leon Rosenberg wrote:
> short question, I read in the http://tomcat.apache.org/security-6.html
> that a possible DoS attack vulnerability has been fixed in Request
> class.
> Does that mean that CVE-2010-4476 is
> a) not an issue with 6.0.32++
> b) not an issue unless the app uses Double.parseDouble
> c) probably not an issue in Tomcat, at least until someone finds out it is.

Tomcat uses Double.parseDouble in a few places that have not been
addressed, but they are used for parsing values supplied by the
administrator or webapp developer (like parsing the <web-app> version
string, for instance). This appears to be the only use of
Double.parseDouble in Tomcat that could really be considered vulnerable.

If you want to protect yourself entirely, consider upgrading or using
the "fpupdate" program which patches your installation's rt.jar file. I
have done this on all my servers.

If you want to protect yourself on all Tomcat versions but still be
vulnerable to application use of Double.parseDouble, see my followups to
Mark's announcement this week: I show you how to protect Tomcat using
two different techniques with Apache httpd... these could easily be
adapted to use UrlRewrite if you aren't using a web server in front of
Tomcat.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1VY4IACgkQ9CaO5/Lv0PDGXACfcstSTQ/4uZCaQ4EL6+4S0Rl+
V8YAoIkZqeq7rdXbwSi7bQs85ndmO0r+
=6h/3
-----END PGP SIGNATURE-----
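Mark's reply pins the exposure to Tomcat's own parsing of the Accept-Language header (anything that reaches getLocale()/getLocales(), including form-based authentication), and Chris points at filtering in front of Tomcat. The block below is an added example, not code from this thread, from Tomcat, or from Chris's httpd configuration: a Python reference implementation of the check a front-end filter would apply, validating every q-value against the strict RFC 2616 grammar and converting it with integer arithmetic so that no floating-point parser ever sees the wire value. Function names and the sample headers are constructed for the example.

```python
import re
from typing import List, Tuple

# RFC 2616 section 3.9 grammar for a quality value:
#   qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
# Exponents, long mantissas, signs and values above 1 are all rejected
# before any floating-point parser could be handed the string.
_QVALUE_RE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")

# RFC 2616 section 14.4 language-range: "*" or 1-8 alpha, then "-" 1-8 alphanum tags.
_LANG_RANGE_RE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$")

# Constructed sample headers for the usage demo at the bottom.
GOOD_HEADER = "en-US,en;q=0.8,de;q=0.5"
BAD_HEADER = "en;q=2.2e-308"  # exponent notation is outside the qvalue grammar


class MalformedAcceptLanguage(ValueError):
    """Raised for any header element that does not match the RFC grammar."""


def qvalue_to_thousandths(q: str) -> int:
    """Convert a grammar-checked qvalue to an integer 0..1000 using string ops only."""
    if not _QVALUE_RE.match(q):
        raise MalformedAcceptLanguage(f"illegal qvalue: {q!r}")
    whole, _, frac = q.partition(".")
    frac = (frac + "000")[:3]  # right-pad the fraction to exactly three digits
    return int(whole) * 1000 + int(frac)


def parse_accept_language(header: str) -> List[Tuple[str, int]]:
    """Parse Accept-Language into (language-range, q in thousandths), best first.

    Every element must be `language-range [";" "q" "=" qvalue]`; anything else
    raises MalformedAcceptLanguage so the caller can reject the request (or
    drop the header) instead of passing it on to the servlet container.
    """
    result: List[Tuple[str, int]] = []
    for element in header.split(","):
        element = element.strip()
        if not element:
            continue  # RFC 2616 permits empty list elements
        parts = [p.strip() for p in element.split(";")]
        lang = parts[0]
        if not _LANG_RANGE_RE.match(lang):
            raise MalformedAcceptLanguage(f"illegal language-range: {lang!r}")
        q = 1000  # default quality is 1
        for param in parts[1:]:
            name, sep, value = param.partition("=")
            if not sep or name.strip().lower() != "q":
                raise MalformedAcceptLanguage(f"unexpected parameter: {param!r}")
            q = qvalue_to_thousandths(value.strip())
        result.append((lang, q))
    # Stable sort: among equal q-values the client's header order is preserved.
    result.sort(key=lambda lq: -lq[1])
    return result


def is_safe_accept_language(header: str) -> bool:
    """True if the header is strictly well-formed and may be forwarded unchanged."""
    try:
        parse_accept_language(header)
    except MalformedAcceptLanguage:
        return False
    return True


if __name__ == "__main__":
    for h in (GOOD_HEADER, BAD_HEADER):
        verdict = "forward" if is_safe_accept_language(h) else "reject/strip"
        print(f"{h!r}: {verdict}")
```

A filter built on this check only needs a yes/no answer: a header that fails the grammar is stripped or the request is answered with 400 before it reaches Tomcat, which is exactly the position a reverse proxy in front of the container occupies. Because form-based authentication runs inside Tomcat before any webapp filter, the check has to sit in front of the container (or in a valve), not in a servlet Filter, to cover the case Mark quotes from the announcement.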
