===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0145
    [Win][UNIX/Linux] New versions of Apache Tomcat correct multiple
                              vulnerabilities
                              21 February 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache Tomcat 6.0.15 and prior
                      Apache Tomcat 5.5.25 and prior
                      Apache Tomcat 4.1.36 and prior
Publisher:            Apache
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Access Confidential Data
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-6286 CVE-2007-5333 CVE-2008-0002
Ref:                  ESB-2007.0629

Comment: This ESB contains three (3) separate Apache advisories.

         Tomcat 4.1.37 stable has been released addressing the
         vulnerabilities mentioned in this advisory. It is available
         from http://tomcat.apache.org/download-41.cgi

Revision History:  February 21 2008: Tomcat 4.1.37 stable released.
                   February 11 2008: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2007-6286: Tomcat duplicate request processing vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.11 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
When using the native (APR based) connector, connecting to the SSL port
using netcat and then disconnecting without sending any data will cause
Tomcat to handle a duplicate copy of one of the recent requests.

Mitigation:
6.0.x users should upgrade to 6.0.16, which includes version 1.1.12 of
the native connector.
5.5.x users should upgrade to 5.5.26, which includes version 1.1.12 of
the native connector.

Example:
See description.

Credit:
This issue was discovered by System Core (http://www.systemcore.ca/).
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team


CVE-2007-5333: Tomcat Cookie handling vulnerabilities

Severity: low - Session hijacking

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.36
Tomcat 5.5.0 to 5.5.25
Tomcat 6.0.0 to 6.0.14

Description:
The previous fix for CVE-2007-3385 was incomplete. It did not consider
the use of quotes or %5C within a cookie value.

Mitigation:
6.0.x users should upgrade to Tomcat 6.0.16 or later
5.5.x users should upgrade to Tomcat 5.5.26 or later
4.1.x users should build from the latest svn source

Examples:
+++
GET /myapp/MyCookies HTTP/1.1
Host: localhost
Cookie: name="val " ue"
Cookie: name1=moi
+++

http://example:8080/examples/servlets/servlet/CookieExample?cookiename=test&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B

Credit:
The quotes issue was reported by John Kew.
The %5C issue was reported by Ishikawa Yoshihiro via JPCERT/CC.
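The two cookie examples above both rely on a value that contains a double quote, a backslash (%5C) or a semicolon, characters that can close a quoted cookie string or start a new attribute. The following is an added defensive check, not Tomcat's code: it applies the RFC 6265 cookie-octet character set (which excludes exactly those characters) both when an application emits a Set-Cookie header and when it parses an incoming Cookie header, so that such values are rejected instead of being reinterpreted. The function names and the strict "split on '; '" parsing policy are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# RFC 6265 cookie-octet: printable US-ASCII excluding CTLs, space,
# DQUOTE, comma, semicolon and backslash. Values made only of these
# characters can never terminate a quoted string, escape a character
# or inject a ";Expires=" / ";Path=" style attribute.
COOKIE_OCTET = re.compile(r'^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$')
# RFC 2616 token characters, used for cookie names.
TOKEN = re.compile(r'^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$')


def is_safe_cookie_value(value: str) -> bool:
    """True only if every character of value is a cookie-octet.
    Quoted values are deliberately not accepted: stricter than RFC 6265."""
    return bool(COOKIE_OCTET.match(value))


def build_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header line, refusing names or values that
    would need quoting or escaping rather than trying to escape them."""
    if not TOKEN.match(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if not is_safe_cookie_value(value):
        raise ValueError(f"unsafe cookie value for {name!r}: {value!r}")
    return f"Set-Cookie: {name}={value}; Path={path}; HttpOnly"


def parse_cookie_header(header: str) -> dict:
    """Strict Cookie header parser: pairs are separated by '; ', every
    pair must be token=cookie-octets, anything else rejects the header."""
    cookies = {}
    for pair in header.split("; "):
        name, sep, value = pair.partition("=")
        if not sep or not TOKEN.match(name) or not is_safe_cookie_value(value):
            raise ValueError(f"malformed cookie pair: {pair!r}")
        cookies[name] = value
    return cookies


def decode_query_value(encoded: str) -> str:
    """Decode a form-encoded query parameter (the CookieExample URL form)
    so the decoded value can be checked before it is ever set."""
    return unquote_plus(encoded)


if __name__ == "__main__":
    # Constructed inputs, taken from the advisory's two examples.
    for v in ['val " ue', decode_query_value("test%5c%5c%22%3B+Expires%3DThu")]:
        print(repr(v), "safe" if is_safe_cookie_value(v) else "REJECTED")
```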
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team


CVE-2008-0002: Tomcat information disclosure vulnerability

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 6.0.5 to 6.0.15

Description:
If an exception occurs during the processing of parameters (eg if the
client disconnects) then it is possible that the parameters submitted
for that request will be incorrectly processed as part of a following
request.

Mitigation:
6.0.x users should upgrade to 6.0.16 or later.

Example:
See description.

Credit:
This issue was discovered by Chitrapandian N of AdventNet Inc.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================