Apache Tomcat information disclosure

2008.10.14
Credit: Mark Thomas
Risk: Low
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2008-3271: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.31 Tomcat 5.5.0 Tomcat 6.0.x is not affected The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can, in very rare circumstances, permit a user from a non-permitted IP address to gain access to a context protected with a valve that extends RemoteFilterValve. Mitigation: Upgrade to: 4.1.32 or later 5.5.1 or later 6.0.0 or later Example: This has only been reproduced using a debugger to force a particular processing sequence across two threads. 1. Set a breakpoint right after the place where a value is to be entered in the instance variable of regexp (search:org.apache.regexp.CharacterIterator). 2. Send a request from the IP address* which is not permitted. (stopped at the breakpoint) *About the IP address which is not permitted. The character strings length of the IP address which is set in RemoteAddrValve must be same. 3. Send a request from the IP address which was set in RemoteAddrValve. (stopped at the breakpoint) In this way, the instance variable is to be overwritten here. 4. Resume the thread which is processing the step 2 above. 5. The request from the not permitted IP address will succeed. Credit: This issue was discovered by Kenichi Tsukamoto (Development Dept. II, Application Management Middleware Div., FUJITSU LIMITED) and reported to the Tomcat security team via JPCERT. References: http://tomcat.apache.org/security.html Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj =9Z/F -----END PGP SIGNATURE-----

References:

https://issues.apache.org/bugzilla/show_bug.cgi?id=25835
http://www.securityfocus.com/bid/31698
http://www.securityfocus.com/archive/1/archive/1/497220/100/0/threaded
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
http://secunia.com/advisories/32234
http://jvn.jp/en/jp/JVN30732239/index.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top