Apache Tomcat 7 ignores ServletSecurity annotations

2011.03.17
Credit: Mark
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

As reported on the users list [1], both Tomcat 7.0.8 and the latest Tomcat 7 code from svn appear to ignore @ServletSecurity annotations. Assuming this issue is confirmed, it may lead to authentication bypass and information disclosure. The exact details are still being investigated but this e-mail is being provided to give users early warning of this public issue. If code changes are required to address this, they will be included in the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is expected to start once the investigation of this issue is complete. Mark on behalf of the Apache Tomcat security team [1] http://markmail.org/message/yzmyn44f5aetmm2r

References:

http://svn.apache.org/viewvc?view=revision&revision=1079752
http://xforce.iss.net/xforce/xfdb/65971
http://www.vupen.com/english/advisories/2011/0563
http://www.securityfocus.com/bid/46685
http://www.osvdb.org/71027
http://tomcat.apache.org/security-7.html
http://secunia.com/advisories/43684
http://markmail.org/message/yzmyn44f5aetmm2r
http://markmail.org/message/lzx5273wsgl5pob6
http://marc.info/?l=tomcat-user&m=129966773405409&w=2
http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top