[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Patch available on JBOSS3.2.6 which will have Tomcat latest
anaghah_dolein
do-not-reply at jboss.com
Wed Oct 22 08:28:28 EDT 2008
Hi,
We have deployed our web application on JBOSS3.2.6. We ran a security tool on it, and its report has displayed one vulnerability issue as:
QID: 86789 CVSS Base: 4.3 [1]
Category: Web server CVSS Temporal: 3.4
CVE ID: CVE-2005-2090
Vendor Reference: Apache Tomcat 4, Apache Tomcat 5, Apache Tomcat 6
Bugtraq ID: 13873
Modified: 07/14/2008
Edited: No
THREAT:
This vulnerability exists in Apache Tomcat Versions 4, 5 and 6 when the server doesn't reject multiple content length header requests.
IMPACT:
When these kinds of requests are processed by firewalls, caches, proxies and Tomcat, they may result in Web cache poisoning, XSS attack and information disclosure.
When we searched for this issue on the Tomcat site, we found its fix in Tomcat version 5.5.23.
So do we have any patch for JBOSS3.2.6 which will incorporate this issue fix or the latest Tomcat?
2) Or do we have a procedure where we can configure this Tomcat version by disabling the default one available in the server?
http://tomcat.apache.org/security-5.html
Regards
Anagha
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4183827#4183827
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4183827
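The condition named in the scan report above (a request carrying more than one Content-Length header that the server does not reject) can be checked on raw request bytes as follows. This is an added example, not part of the original post and not Tomcat or JBoss code; the function names and the two sample requests are constructed for illustration.

```python
# Added example: flag requests with more than one Content-Length header,
# the condition the scan report (CVE-2005-2090) says should be rejected.

def content_length_values(raw_request: bytes) -> list:
    """Return every Content-Length value found in the request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue                          # not a header line
        # Header names are case-insensitive, so compare in lower case.
        if name.strip().lower() == b"content-length":
            values.append(value.strip().decode("latin-1"))
    return values


def verdict(raw_request: bytes) -> str:
    """Decide whether a front end should pass the request on."""
    values = content_length_values(raw_request)
    if len(values) > 1:
        return "reject: multiple Content-Length headers " + repr(values)
    if values and not (values[0].isascii() and values[0].isdigit()):
        return "reject: malformed Content-Length " + repr(values[0])
    return "accept"


# Constructed sample requests (not captured traffic).
SINGLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\n\r\nhello")
DOUBLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\ncontent-length: 0\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("double", DOUBLE)):
        print(label, "->", verdict(req))
```

Components in the request path that each pick a different one of the two lengths disagree about where the request body ends, which is why the report lists firewalls, caches and proxies alongside Tomcat.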