What version of Tomcat is JBOSS 4.2.2GA based on?
The reason for my question is because some Security Vulnerabilities have been identified
in Tomcat and we need to know if upgrading to a later version of JBOSS will fix our
problem. Here is a description of the vulnerabilities:
7.1 (U) Apache Tomcat 6.0.5 - 6.0.15 Information Disclosure Vulnerability: Apache reports
that if an exception occurs during the processing of parameters, such as the client
disconnecting, then it is possible the parameters submitted for the request will be
incorrectly processed as part of a subsequent request. To exploit this vulnerability, an
unauthenticated remote attacker would locate a site hosting a vulnerable version of the
Adobe Tomcat application, then wait for an unsuspecting user to transmit data to the
server. Once transmitted, the attacker would cause the user/client to disconnect during
the transmission and initiate their own connection with the user's parameters as part
of the attacker's request. The successful exploitation of this vulnerability could allow a
remote attacker access to sensitive information which could be used in later attacks.
7.2 (U) Apache Tomcat Data Integrity Vulnerability: Apache reports several versions of
Tomcat (5.5.11 - 5.5.25 and 6.0.0 - 6.0.15) do not properly handle an empty request to an
SSL port using netcat when the native Apache Portable Runtime (APR) connector is used. The
successful exploitation of this vulnerability could allow an unauthenticated remote
attacker to trigger a handling of "a duplicate copy of one of the recent
requests".
7.3 (U) Apache Tomcat WebDAV Servlet Information Disclosure Vulnerability: Apache reports
an information disclosure vulnerability associated with the WebDAV servlet in several
Tomcat versions (4.0.0 - 4.0.6, 4.1.0, 5.0.0, 5.5.0 - 5.5.25, and 6.0.0 - 6.0.14). When
the WebDAV servlet is configured for use with a context and has been enabled for write,
some WebDAV requests that specify an entity with a SYSTEM tag can result in the disclosure of
information to the client issuing the request. To exploit this vulnerability, an
authenticated remote attacker could gain access to a vulnerable webserver and could create
a maliciously crafted HTTP WebDAV Lock request for a file that the attacker has
permissions to access, as well as referencing another remote file. The WebDAV
'Lock' function would process the attacker's request, making the remote file
available to them.
Note: Exploit code has been developed for this vulnerability which is publicly
available.
7.4 (U) Apache Tomcat JULI Vulnerability: Apache reports that the default catalina.policy
in the JULI logging component in several Tomcat versions (5.5.9 - 5.5.25 and 6.0.0 -
6.0.15) does not restrict certain permissions for web applications. To exploit this
vulnerability, an unauthenticated local attacker would construct a maliciously crafted
Java web application which could contain a malicious logging configuration which is
designed to leverage this vulnerability. The attacker would then gain local, interactive
access to a vulnerable webserver, and then install and execute the malicious application.
The application would write the log files, using the permissions of the user running the
server. The successful exploitation of this vulnerability could allow an attacker to
modify logging configuration options and overwrite arbitrary files, as well as having
access to sensitive information.
Note: JULI is enabled by default in Tomcat 6.0, and supports per classloader
configuration, in addition to the regular global java.util.logging configuration.
7.5 (U) Apache Tomcat Session Hijacking Vulnerability: Apache reports that several
versions of Tomcat do not properly handle (1) double quote (") characters, or (2) %5C
(encoded backslash) sequences in a cookie value. To exploit this vulnerability, an
unauthenticated remote attacker would need to locate a network-accessible instance of a
server hosting a vulnerable application (6.0.0 - 6.0.14, 5.5.0 - 5.5.25, and 4.1.0 -
4.1.36). A maliciously crafted web page or URI would be created by the attacker, to
include either or both of these conditions, and distribute this webpage/URI to an
unsuspecting user. When the user views this webpage or follows this URI link, the
user's server would not be able to properly handle the cookie data, and the
user's information would be disclosed to the attacker which could enable the attacker
to ultimately hijack the user's session.
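An added example, not from the post and not code from JBoss or Apache: a small Python checker that maps a Tomcat version string onto the affected version ranges quoted above, so whoever answers can compare the Tomcat build bundled with a given JBoss release against the five listed items. The labels reuse the post's own 7.1 to 7.5 numbering; the version strings passed in at the bottom are constructed sample input, since the post does not say which Tomcat JBoss 4.2.2GA ships.

```python
# Added example: check a Tomcat version against the ranges listed in the post.
# Ranges below are copied from the post's items 7.1 - 7.5; labels are ours.
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '6.0.13' into (6, 0, 13) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in s.strip().split("."))


# (label, [(low, high), ...]) with inclusive bounds exactly as the post lists them.
AFFECTED = [
    ("7.1 Information disclosure (parameter reuse after exception)",
        [("6.0.5", "6.0.15")]),
    ("7.2 Data integrity (APR connector, empty request to SSL port)",
        [("5.5.11", "5.5.25"), ("6.0.0", "6.0.15")]),
    ("7.3 WebDAV servlet information disclosure (SYSTEM entity)",
        [("4.0.0", "4.0.6"), ("4.1.0", "4.1.0"), ("5.0.0", "5.0.0"),
         ("5.5.0", "5.5.25"), ("6.0.0", "6.0.14")]),
    ("7.4 JULI catalina.policy permissions",
        [("5.5.9", "5.5.25"), ("6.0.0", "6.0.15")]),
    ("7.5 Session hijacking (cookie double quote / %5C handling)",
        [("6.0.0", "6.0.14"), ("5.5.0", "5.5.25"), ("4.1.0", "4.1.36")]),
]


def in_range(v: Version, low: str, high: str) -> bool:
    """Inclusive numeric comparison of a parsed version against a range."""
    return parse_version(low) <= v <= parse_version(high)


def affected_items(version: str) -> List[str]:
    """Return the labels of every listed item whose ranges include `version`."""
    v = parse_version(version)
    return [label for label, ranges in AFFECTED
            if any(in_range(v, lo, hi) for lo, hi in ranges)]


if __name__ == "__main__":
    # Constructed sample versions (not a statement about what JBoss bundles).
    for ver in ("6.0.13", "6.0.15", "6.0.16", "5.5.5"):
        print(ver, "->", affected_items(ver) or ["none of the listed items"])
```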