[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Exact Tomcat Version

nakamuram do-not-reply at jboss.com
Fri Feb 29 11:59:52 EST 2008


What version of Tomcat is JBOSS 4.2.2GA based on?

The reason for my question is because some Security Vulnerabilities have been identified in Tomcat and we need to know if upgrading to a later version of JBOSS will fix our problem.  Here is a description of the vulnerabilities:

7.1 (U) Apache Tomcat 6.0.5 - 6.0.15 Information Disclosure Vulnerability: Apache reports that if an exception occurs during the processing of parameters, such as the client disconnecting, then it is possible the parameters submitted for the request will be incorrectly processed as part of a subsequent request. To exploit this vulnerability, an unauthenticated remote attacker would locate a site hosting a vulnerable version of the Adobe Tomcat application, then wait for an unsuspecting user to transmit data to the server. Once transmitted, the attacker would cause the user/client to disconnect during the transmission and initiate their own connection with the user's parameters as part of the attacker's request. The successful exploitation of this vulnerability could allow a remote attacker access to sensitive information which could be used in later attacks.

7.2 (U) Apache Tomcat Data Integrity Vulnerability: Apache reports several versions of Tomcat (5.5.11 - 5.5.25 and 6.0.0 - 6.0.15) do not properly handle an empty request to an SSL port using netcat when the native Apache Portable Runtime (APR) connector is used. The successful exploitation of this vulnerability could allow an unauthenticated remote attacker to trigger a handling of "a duplicate copy of one of the recent requests".

7.3 (U) Apache Tomcat WebDAV Servlet Information Disclosure Vulnerability: Apache reports an information disclosure vulnerability associated with the WebDAV servlet in several Tomcat versions (4.0.0 - 4.0.6, 4.1.0, 5.0.0, 5.5.0 - 5.5.25, and 6.0.0 - 6.0.14). When the WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the disclosure of information to the client issuing the request. To exploit this vulnerability, an authenticated remote attacker could gain access to a vulnerable webserver and could create a maliciously crafted HTTP WebDAV Lock request for a file that the attacker has permissions to access, as well as referencing another remote file. The WebDAV 'Lock' function would process the attacker's request, making the remote file available to them.

Note: Exploit code has been developed for this vulnerability which is publicly available.

7.4 (U) Apache Tomcat JULI Vulnerability: Apache reports that the default catalina.policy in the JULI logging component in several Tomcat versions (5.5.9 - 5.5.25 and 6.0.0 - 6.0.15) does not restrict certain permissions for web applications. To exploit this vulnerability, an unauthenticated local attacker would construct a maliciously crafted Java web application which could contain a malicious logging configuration which is designed to leverage this vulnerability. The attacker would then gain local, interactive access to a vulnerable webserver, and then install and execute the malicious application. The application would write the log files, using the permissions of the user running the server. The successful exploitation of this vulnerability could allow an attacker to modify logging configuration options and overwrite arbitrary files, as well as having access to sensitive information.

Note: JULI is enabled by default in Tomcat 6.0, and supports per classloader configuration, in addition to the regular global java.util.logging configuration.

7.5 (U) Apache Tomcat Session Hijacking Vulnerability: Apache reports that several versions of Tomcat do not properly handle (1) double quote (") characters, or (2) %5C (encoded backslash) sequences in a cookie value. To exploit this vulnerability, an unauthenticated remote attacker would need to locate a network-accessible instance of a server hosting a vulnerable application (6.0.0 - 6.0.14, 5.5.0 - 5.5.25, and 4.1.0 - 4.1.36). A maliciously crafted web page or URI would be created by the attacker, to include either or both of these conditions, and distributed to an unsuspecting user. When the user views this webpage or follows this URI link, the user's server would not be able to properly handle the cookie data, and the user's information would be disclosed to the attacker, which could enable the attacker to ultimately hijack the user's session.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133296#4133296

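A small checker for the version ranges the message quotes, added here as an example (it is not from the original post or from the JBoss project): it reads the `server.info` string that Tomcat ships in `org/apache/catalina/util/ServerInfo.properties` inside its catalina jar (that properties path is the standard Tomcat one; the jar location on a JBoss install is left to the caller as an assumption) and reports which of items 7.1 to 7.5 list that version as affected.

```python
"""Map a Tomcat version string onto the affected ranges quoted in items 7.1 - 7.5."""
import re
import zipfile

# Inclusive ranges copied from the advisory text above; single versions are (x, x).
AFFECTED = {
    "7.1 parameter leak on client disconnect": [("6.0.5", "6.0.15")],
    "7.2 APR empty SSL request": [("5.5.11", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.3 WebDAV SYSTEM entity disclosure": [("4.0.0", "4.0.6"), ("4.1.0", "4.1.0"),
                                            ("5.0.0", "5.0.0"), ("5.5.0", "5.5.25"),
                                            ("6.0.0", "6.0.14")],
    "7.4 JULI catalina.policy": [("5.5.9", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.5 cookie quote / %5C handling": [("4.1.0", "4.1.36"), ("5.5.0", "5.5.25"),
                                        ("6.0.0", "6.0.14")],
}

def parse_version(text):
    """Extract the dotted numeric version from e.g. 'Apache Tomcat/6.0.14' as an int tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))

def affected_items(version_text):
    """Return the advisory item names whose quoted ranges contain this version."""
    v = parse_version(version_text)
    return [name for name, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]

def server_info_from_jar(jar_path):
    """Read the server.info property from the catalina ServerInfo.properties in a jar."""
    with zipfile.ZipFile(jar_path) as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties").decode("latin-1")
    for line in props.splitlines():
        if line.startswith("server.info="):
            return line.split("=", 1)[1].strip()
    raise ValueError("server.info not found in " + jar_path)

if __name__ == "__main__":
    import sys
    # Accepts either a jar path or a version string; the default is a constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else "Apache Tomcat/6.0.13"
    info = server_info_from_jar(target) if target.endswith(".jar") else target
    hits = affected_items(info)
    print(info, "->", hits or "not in any range quoted in the post")
```

A JBoss Web jar reports its own JBossWeb version string rather than an Apache Tomcat one, so a number that falls outside every range here only means the quoted ranges do not apply literally, not that the fix is present.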


