Apache Tomcat Information Disclosure

Apache Tomcat Information Disclosure: Posted Jun 4, 2009; Authored by Mark Thomas | Site tomcat.apache.org; Apache Tomcat suffers from a XML parser replacement related information disclosure vulnerability. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.; tags | advisory, info disclosure; advisories | CVE-2009-0783; SHA-256 | c2b64deb31914b487990416282c15bcbf60ade318ae9adeff66567f4a45f4d69; Download | Favorite | View

Apache Tomcat Information Disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-0783: Apache Tomcat information disclosure vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39

The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected.

Description:
Bugs https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 allowed a web
application to replace the XML parser used by Tomcat to process web.xml,
context.xml and tld files. If a web application is the first web
application loaded, these bugs allow that web application to potentially
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.

Mitigation:
6.0.x users should do one of the following:
 - upgrade to 6.0.20
 - apply these patches
   - http://svn.apache.org/viewvc?rev=739522&view=rev
   - http://svn.apache.org/viewvc?rev=652592&view=rev
5.5.x users should do one of the following:
 - upgrade to 5.5.28 when released
 - apply these patches
   - http://svn.apache.org/viewvc?rev=781542&view=rev
   - http://svn.apache.org/viewvc?rev=681156&view=rev
4.1.x users should do one of the following:
 - upgrade to 4.1.40 when released
 - apply this patch http://svn.apache.org/viewvc?rev=781708&view=rev

Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an
example web application that can be used to replace the XML parser used
by Tomcat.

Credit:
The security implications of these bugs was discovered and reported to
the Apache Software Foundation by Philippe Prados.


References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

The Apache Tomcat Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkonw6EACgkQb7IeiTPGAkM8qACgyxH+hBK4r4DprZhIqd97x/V1
/7EAnRMaJsKIoPzBQgOtOhM3vOCtyL+F
=B+Gu
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 297 files
Ubuntu 69 files
Debian 20 files
Gentoo 8 files
Apple 6 files
Google Security Research 4 files
LiquidWorm 4 files
Spencer McIntyre 3 files
Alter Prime 3 files
Jann Horn 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,172)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,112)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,459)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,018)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Apache Tomcat Information Disclosure

Apache Tomcat Information Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Apache Tomcat Information Disclosure

Share This

Apache Tomcat Information Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems