Date: 12 July 2010
References: ESB-2010.0671 ESB-2010.0672 ESB-2010.0818 ESB-2010.1072 ESB-2011.0355 ESB-2011.0430 ESB-2011.1034 ASB-2012.0008 ESB-2013.0466
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0604
Apache Tomcat Remote Denial Of Service and Information
Disclosure Vulnerability
12 July 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Tomcat
Publisher: Apache
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Read-only Data Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2010-2227
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information
Disclosure Vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 5.5.0 to 5.5.29
Tomcat 6.0.0 to 6.0.27
Tomcat 7.0.0
Note: 7.0.0 is still beta.
Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.
Description:
Several flaws in the handling of the 'Transfer-Encoding' header were
found that prevented the recycling of a buffer. A remote attacker could
trigger this flaw which would cause subsequent requests to fail and/or
information to leak between requests.
Mitigation:
- - - Tomcat 5.5.x users should upgrade to 5.5.30 or apply this patch:
http://svn.apache.org/viewvc?view=revision&revision=959428
- - - Tomcat 6.0.x users should upgrade to 6.0.28 or apply this patch:
http://svn.apache.org/viewvc?view=revision&revision=958977
- - - Tomcat 7.0.x users should upgrade to 7.0.1 when released or apply this
patch:
http://svn.apache.org/viewvc?view=revision&revision=958911
- - - All users may mitigate this flaw by running Tomcat behind a reverse
proxy (such as Apache httpd 2.2) that rejects invalid values for
Transfer-Encoding.
Credit:
This issue was discovered by Steve Jones
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
The Apache Tomcat Security Team
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJMN07EAAoJEBDAHFovYFnn8U4P/2wJuP+JYoqeIpPJwK7stqfd
jKO01S999v9lnYpIfPXEaFgGXTedo7BYo4X+OTuR7OLiAR6DVa1PhVzDd4bzoeW3
sY9zbOiXEvM6Ps5eVPJuR9P4YVs8O6qeLA8UKWV28KIFX/N4hZ5KAAJTSdlP0DuB
2dLB8cWtldTJrYmLVXbG//1j4S/k/PfHU/+MpZRIs8GWUPOpCxrWyvg+rTQN2zWP
iKsUzEEfXyoeHJmD/KM7OTbxfmL0HsUgeHPUBi4A6zPZt6e8614MZcr9FuwK4BBt
+8lCrZhP9XgxbTqp2qMRtF49ObK2gWVav3o2uruaK6NDvGLrAjgvV+mCxKVx6yjl
i9kL1K8S1FIO2eqTdVrQulega2NatYJxyG2ofDsb92+6mio/vLYKBxtI4bworQli
Vf/EWmYCuueKrZzde6k+HWhy9cR8JFdws/EGZ5UUaMiVB5Rvk5jPHwBgJDUdnSqC
75HEQBTsowsVKLGuHSnIjkg4B0IiAT6COsOsTfXsUSUn8f95a40GTynE70xvL0Ii
17wr2aK3fC8z9XG3Grbx1s4KiIW41iPBDSh9I7WWSQ+hhq+VHsBKJoubQsWW4qVb
sRuMx6kHTRq1DqEiTtAQFdMiE1oyDNB1ro99j44LH4azJvi5hS5S5R5QOyt9PshE
x6KDdVdqZF3+d64YwjtE
=KHN9
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMOkjh/iFOrG6YcBERArr7AJ9GnOB2lQ5kRabo9qDRV+5R+r2CdgCeInPs
psRZXNhu/oagBl1lOWgms9Q=
=keGI
-----END PGP SIGNATURE-----
|