Gentoo Foundation GLSA-200804-10
Published: Apr 10, 2008

Tomcat: Multiple vulnerabilities

Source: security.gentoo.org

CVSS2: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE

AI Score: 5.7 (Confidence: Low)

EPSS: 0.125 (Percentile: 95.6%)

Background

Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and JavaServer Pages.

Description

The following vulnerabilities were reported:

  • Delian Krustev discovered that the JULI logging component does not properly enforce access restrictions, allowing a web application to add or overwrite files (CVE-2007-5342).
  • When the native APR connector is used, Tomcat does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of a duplicate copy of one of the recent requests (CVE-2007-6286).
  • If the processing of request parameters is interrupted, e.g. by an exception, the parameters may be processed as part of a later request (CVE-2008-0002).
  • An absolute path traversal vulnerability exists due to the way WebDAV write requests are handled (CVE-2007-5461).
  • Tomcat does not properly handle double quote (") characters or %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks (CVE-2007-5333).

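The last item above describes a general hazard of quoted-string cookie handling: if a parser lets a value that opens with `"` run until the next unescaped `"`, a crafted value containing a stray `"` or `\` (what `%5C` decodes to) can swallow everything that follows in the Cookie header, including another cookie such as the session ID, and an application that later echoes the first value leaks the second. The following is an added illustration of that class of bug, not Tomcat's own parser: `parse_cookies_lenient` models the unsafe behaviour, `parse_cookies_strict` bounds every pair at `;` first and rejects unbalanced quoting, and `safe_cookie_value` is a set-side check against RFC 6265 cookie-octets. The headers, cookie names and the session ID are constructed samples.

```python
import re

# Constructed samples: "theme" is a cookie whose value the application
# later reflects to the client; JSESSIONID is a made-up victim session.
SESSION_ID = "0123456789ABCDEF0123456789ABCDEF"
BENIGN_HEADER = 'theme=dark; JSESSIONID=' + SESSION_ID
CRAFTED_QUOTE_HEADER = 'theme="; JSESSIONID=' + SESSION_ID        # stray "
CRAFTED_BACKSLASH_HEADER = 'theme="a\\"; JSESSIONID=' + SESSION_ID  # \ escapes the closing "

_TOKEN = re.compile(r'\s*([^=;\s]+)=')


def parse_cookies_lenient(header: str) -> dict:
    """Unsafe model: a value that opens with '"' runs to the next unescaped
    '"' and, if there is none, to the end of the header.  A backslash
    escapes the following character, so '\\"' does not close the value.
    This is what lets 'theme' absorb the JSESSIONID pair."""
    out, i, n = {}, 0, len(header)
    while i < n:
        m = _TOKEN.match(header, i)
        if not m:
            break
        name, i = m.group(1), m.end()
        if i < n and header[i] == '"':
            j = i + 1
            while j < n and header[j] != '"':
                if header[j] == '\\':
                    j += 1          # skip the escaped character
                j += 1
            out[name] = header[i + 1:j]
            i = j + 1
        else:
            j = header.find(';', i)
            j = n if j < 0 else j
            out[name] = header[i:j].strip()
            i = j
        while i < n and header[i] in '; ':
            i += 1
    return out


def parse_cookies_strict(header: str) -> dict:
    """Hardened variant: split on ';' before interpreting quotes, so no
    value can extend across a separator.  A quoted value must be balanced
    within its own pair and may not end in a dangling backslash; a token
    value may not contain a raw '"' or '\\'.  Malformed pairs are dropped."""
    out = {}
    for part in header.split(';'):
        part = part.strip()
        if '=' not in part:
            continue
        name, value = (s.strip() for s in part.split('=', 1))
        if value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                continue                       # unbalanced quote
            inner = value[1:-1]
            if '"' in inner.replace('\\"', '') or inner.endswith('\\'):
                continue                       # unescaped quote / dangling \
            value = inner.replace('\\"', '"').replace('\\\\', '\\')
        elif '"' in value or '\\' in value:
            continue
        out[name] = value
    return out


# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
# i.e. no CTLs, whitespace, '"', ',', ';' or '\'.
_COOKIE_OCTETS = re.compile(r'^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$')


def safe_cookie_value(value: str) -> bool:
    """Set-side check to apply before putting user input into Set-Cookie."""
    return bool(_COOKIE_OCTETS.match(value))


if __name__ == "__main__":
    for h in (BENIGN_HEADER, CRAFTED_QUOTE_HEADER, CRAFTED_BACKSLASH_HEADER):
        print("lenient:", parse_cookies_lenient(h))
        print("strict: ", parse_cookies_strict(h))
```

With the lenient parser both crafted headers yield a single `theme` cookie whose value contains `JSESSIONID=...`; the strict parser drops the malformed `theme` pair and keeps the session cookie intact, and `safe_cookie_value` stops such values from being set in the first place.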
Impact

These vulnerabilities can be exploited by:

  • a malicious web application to add or overwrite files with the permissions of the user running Tomcat.
  • a remote attacker to conduct session hijacking or disclose sensitive data.

Workaround

There is no known workaround at this time.

Resolution

All Tomcat 5.5.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/tomcat-5.5.26"

All Tomcat 6.0.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.16"

OS      Version  Architecture  Package             Version   Filename
Gentoo  any      all           www-servers/tomcat  < 6.0.16  UNKNOWN
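Before and after running the emerge commands above it is worth checking the installed version against the advisory's boundaries rather than eyeballing it. The following is an added example, not Gentoo's or Tomcat's own code: it takes Portage-style atoms such as `www-servers/tomcat-6.0.14` (the samples below are constructed; on a real host the atom would come from the package manager) and applies the page's rule, vulnerable if below 6.0.16 unless the package is on the 5.5 branch at 5.5.26 or later, then names the upgrade target from the Resolution section.

```python
import re

# Fixed versions named in this advisory.
FIXED_55 = (5, 5, 26)
FIXED_60 = (6, 0, 16)

# Portage atom with optional revision suffix, e.g. www-servers/tomcat-5.5.26-r1
_ATOM = re.compile(r'^www-servers/tomcat-(\d+(?:\.\d+)*)(?:-r\d+)?$')

# Constructed sample inventory (not output of any real command).
SAMPLE_ATOMS = [
    "www-servers/tomcat-5.5.25",
    "www-servers/tomcat-5.5.26-r1",
    "www-servers/tomcat-6.0.14",
    "www-servers/tomcat-6.0.16",
    "www-servers/tomcat-4.1.36",
]


def parse_version(atom: str) -> tuple:
    """Return the numeric version of a tomcat atom as a tuple; the -rN
    Gentoo revision does not change the upstream version and is ignored."""
    m = _ATOM.match(atom.strip())
    if not m:
        raise ValueError(f"not a www-servers/tomcat atom: {atom!r}")
    return tuple(int(p) for p in m.group(1).split('.'))


def is_vulnerable(atom: str) -> bool:
    """The advisory's affected row is '< 6.0.16', with 5.5.26 and later on
    the 5.5 branch being the other fixed line.  Anything else below 6.0.16,
    including older branches such as 4.1.x, is therefore reported affected."""
    v = parse_version(atom)
    if v >= FIXED_60:
        return False
    if v[:2] == (5, 5) and v >= FIXED_55:
        return False
    return True


def audit(atoms) -> dict:
    """Map each atom to 'ok' or the upgrade target from the Resolution."""
    verdict = {}
    for atom in atoms:
        if not is_vulnerable(atom):
            verdict[atom] = "ok"
        elif parse_version(atom)[:2] == (5, 5):
            verdict[atom] = "upgrade to >=www-servers/tomcat-5.5.26"
        else:
            verdict[atom] = "upgrade to >=www-servers/tomcat-6.0.16"
    return verdict


if __name__ == "__main__":
    for atom, result in audit(SAMPLE_ATOMS).items():
        print(f"{atom:32} {result}")
```

The revision suffix is stripped on purpose: a `-r1` rebuild of 5.5.25 is still 5.5.25 and still affected, while `5.5.26-r1` is fixed.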
