JVN#63832775: Apache Tomcat information disclosure vulnerability

2009-06-09
Japan Vulnerability Notes (jvn.jp)

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.004 Low (Percentile: 73.1%)

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
Apache Tomcat contains a vulnerability which may allow information disclosure or access to the contents of the WEB-INF directory.

Impact

A remote attacker could possibly obtain information, such as configuration or user credentials, that the application stores under the WEB-INF directory.

Solution

Update the Software

Update to Apache Tomcat 6.0.20 according to the information provided by the developer.

For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, the Apache Tomcat Project has not yet released versions of these branches that resolve the vulnerability. Users of Apache Tomcat 5.5.x and 4.1.x should obtain the latest source code from svn, or update to Apache Tomcat 5.5.28 and 4.1.40 once they are released.

For more information, refer to the developer’s website.

Products Affected

  • Apache Tomcat 4.1.0 to 4.1.39
  • Apache Tomcat 5.5.0 to 5.5.27
  • Apache Tomcat 6.0.0 to 6.0.18

According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
For more information, refer to the developer’s website.
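
For inventory triage, the version ranges and fixed releases above can be checked mechanically. The following is an added example, not part of the JVN advisory or of Tomcat; it assumes version strings of the form `Apache Tomcat/x.y.z` (as printed by Tomcat's `version.sh`), and the host names and function names are hypothetical.

```python
import re

# Inclusive ranges copied from the "Products Affected" list above.
AFFECTED = [((4, 1, 0), (4, 1, 39)),
            ((5, 5, 0), (5, 5, 27)),
            ((6, 0, 0), (6, 0, 18))]
# Fixed releases named under "Solution", keyed by branch.
FIXED = {(4, 1): "4.1.40", (5, 5): "5.5.28", (6, 0): "6.0.20"}
# Unsupported branches the advisory says "may also be affected".
UNSUPPORTED = [(3,), (4, 0), (5, 0)]

# Assumed banner format: "Apache Tomcat/<major>.<minor>.<patch>"
BANNER = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")

def triage(banner):
    """Classify one version banner against this advisory.

    Returns (status, detail); status is one of
    affected / possibly-affected / not-listed / unknown.
    """
    m = BANNER.search(banner)
    if not m:
        return ("unknown", "no Tomcat version found in banner")
    v = tuple(int(x) for x in m.groups())
    for lo, hi in AFFECTED:
        if lo <= v <= hi:  # tuple comparison is numeric, so 4.1.9 < 4.1.39
            return ("affected", "update to " + FIXED[v[:2]])
    if any(v[:len(p)] == p for p in UNSUPPORTED):
        return ("possibly-affected", "unsupported branch; see developer's website")
    return ("not-listed", "outside the ranges in this advisory")

# Constructed sample inventory (host, banner); not real systems.
SAMPLE = [
    ("app01", "Server version: Apache Tomcat/6.0.18"),
    ("app02", "Server version: Apache Tomcat/6.0.20"),
    ("app03", "Server version: Apache Tomcat/5.5.9"),
    ("old01", "Server version: Apache Tomcat/5.0.28"),
    ("web01", "Server: nginx"),
]

def report(inventory=SAMPLE):
    """Map each host to its triage status."""
    return {host: triage(banner)[0] for host, banner in inventory}

if __name__ == "__main__":
    for host, banner in SAMPLE:
        print(host, *triage(banner))
```

A "not-listed" result only means the version falls outside the ranges this advisory names; it says nothing about other advisories.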
