JVN#79314822: Tomcat vulnerable in request processing

Apache Tomcat, an implementation of the Java Servlet and JavaServer Pages technologies, contains a vulnerability in processing specific requests.

The Apache Software Foundation currently does not support AJP 1.3 Connector, and recommends the use of Coyote JK Connector instead. It also recommends users to upgrade from Tomcat 4.x to Tomcat 5.x.

To avoid this vulnerability, use the connectors other than AJP 1.3 Connector when connecting Apache Tomcat to a web server. Apache Tomcat supports Coyote JK Connector and Coyote HTTP/1.1 Connector.

The Information-technology Promotion Agency, Japan (IPA) has created the patch for AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector) for Tomcat 4.1.31. The patch is available at the links in the References.

[Updated on 2008/06/19]
Note that the old version of Coyote Connector is vulnerable to this issue.
Use the latest version of the supported connector.

Impact

A remote attacker could execute an illegal request using other users’ information or view other users’ information.

Solution

Update the Software
Update the product to the latest version according to the information provided by the vendor.

Products Affected

• Apache Tomcat 4.1.36 or prior version connected to a web server using the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector)
• Apache Tomcat 4.1.29 or prior version, or 5.0.16 or prior version, connected to a web server using any Connector