JVN#79314822: Tomcat vulnerable in request processing

Source: Japan Vulnerability Notes (jvn.jp), JVN:79314822
Published: 2005-09-30

CVSS2: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.009 (Percentile: 82.8%)

Apache Tomcat, an implementation of the Java Servlet and JavaServer Pages technologies, contains a vulnerability in processing specific requests.

The Apache Software Foundation does not currently support the AJP 1.3 Connector and recommends using the Coyote JK Connector instead. It also recommends that users upgrade from Tomcat 4.x to Tomcat 5.x.

To avoid this vulnerability, use a connector other than the AJP 1.3 Connector when connecting Apache Tomcat to a web server. Apache Tomcat supports the Coyote JK Connector and the Coyote HTTP/1.1 Connector.

The Information-technology Promotion Agency, Japan (IPA) has created a patch for the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector) in Tomcat 4.1.31. The patch is available at the links in the References.

[Updated on 2008/06/19]
Note that the old version of the Coyote Connector is vulnerable to this issue.
Use the latest version of a supported connector.
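
As an added example (not part of the JVN advisory or of Tomcat itself), the following Python check lists the active connectors in a Tomcat server.xml and flags any that still use org.apache.ajp.tomcat4.Ajp13Connector. The sample configuration is constructed, and the Coyote class and handler names in it are assumed from a stock Tomcat 4.1 configuration.

```python
import xml.etree.ElementTree as ET

# Connector class named in the advisory as affected.
LEGACY_AJP13 = "org.apache.ajp.tomcat4.Ajp13Connector"

# Constructed sample server.xml (not from the advisory). The Coyote class and
# handler names are assumed from a stock Tomcat 4.1 configuration.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"/>
    <!-- Disabled, so it must not be reported:
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8010"/>
    -->
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"/>
  </Service>
  <Service name="Tomcat-Apache">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8019"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one finding per active <Connector> element.

    ElementTree drops XML comments while parsing, so commented-out connectors
    are ignored; a plain text search for the class name would report them.
    """
    findings = []
    for service in ET.fromstring(server_xml).iter("Service"):
        for conn in service.iter("Connector"):
            cls = conn.get("className", "").strip()
            findings.append({"service": service.get("name", "?"),
                             "port": conn.get("port", "?"),
                             "className": cls,
                             "legacy_ajp13": cls == LEGACY_AJP13})
    return findings


def legacy_ajp13_ports(server_xml):
    """Ports of active connectors that still use the AJP 1.3 Connector class."""
    return [f["port"] for f in audit_connectors(server_xml) if f["legacy_ajp13"]]


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print("REPLACE" if f["legacy_ajp13"] else "ok", f["service"], f["port"], f["className"])
```

The check covers the connector class only; the Tomcat version ranges listed under Products Affected still have to be compared separately.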

Impact

A remote attacker could execute an illegal request using other users’ information or view other users’ information.

Solution

Update the Software
Update the product to the latest version according to the information provided by the vendor.

Products Affected

  • Apache Tomcat 4.1.36 or earlier connected to a web server using the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector)
  • Apache Tomcat 4.1.29 or earlier, or 5.0.16 or earlier, connected to a web server using any Connector
