[SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Update 2

2008-12-19T00:00:00
ID SECURITYVULNS:DOC:21057
Type securityvulns
Reporter Securityvulns
Modified 2008-12-19T00:00:00

Description


CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Update 2

Severity: Important

Vendor: Multiple (was The Apache Software Foundation)

Versions Affected: Various

Description (new information): This vulnerability was originally reported to the Apache Software Foundation as a Tomcat vulnerability. Investigations quickly identified that the root cause was an issue with the UTF-8 charset implementation within the JVM. The issue existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and Apache.

It was decided to continue to report this as a Tomcat vulnerability until such time as the JVM vendors had released fixed versions.

Unfortunately, the release of fixed JVMs and associated vulnerability disclosure has not been co-ordinated. There has been some confusion within the user community as to the nature and root cause of CVE-2008-2938. Therefore, the Apache Tomcat Security Team is issuing this update to clarify the situation.

Mitigation: Contact your JVM vendor for further information. Tomcat users may upgrade as follows to a Tomcat version that contains a workaround:
- 6.0.x users should upgrade to 6.0.18
- 5.5.x users should upgrade to 5.5.27
- 4.1.x users should upgrade to 4.1.39

Credit: This additional information was discovered by the Apache security team.

References: http://tomcat.apache.org/security.html

Mark Thomas