[SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass

2011-05-17T00:00:00
ID SECURITYVULNS:DOC:26374
Type securityvulns
Reporter Securityvulns
Modified 2011-05-17T00:00:00

Description


CVE-2011-1582 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.12-7.0.13
- Earlier versions are not affected

Description: An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security constraints configured via annotations (@ServletSecurity) were ignored on the first request to a Servlet, so that request was served without the constraint's authentication, authorization or transport requirements being applied. Subsequent requests were secured correctly. Constraints declared in web.xml were not affected.

Mitigation: Users of affected versions should apply one of the following mitigations:
- Upgrade to Tomcat 7.0.14 or later
- Define all security constraints in web.xml
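The following is an added example of the second mitigation; it is not part of the advisory or of Tomcat itself. It assumes a hypothetical application with an AdminServlet mapped at /admin/* that was protected only by an @ServletSecurity annotation, and shows the equivalent declaration in web.xml. The servlet class, URL pattern, role name and login pages are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the advisory's or Tomcat's own configuration.
     Hypothetical application: an AdminServlet mapped at /admin/* that was
     previously protected only by the annotation

       @WebServlet("/admin/*")
       @ServletSecurity(@HttpConstraint(rolesAllowed = "admin",
                        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
       public class AdminServlet extends HttpServlet { ... }

     On Tomcat 7.0.12/7.0.13 that annotation is not enforced on the first
     request to the servlet. The constraint below states the same policy in
     web.xml, which the container applies to every request, including the
     first. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Cover every URL pattern the annotations covered, so that nothing is
       left to annotation processing. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- Deliberately no <http-method> elements: without them the
           constraint applies to all HTTP methods. Listing methods would
           leave every unlisted method unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- rolesAllowed = "admin" -->
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- TransportGuarantee.CONFIDENTIAL -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication mechanism and realm name are assumptions. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin area</realm-name>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

Two points worth checking after making this change. First, a security-constraint in web.xml whose url-pattern matches a request takes precedence over @ServletSecurity for that URL, so once every annotated pattern is listed the annotations no longer decide the access policy; setting metadata-complete="true" on the web-app element additionally stops the container from processing the annotations at all, which is the safer end state if the annotations are left in the source. Second, to confirm the mitigation on an affected build, restart Tomcat and make an unauthenticated request to a constrained URL as the very first request to that servlet: a 401 or 403 shows the web.xml constraint is enforced, whereas a 200 on that first request reproduces the bug described above.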

Credit: This issue was identified by the Apache Tomcat security team.

References:
- http://tomcat.apache.org/security.html
- http://tomcat.apache.org/security-7.html
