CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
EPSS: 0.003 Low
Percentile: 64.8%
Important: Information disclosure CVE-2011-3375
For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that need to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled again before being used for the next request. That led to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request. The issue was resolved by ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries.
This was fixed in revision 1176592.
This was identified by the Tomcat security team on 22 September 2011 and made public on 17 January 2012.
Affects: 7.0.0-7.0.21
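The recycling order described for CVE-2011-3375 can be reproduced with a small model, shown here as an added example that is not Tomcat's code: the class names, the `serve` and `accessLog` methods and the `fixed` flag are hypothetical, and the addresses are constructed documentation values. With the vulnerable ordering the second client reads the address cached for the first; with the extra recycle after logging it reads its own.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model; names are hypothetical and addresses constructed (not Tomcat code).
public class RecycleLeakDemo {
    // Holds the data parsed from the connection currently being processed.
    static class Processor {
        final Map<String, String> parsed = new HashMap<>();
        void recycle() { parsed.clear(); }
    }

    // Lazily caches values taken from the processor; reused across requests.
    static class Request {
        final Processor processor;
        final Map<String, String> cache = new HashMap<>();
        Request(Processor processor) { this.processor = processor; }
        String get(String name) {
            return cache.computeIfAbsent(name, processor.parsed::get);
        }
        void recycle() { cache.clear(); }
    }

    // Access logging reads through the request object, which fills its cache.
    static void accessLog(Request req) {
        System.out.println("  access log: " + req.get("remoteAddr"));
    }

    // Serves one request; returns the address the application sees (null on error).
    static String serve(Processor proc, Request req, String addr, boolean error, boolean fixed) {
        proc.parsed.put("remoteAddr", addr);        // parsing fills the processor
        String seen = error ? null : req.get("remoteAddr");
        req.recycle();                              // request is recycled first
        if (error) {
            accessLog(req);                         // re-populates the recycled cache
            if (fixed) req.recycle();               // the fix: recycle again after logging
        }
        proc.recycle();                             // processor is recycled later
        return seen;
    }

    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            Processor proc = new Processor();
            Request req = new Request(proc);
            serve(proc, req, "203.0.113.7", true, fixed);    // client A hits an error
            String seen = serve(proc, req, "198.51.100.9", false, fixed); // client B
            System.out.println((fixed ? "fixed" : "vulnerable") + ": client B sees " + seen);
        }
    }
}
```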
Low: Privilege Escalation CVE-2011-3376
This issue only affects environments running web applications that are not trusted (e.g. shared hosting environments). The Servlets that implement the functionality of the Manager application that ships with Apache Tomcat should only be available to Contexts (web applications) that are marked as privileged. However, this check was not being made. This allowed an untrusted web application to use the functionality of the Manager application. This could be used to obtain information on running web applications as well as deploying additional web applications.
This was fixed in revision 1176588.
This was identified by Ate Douma on 27 September 2011 and made public on 8 November 2011.
Affects: 7.0.0-7.0.21
CPE | Name | Operator | Version |
---|---|---|---|
apache | tomcat | ge | 7.0.0 |
apache | tomcat | le | 7.0.21 |