Apache Tomcat (tomcat) TOMCAT:4C0559742ED28D4905A11CC802782CFE
Jan 31, 2014 - 12:00 a.m.

Fixed in Apache Tomcat 6.0.39

2014-01-31 00:00:00
Apache Tomcat
tomcat.apache.org
14

CVSS2: 5.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.972 High
  Percentile: 99.8%

Note: The issues below were fixed in Apache Tomcat 6.0.38 but the release vote for 6.0.38 did not pass. Therefore, although users must download 6.0.39 to obtain a version that includes the fixes for these issues, version 6.0.38 is not included in the list of affected versions.

Low: Frame injection in documentation Javadoc CVE-2013-1571

Tomcat 6 is built with Java 5, which is known to generate Javadoc with a frame injection vulnerability.

The published Javadoc on the Apache Tomcat website was fixed the day this issue was announced. The Javadoc generation for releases was fixed in revision 1557724.

This issue was published by Oracle on 18 June 2013.

Affects: 6.0.0-6.0.37

Important: Information disclosure CVE-2013-4286

The fix for CVE-2005-2090 was not complete. It did not cover the following cases:

  • content-length header with chunked encoding over any HTTP connector
  • multiple content-length headers over any AJP connector

Requests with multiple content-length headers or with a content-length header when chunked encoding is being used should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used, and several components do not reject the request and make different decisions as to which content-length header to use, an attacker can poison a web-cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

This was fixed in revision 1552565.

This issue was identified by the Apache Tomcat security team on 15 August 2013 and made public on 25 February 2014.

Affects: 6.0.0 to 6.0.37
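
The rejection rule described for CVE-2013-4286, as an added example (not Tomcat's code and not the change in revision 1552565): a minimal Python check over a raw request head that lists the body framings different components could settle on and applies the two reject conditions. The function names and the sample requests are constructed for illustration.

```python
# Added example, not Tomcat's implementation. Sample requests are constructed.

def framing_headers(raw: bytes):
    """Return (list of Content-Length values, chunked?) from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lengths, chunked = [], False
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        if name == "content-length":
            lengths.append(value.strip())
        elif name == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            chunked = chunked or "chunked" in codings
    return lengths, chunked


def body_framings(raw: bytes):
    """Every way a component in the chain could decide where the body ends."""
    lengths, chunked = framing_headers(raw)
    choices = sorted({f"content-length={v}" for v in lengths})
    if chunked:
        choices.append("chunked")
    return choices


def verdict(raw: bytes) -> str:
    """Apply the two reject conditions the advisory names."""
    lengths, chunked = framing_headers(raw)
    if len(lengths) > 1:
        return "reject: multiple content-length headers"
    if lengths and chunked:
        return "reject: content-length with chunked encoding"
    return "accept"


HEAD = b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {  # constructed inputs
    "single_cl": HEAD + b"Content-Length: 5\r\n\r\nhello",
    "dup_cl": HEAD + b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello",
    "cl_and_chunked": HEAD + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "chunked_only": HEAD + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} {verdict(raw):45} {body_framings(raw)}")
```

A request that yields more than one entry from `body_framings` is one on which a front-end and Tomcat could disagree about where the body ends, which is the condition the advisory says must be rejected rather than resolved.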

Important: Denial of service CVE-2013-4322

The fix for CVE-2012-3544 was not complete. It did not cover the following cases:

  • chunk extensions were not limited
  • whitespace after the : in a trailing header was not limited

This was fixed in revision 1556540.

The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS Security Labs on 5 November 2013. It was made public on 25 February 2014.

Affects: 6.0.0 to 6.0.37

Low: Information disclosure CVE-2013-4590

Application-provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE, which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources, such as in a shared hosting environment.

This was fixed in revision 1558828.

This issue was identified by the Apache Tomcat security team on 29 October 2013 and made public on 25 February 2014.

Affects: 6.0.0 to 6.0.37

Low: Session fixation CVE-2014-0033

Previous fixes to path parameter handling (1149220) introduced a regression that meant session IDs provided in the URL were considered even when disableURLRewriting was configured to true. Note that the session is only used for that single request.

This was fixed in revision 1558822.

This issue was identified by the Apache Tomcat security team on 1 December 2013 and made public on 25 February 2014.

Affects: 6.0.33 to 6.0.37
