The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: several vulnerabilities

Synthesis of the vulnerability 

An attacker can exploit several vulnerabilities in Apache Tomcat to cause a denial of service or to obtain information.
Vulnerable systems: Tomcat, BES, Debian, Fedora, Performance Center, HP-UX, JBoss AS OpenSource, NSM Central Manager, NSMXpress, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity of this threat: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 04/06/2009.
Revision dates: 09/06/2009, 10/06/2010.
References of this weakness: 263529, 6848375, 6849727, BID-35193, BID-35196, BID-35263, BID-35416, c01908935, c02181353, c02515878, CERTA-2009-AVI-211, CERTA-2010-AVI-220, CERTA-2011-AVI-169, CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0783, DSA-2207-1, FEDORA-2009-11352, FEDORA-2009-11356, FEDORA-2009-11374, HPSBMA02535, HPSBUX02466, HPSBUX02579, KB25966, MDVSA-2009:136, MDVSA-2009:138, MDVSA-2009:163, MDVSA-2010:176, PSN-2012-05-584, RHSA-2009:1143-01, RHSA-2009:1144-01, RHSA-2009:1145-01, RHSA-2009:1146-01, RHSA-2009:1164-01, RHSA-2009:1454-01, RHSA-2009:1506-01, RHSA-2009:1562-01, RHSA-2009:1563-01, RHSA-2009:1616-01, RHSA-2009:1617-01, RHSA-2010:0602-02, SSRT090192, SSRT100029, SSRT100203, SUSE-SR:2009:012, SUSE-SR:2010:008, VIGILANCE-VUL-8762, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability 

Several vulnerabilities were announced in Apache Tomcat.

An attacker can send invalid headers in order to close the AJP connection (denial of service). [severity:2/4; BID-35193, CVE-2009-0033]

When form authentication (j_security_check) uses a MemoryRealm, DataSourceRealm or JDBCRealm, an attacker can submit a password with invalid URL encoding. The difference in the response then reveals whether a username is valid. [severity:2/4; BID-35196, CVE-2009-0580]

A web application can replace the XML parser, and thus read the web.xml/context.xml files of another application. [severity:1/4; BID-35416, CVE-2009-0783]

The URL path is unnecessarily canonicalized in ApplicationHttpRequest.java, with the query string still attached. For example, the URL "http://s/dir1/dir2?/../" is converted to "http://s/dir1/". [severity:2/4; BID-35263, CERTA-2009-AVI-211, CERTA-2010-AVI-220, CVE-2008-5515]
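As an added illustration (not Tomcat's code), the following simplified Python model reproduces the canonicalization ordering the bulletin describes for CVE-2008-5515 and places the safe ordering beside it; the function names and the sample request target are constructed for this example.

```python
# Added example, not code from Apache Tomcat or from the bulletin.
# It models the defect described above: when a request target is
# normalized before its query string is split off, "/../" supplied in
# the query rewrites the path in front of it.

def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments of an absolute path.

    A trailing '/' is preserved, and '..' never climbs above the root.
    """
    out = []
    for seg in path.split("/")[1:]:  # path begins with '/', skip the empty head
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def flawed_canonicalize(request_target: str) -> str:
    """Flawed ordering (the behaviour the bulletin reports): the whole
    request target, query string included, is normalized as if it were a
    path, so '?/../' collapses the path that precedes it."""
    return normalize_path(request_target)


def safe_canonicalize(request_target: str) -> str:
    """Safe ordering: separate the query string first, normalize only the
    path component, then reattach the query untouched."""
    path, sep, query = request_target.partition("?")
    return normalize_path(path) + sep + query


def demo():
    # The bulletin's example "http://s/dir1/dir2?/../", as a request target.
    target = "/dir1/dir2?/../"
    return flawed_canonicalize(target), safe_canonicalize(target)


if __name__ == "__main__":
    flawed, safe = demo()
    print("flawed:", flawed)  # /dir1/
    print("safe:  ", safe)    # /dir1/dir2?/../
```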

This weakness note impacts software or systems such as Tomcat, BES, Debian, Fedora, Performance Center, HP-UX, JBoss AS OpenSource, NSM Central Manager, NSMXpress, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.

Our Vigil@nce team determined that the severity of this threat note is medium.

The trust level is "confirmed by the vendor", and the attack origin is "intranet client".

This bulletin is about 4 vulnerabilities.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with beginner skills can exploit this weakness.

Solutions for this threat 

Apache Tomcat: version 6.0.20.
Version 6.0.20 is corrected:
  http://tomcat.apache.org/download-60.cgi

Apache Tomcat: version 5.5.28.
Version 5.5.28 is corrected:
  http://tomcat.apache.org/download-55.cgi

Apache Tomcat: version 4.1.40.
Version 4.1.40 is corrected:
  http://tomcat.apache.org/download-41.cgi

BlackBerry Enterprise Server: patch for Apache Tomcat.
A patch is available:
  http://www.blackberry.com/go/serverdownloads
  Interim Security Software Update 12/04/2011

Debian: new tomcat5.5 packages.
New packages are available:
  tomcat5.5 5.5.26-5lenny2

Fedora: new tomcat6 packages.
New packages are available:
  tomcat6-6.0.20-1.fc10
  tomcat6-6.0.20-1.fc11
  tomcat6-6.0.20-1.fc12

HP Performance Manager: patch.
A patch is available:
  https://www.hp.com/go/swa
  HP-UX (IA) : HPPM8CPI_00001
  HP-UX (PA) : HPPM8CPP_00001
  Linux : HPPM8CPL_00001
  Solaris : HPPM8CPS_00001
  Windows : HPPM8CPW_00001

HP-UX: Tomcat version B.5.5.27.03.
Tomcat-based Servlet Engine version B.5.5.27.03 is corrected.

HP-UX Web Server Suite: version 3.13.
The version HP-UX Web Server Suite 3.13 is corrected:
  http://software.hp.com/

Juniper NSM: version 2011.4.
The version 2011.4 is corrected.

Mandriva 2008.0: new tomcat5 packages.
New packages are available:
  tomcat5-5.5.23-9.2.10.3mdv2008.0

Mandriva ES5: new tomcat5 packages.
New packages are available:
Mandriva Enterprise Server 5:
  tomcat5-5.5.27-0.3.0.2mdvmes5

Mandriva: new tomcat5 packages.
New packages are available:
  Mandriva Linux 2009.0: tomcat5-5.5.27-0.3.0.1mdv2009.0
  Mandriva Linux 2009.1: tomcat5-5.5.27-0.3.0.1mdv2009.1

Red Hat Network Satellite Server 5.1: new tomcat5 packages.
New packages are available:
  tomcat5-5.0.30-0jpp_16rh

Red Hat Network Satellite Server 5.2 and 5.3: new tomcat5 packages.
New packages are available:
  tomcat5-5.5.23-0jpp_18rh

RHAS v2: new tomcat packages.
New packages are available:
Red Hat Application Server v2 - RHEL4 : tomcat5-5.5.23-0jpp_4rh.16

RHDS v3: new tomcat packages.
New packages are available:
Red Hat Developer Suite v.3 (AS v.4): tomcat5-5.5.23-0jpp_18rh

RHEL 4: new Red Hat Certificate System 7.3 packages.
New packages are available, as indicated in information sources.

RHEL 5: new tomcat packages (22/07/2009).
New packages are available:
  tomcat5-5.5.23-0jpp.7.el5_3.2

RHEL JBoss 4, 5: new tomcat5 packages.
New packages are available:
JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:
  tomcat5-5.5.23-1.patch07.18.ep5.el4
JBoss Enterprise Web Server 5Server-JBEWS-5.0.0:
  tomcat5-5.5.23-0jpp.9.6.ep5.el5

RHEL JBoss: new tomcat6 packages.
New packages are available:
JBoss Enterprise Web Server 1.0.0 for RHEL 4 AS, for RHEL 4 ES:
  tomcat6-6.0.18-11.3.ep5.el4
JBoss Enterprise Web Server 1.0.0 for RHEL 5 Server:
  tomcat6-6.0.18-12.0.ep5.el5

RHEL: new JBoss packages.
New packages are available:
  JBoss Enterprise Application Platform 4.2.0.CP07
  JBoss Enterprise Application Platform 4.3.0.CP05

Solaris 10: patch for Oracle Java Web Console.
A patch is available:
  SPARC: 147673-04
  X86: 147674-04

Solaris: patch for Tomcat.
A patch is available:
  SPARC
    Solaris 9 : patch 114016-05
    Solaris 10 : patch 122911-17
    OpenSolaris : build snv_118
  x86
    Solaris 9 : patch 114017-05
    Solaris 10 : patch 122912-17
    OpenSolaris : build snv_118

SUSE: new packages (06/07/2009).
New packages are available, as indicated in information sources.

SUSE: new packages (07/04/2010).
New packages are available, as indicated in information sources.

VMware ESX, ESXi, VirtualCenter: solution.
The following versions are corrected:
VirtualCenter 4.0 Update 1
  http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1
VMware Virtual Center 2.5 Update 6
  http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6
ESXi 4.0 Update 1
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-155-20091116-013169/ESXi-4.0.0-update01.zip
ESXi 3.5
  http://download3.vmware.com/software/vi/ESXe350-201002401-O-SG.zip
ESX 4.0 Update 1
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-158-20091118-187517/ESX-4.0.0-update01.zip
  known problems: http://kb.vmware.com/kb/1016070
ESX 3.5
  http://download3.vmware.com/software/vi/ESX350-201002407-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201002402-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201002404-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip
ESX 3.0.3
  http://download3.vmware.com/software/vi/ESX303-201002204-UG.zip
  http://download3.vmware.com/software/vi/ESX303-201002206-UG.zip
  http://download3.vmware.com/software/vi/ESX303-201002205-UG.zip