-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-2526: Apache Tomcat Information disclosure and availability vulnerabilities

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.18
Tomcat 6.0.0 to 6.0.32
Tomcat 5.5.0 to 5.0.33
Previous, unsupported versions may be affected

Additionally, these vulnerabilities only occur when all of the following are true:
a) untrusted web applications are being used
b) the SecurityManager is used to limit the untrusted web applications
c) the HTTP NIO or HTTP APR connector is used
d) sendfile is enabled for the connector (this is the default)

Description:
Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet, and deployed web applications may use it directly by setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager:
a) return files to users that the security manager should make inaccessible
b) terminate (via a crash) the JVM

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions:
a) undeploy untrusted web applications
b) switch to the HTTP BIO connector (which does not support sendfile)
c) disable sendfile by setting useSendfile="false" on the connector
d) apply the patch(es) listed on the Tomcat security pages (see references)
e) upgrade to a version where the vulnerabilities have been fixed
   Tomcat 7.0.x users may upgrade to 7.0.19 or later once released
   Tomcat 6.0.x users may upgrade to 6.0.33 or later once released
   Tomcat 5.5.x users may upgrade to 5.5.34 or later once released

Example:
Exposing the first 1000 bytes of /etc/passwd:

    HttpServletRequest.setAttribute(
        "org.apache.tomcat.sendfile.filename", "/etc/passwd");
    HttpServletRequest.setAttribute(
        "org.apache.tomcat.sendfile.start", Long.valueOf(0));
    HttpServletRequest.setAttribute(
        "org.apache.tomcat.sendfile.end", Long.valueOf(1000));

Specifying an end point after the end of the file will trigger a JVM crash with the HTTP APR connector and an infinite loop with the HTTP NIO connector.

Credit:
These issues were identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOHbrCAAoJEBDAHFovYFnnUZsQANIh02dK4r0cYCwsD59Xvg0R
cCpx0MCzsrVBKU/fJ5nQtVTtZnOVfH2PnZBPFlYxQXpBCgIQh+ZIp9ntGdSNP0kH
e7XgHaG6NipfIPusnQyH8yYmcfRl4BDnQdHyrl1JqApDtqnzPJ4Re9SVQC5VymJP
i9DlvuV4atAdSCgOZzBb3+wMV0uoZqjXcUZrQEXCYBhtGFtOQM/JyMUa7iu5+FhI
AuUchlHw3N+nZ+b4QeXGdFowHMTlJoj0gv5eMCEMVfiaoM5COcaQYBRQxkbNhkfN
7zkcKKyDG2ARIJ7WB3Ncj7A4RfF2KY98q69px6RU2ho8umOycl32dw3wT1AtPWUx
3TkTgkN4FXDprCLp1r/csbYO15GSoI0selWzKxmOOuMIIamQ36HreUInZzXohuOJ
VSdR/LBekdfiLNkNtIwK7oeaZoYqPT14F15C+gkzw8a7ETzN6kyYwZz2+dnnWvxM
lV5WhEksulVfrfro6OBFI4k4KVyCq/QYRUH2WfyaRyUhRB8of6tnweB46upzzoAU
+YtyLPimURofJbcw4Ut4VBvjVJTdts3air32vCKxpfnjdn9Gd3GH3phjrsYzJHTl
fg3RcqrmV9I0gxLn5oWIMx17gOGpFOgSwMyGgm/WEJLyiEV5suSPFVjMFq3znj+7
zAlePYK10YSe5XiZ9g8F
=MeHU
-----END PGP SIGNATURE-----
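The Description and Example sections above come down to three request attributes that the connector trusted without checking: the file name was not confined to the web application, and the start/end offsets were not compared against the file's real length. The filter below is an added illustration of that missing validation, written for this page; it is not Tomcat code and not the patch referenced in the Mitigation section (the real fix is the upgrade or the connector settings listed there). It assumes a standard Servlet 2.5/3.0 container with an exploded docBase and that the filter is mapped to the untrusted web application's requests in web.xml; the class name, the rollback behaviour and the error messages are choices made here.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical defence-in-depth filter (not part of Tomcat): wraps the request so
 * that every sendfile attribute an application sets is validated against the
 * web application's own document root and the target file's real byte range.
 */
public class SendfileAttributeFilter implements Filter {

    static final String FILENAME = "org.apache.tomcat.sendfile.filename";
    static final String START    = "org.apache.tomcat.sendfile.start";
    static final String END      = "org.apache.tomcat.sendfile.end";

    private File docBase;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Canonicalise the docBase once; later path checks compare against it.
        String root = cfg.getServletContext().getRealPath("/");
        if (root == null) {
            throw new ServletException("sendfile validation needs an exploded docBase");
        }
        try {
            docBase = new File(root).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException(e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new Guard((HttpServletRequest) req), res);
    }

    @Override
    public void destroy() { }

    /** Checks the current sendfile triple; throws IllegalArgumentException if it is unsafe. */
    void checkSendfileAttributes(ServletRequest r) {
        Object fn = r.getAttribute(FILENAME);
        Long start = asNonNegativeLong(r.getAttribute(START), START);
        Long end   = asNonNegativeLong(r.getAttribute(END), END);
        if (start != null && end != null && start > end) {
            throw new IllegalArgumentException("start " + start + " is after end " + end);
        }
        if (fn == null) {
            return; // a range alone cannot be checked until the file is known
        }
        if (!(fn instanceof String)) {
            throw new IllegalArgumentException(FILENAME + " is not a String");
        }
        File f;
        try {
            // Under a SecurityManager a SecurityException from here also fails closed.
            f = new File((String) fn).getCanonicalFile();
        } catch (IOException e) {
            throw new IllegalArgumentException("cannot canonicalise " + fn, e);
        }
        // The canonical path must be a regular file strictly inside the docBase,
        // which is what stops "/etc/passwd" and "../" variants.
        if (!f.getPath().startsWith(docBase.getPath() + File.separator) || !f.isFile()) {
            throw new IllegalArgumentException(fn + " is outside the web application");
        }
        long length = f.length();
        if (end != null && end > length) {
            // Exactly the "end point after the end of the file" case in the advisory.
            throw new IllegalArgumentException("end " + end + " is beyond file length " + length);
        }
    }

    private static Long asNonNegativeLong(Object v, String name) {
        if (v == null) {
            return null;
        }
        if (!(v instanceof Long)) {
            throw new IllegalArgumentException(name + " is not a Long");
        }
        long n = (Long) v;
        if (n < 0) {
            throw new IllegalArgumentException(name + " is negative");
        }
        return n;
    }

    /** Request wrapper that validates after every change to a sendfile attribute. */
    private final class Guard extends HttpServletRequestWrapper {
        Guard(HttpServletRequest request) {
            super(request);
        }

        @Override
        public void setAttribute(String name, Object value) {
            if (!FILENAME.equals(name) && !START.equals(name) && !END.equals(name)) {
                super.setAttribute(name, value);
                return;
            }
            Object previous = super.getAttribute(name);
            super.setAttribute(name, value);
            try {
                checkSendfileAttributes(this);
            } catch (IllegalArgumentException e) {
                // Roll back so the connector never sees the rejected value, then fail the caller.
                if (previous == null) {
                    super.removeAttribute(name);
                } else {
                    super.setAttribute(name, previous);
                }
                throw new IllegalArgumentException("rejected " + name + ": " + e.getMessage(), e);
            }
        }
    }
}
```

Because the three attributes are set one call at a time, the check re-reads all three after each change rather than validating a single value in isolation; with the advisory's example, the filename call is rejected as soon as it is made, and an end offset past the file length is rejected even when the filename is legitimate. The DefaultServlet's own internal use of sendfile is unaffected because it only points at files inside the docBase.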