
CERT-In Advisory CIAD-2008-12
Duplicate Request-Processing and Information Disclosure Vulnerabilities in Apache Tomcat

Original issue date: February 15, 2008

Severity Rating: Medium

Systems Affected

•  Apache Tomcat versions 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and Apache Tomcat 4.x (cookie handling issue, CVE-2007-5333)
•  Apache Tomcat versions 6.0.5 through 6.0.15 and 5.5.11 through 5.5.25 (APR connector and request-parameter issues, CVE-2007-6286 and CVE-2008-0002)

Overview

Multiple vulnerabilities have been reported in Apache Tomcat which could be exploited by a remote attacker to disclose sensitive information (including session identifiers and request parameters belonging to other users) or to bypass security restrictions on the affected system.

Description

1. Cookie handling vulnerability in Apache Tomcat (CVE-2007-5333)

A vulnerability has been reported in Apache Tomcat due to an input validation error in the handling of double quote characters and of the sequence %5C (an encoded backslash) in cookie values. A crafted cookie value can confuse Tomcat's parsing of the cookie header, so that sensitive information such as session IDs can be disclosed to a remote attacker and then used for session hijacking.
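
The following Python script is an added illustration of the cookie-boundary problem behind item 1; it is not Tomcat's code and does not reproduce Tomcat's actual parser or fix. It contrasts a quote-aware Cookie header parser (one that honours backslash escapes inside quoted values, as an RFC 2109 parser would) with a parser that, like a browser, treats ';' as an unconditional boundary, and shows how a value containing \" lets the first parser absorb the JSESSIONID cookie that follows it. The header, the cookie names, the function names and the emit-side cookie-octet check (taken from RFC 6265) are this example's own constructions.

```python
"""Cookie-header boundary confusion (added illustration; not Tomcat's code).

A browser treats the Cookie request header as an opaque list and splits it
on ';'. A server-side parser that honours quoted-string syntax with
backslash escapes (as an RFC 2109 parser does) can read a crafted value
differently, letting one attacker-influenced cookie value swallow the
cookie that follows it, for example JSESSIONID.
"""
import re


def parse_quote_aware(header: str) -> dict:
    """Quote-aware parser of the kind that gets confused.

    Inside a value that starts with a double quote, a backslash escapes the
    next character and the value runs until the closing quote, even across
    ';' boundaries, so an unterminated quote eats the rest of the header.
    """
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":      # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':            # quoted-string value
            i += 1
            buf = []
            while i < n and header[i] != '"':
                if header[i] == "\\" and i + 1 < n:   # backslash escape
                    i += 1
                buf.append(header[i])
                i += 1
            i += 1                                # step past closing quote
            value = "".join(buf)
        else:                                     # bare token value
            end = header.find(";", i)
            end = n if end == -1 else end
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


def parse_boundary_safe(header: str) -> dict:
    """Browser-style parser: ';' always ends a cookie.

    Surrounding quotes are stripped but no escape processing is done, so a
    value can never extend past the next ';' and cannot absorb another
    cookie. (This is the example's own hardening, not Tomcat's fix.)
    """
    cookies = {}
    for piece in header.split(";"):
        name, sep, value = piece.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value
    return cookies


def session_leaked_into_other_cookie(cookies: dict, session_name: str = "JSESSIONID") -> bool:
    """True when the session cookie's text ended up inside another cookie's value."""
    return any(session_name + "=" in v for k, v in cookies.items() if k != session_name)


# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE, ',', ';', '\'.
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")


def check_set_cookie_value(value: str) -> str:
    """Emit-side check: refuse to put a value containing quotes, backslashes or
    separators into a Set-Cookie header, so the browser never stores a value
    that the request-side parser could misread."""
    if not _COOKIE_OCTET.match(value):
        raise ValueError("unsafe characters in cookie value: %r" % value)
    return value


if __name__ == "__main__":
    # Constructed header: the attacker-influenced cookie 'evil' carries \" and
    # is followed by the victim's session cookie.
    header = 'evil="\\"; JSESSIONID=ABC123'
    print("quote-aware  :", parse_quote_aware(header))
    print("boundary-safe:", parse_boundary_safe(header))
```

The emit-side check is the part an application can apply on its own: a server that never writes quotes, backslashes or separators into a Set-Cookie header gives the browser no value that the request-side parser can misread, regardless of which parser the container uses.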

2. Duplicate request processing vulnerability in Apache Tomcat (CVE-2007-6286)

The APR (Apache Portable Runtime) library is used by Tomcat's native connector to improve scalability and performance and to integrate with native server technologies such as OpenSSL.

A vulnerability has been reported in the native (APR based) connector in its handling of SSL connections. A remote attacker who connects to the SSL port and then disconnects without sending any data can cause Tomcat to process a duplicate copy of one of the recent requests.

3. Information disclosure vulnerability in Apache Tomcat (CVE-2008-0002)

A vulnerability has been reported in Apache Tomcat due to improper handling of exceptions raised while request parameters are being processed (for example when the client disconnects part-way through a request). When such an exception occurs, the parameters submitted with that request are not discarded and can be processed as part of a subsequent request, allowing a remote attacker to obtain potentially sensitive information submitted by other users.
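
The following Python script is an added illustration of the failure mode shared by items 2 and 3 (state from one request being carried into a subsequent request); it is not Tomcat's code, and the Request class, the handler functions and the request bodies are simplified stand-ins constructed for this example. A reusable Request object keeps a "parameters parsed" flag; if parsing is interrupted by a client disconnect and the object is not recycled on that error path, the next request served through the same object receives the previous client's parameters. The hardened variant recycles in a finally block so that every exit path resets the object.

```python
"""Request state carried over into the next request (added illustration;
not Tomcat's code).

Servers that pool and reuse per-connection Request objects must reset them
on every path out of request processing. If the reset is skipped when
parameter parsing is interrupted (for example by a client disconnect), the
next request served through the same object sees the previous client's
parameters. The Request and handler functions below are simplified
stand-ins written for this example.
"""
from urllib.parse import parse_qs


class ClientDisconnected(Exception):
    """Raised when fewer body bytes arrive than Content-Length announced."""


class Request:
    """Reusable request object with a 'parameters parsed' flag, like a pooled
    request in a connector processor."""

    def __init__(self):
        self.recycle()

    def recycle(self):
        """Reset all per-request state so the object can serve a new request."""
        self.params = {}
        self.parsed = False

    def parse_parameters(self, body: bytes, content_length: int) -> dict:
        """Parse application/x-www-form-urlencoded parameters.

        The flag is set as soon as parsing starts; a short read raises after
        whatever arrived has already been stored, mirroring a parser that
        fails part-way through.
        """
        if self.parsed:
            return self.params                       # cached for this request
        self.parsed = True
        self.params = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        if len(body) < content_length:
            raise ClientDisconnected(
                f"expected {content_length} body bytes, got {len(body)}")
        return self.params


def serve_vulnerable(req: Request, body: bytes, content_length: int) -> dict:
    """Recycle only on the success path: an exception skips the reset."""
    params = dict(req.parse_parameters(body, content_length))
    req.recycle()                                    # never reached on error
    return params


def serve_hardened(req: Request, body: bytes, content_length: int) -> dict:
    """Recycle on every exit, including the exception path."""
    try:
        return dict(req.parse_parameters(body, content_length))
    finally:
        req.recycle()


def run_scenario(serve) -> dict:
    """Two requests through one reused Request object; returns what the
    second request's handler sees as its parameters."""
    req = Request()
    # Request 1 (constructed): the victim posts a form, but only 21 of the
    # declared 40 bytes arrive before the connection drops.
    victim_partial = b"user=alice&token=s3cr"
    try:
        serve(req, victim_partial, content_length=40)
    except ClientDisconnected:
        pass                                         # connection closed, object reused
    # Request 2 (constructed): a different client posts its own form.
    attacker = b"user=mallory"
    return serve(req, attacker, content_length=len(attacker))


if __name__ == "__main__":
    print("vulnerable:", run_scenario(serve_vulnerable))
    print("hardened  :", run_scenario(serve_hardened))
```

With the vulnerable handler the second caller receives alice's partially received parameters; with the hardened handler it receives only its own. The same pattern applies to any pooled per-connection object (request, response, SSL buffer): reset it in the error path, not only after a completed request.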

Solution

Upgrade to the fixed versions provided by the vendor (Apache Tomcat 6.0.16 and 5.5.26 include fixes for all three issues):
http://tomcat.apache.org/download-60.cgi
http://tomcat.apache.org/download-55.cgi
http://tomcat.apache.org/download-41.cgi

Patches for Tomcat 4.x are available via SVN:
http://tomcat.apache.org/svn.html

Until the upgrade is applied, exposure to issue 2 can be reduced by not terminating SSL on the native (APR) connector, since the reported behaviour is specific to that connector; this does not address issues 1 and 3.

Vendor Information

Apache
http://tomcat.apache.org

References

FrSIRT
http://www.frsirt.com/english/advisories/2008/0488/products

Secunia
http://secunia.com/advisories/28878/

Apache Tomcat
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

Security-Focus
http://www.securityfocus.com/archive/1/487822/30/0/threaded
http://www.securityfocus.com/archive/1/archive/1/487812/100/0/threaded

CVE-Name
CVE-2007-5333
CVE-2007-6286
CVE-2008-0002

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003