VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2009-28
Apache Tomcat Information Disclosure Vulnerability

Original Issue Date: March 04, 2009

Severity Rating: Low

Systems Affected

  • Apache Tomcat 4.1.32 to 4.1.34
  • Apache Tomcat 5.5.10 to 5.5.20

Overview

An Information Disclosure vulnerability has been identified in Apache Tomcat which could allow remote attackers to disclose sensitive information.

Description

This vulnerability is caused by improper handling of certain error conditions in the 'doRead' method of Apache Tomcat. It can be exploited by remote attackers to disclose the contents of previous POST requests.

Solutions

For Apache Tomcat 4.x, upgrade to version 4.1.35 or later
For Apache Tomcat 5.x, upgrade to version 5.5.21 or later
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
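A small check for whether an installed Tomcat falls inside the affected ranges listed in this note, and which fixed release to move to. This is an added example, not code from CERT-In or the Apache Tomcat project: it parses the version string Tomcat itself prints (for example the "Apache Tomcat/5.5.17" line from bin/version.sh) and compares it numerically, because a plain string comparison would wrongly place 5.5.9 after 5.5.10. The sample version strings are constructed.

```python
import re

# Affected ranges (inclusive) and the fixed release for each branch,
# taken from the Systems Affected and Solutions sections of this note.
AFFECTED_RANGES = [
    ((4, 1, 32), (4, 1, 34), "4.1.35"),
    ((5, 5, 10), (5, 5, 20), "5.5.21"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) as integers from a Tomcat version string
    such as 'Apache Tomcat/5.5.17'. Returns None when no x.y.z is present,
    e.g. for a Server header that does not reveal the version."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def check_tomcat(banner):
    """Return (affected, fixed_version). fixed_version is None when the
    version is outside every affected range or could not be parsed."""
    version = parse_version(banner)
    if version is None:
        return (False, None)
    for low, high, fixed in AFFECTED_RANGES:
        # Tuple comparison is element-wise and numeric, so (5, 5, 9) < (5, 5, 10).
        if low <= version <= high:
            return (True, fixed)
    return (False, None)


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    samples = [
        "Server version: Apache Tomcat/5.5.17",
        "Server version: Apache Tomcat/5.5.9",
        "Server version: Apache Tomcat/4.1.34",
        "Server version: Apache Tomcat/5.5.21",
        "Server: Apache-Coyote/1.1",
    ]
    for s in samples:
        affected, fixed = check_tomcat(s)
        status = f"AFFECTED, upgrade to {fixed} or later" if affected else "not in an affected range"
        print(f"{s!r}: {status}")
```

The last sample shows the practical caveat: Tomcat's HTTP Server header does not normally carry the release number, so the version must be read on the host (bin/version.sh, or the build information in the installation itself) rather than inferred from a banner.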

Vendor Information

Apache Software Foundation
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html

References

Apache Software Foundation Bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=40771

JPCERT/CC JVN
http://jvn.jp/en/jp/JVN66905322/index.html

Secunia
http://secunia.com/advisories/34057

SecurityFocus
http://www.securityfocus.com/archive/1/501250

VUPEN
http://www.vupen.com/english/advisories/2009/0541

CVE Name
CVE-2008-4308

CWE Name
CWE-200

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003