VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2009-56
Apache Tomcat mod_jk Content Length Information Disclosure Vulnerability

Original Issue Date: April 17, 2009

Severity Rating: Medium

Systems Affected

  • Apache Tomcat 4.x
  • Apache Tomcat 5.x
  • Apache Tomcat mod_jk 1.2.0 through 1.2.26

Overview

A vulnerability has been reported in Apache Tomcat mod_jk, which could allow remote attackers to disclose sensitive information.

Description

mod_jk is a Tomcat-Apache plug-in that handles the communication between Tomcat and Apache.

This vulnerability exists because of an error in how Apache Tomcat mod_jk handles empty POST requests that carry a non-zero "Content-Length" header. A remote attacker could exploit it to obtain response data belonging to a different user's request by sending a quick series of requests with a specially crafted Content-Length value but no request body.

Successful exploitation of this vulnerability could allow a remote attacker to potentially view responses for a different user's request.

Solution

Update to Apache Tomcat mod_jk 1.2.27 or later.
http://tomcat.apache.org/security-jk.html
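An added inventory check, not part of this note or of the Apache project: it classifies hosts against the affected range stated above (mod_jk 1.2.0 through 1.2.26, fixed in 1.2.27) by reading the mod_jk version from each server's banner. It assumes the banner carries a "mod_jk/x.y.z" token, which Apache httpd only emits when ServerTokens is Full; the host names and banners are constructed sample input.

```python
import re
from typing import Dict, Optional, Tuple

# Version bounds taken from CIVN-2009-56.
AFFECTED_MIN = (1, 2, 0)
FIXED_IN = (1, 2, 27)

# Assumption: the Server banner exposes a "mod_jk/x.y.z" token. httpd only
# emits it with ServerTokens Full, so a missing token means "unknown", not "safe".
_MODJK_RE = re.compile(r"mod_jk/(\d+)\.(\d+)\.(\d+)")


def parse_modjk_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract the mod_jk version tuple from a Server banner, or None if absent."""
    m = _MODJK_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(banner: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one Server banner.

    Only an explicit version at or above 1.2.27 counts as fixed. Versions the
    note does not cover (below 1.2.0) and unparseable banners are 'unknown'
    so they get manual follow-up instead of silently passing.
    """
    ver = parse_modjk_version(banner)
    if ver is None or ver < AFFECTED_MIN:
        return "unknown"
    if ver < FIXED_IN:
        return "affected"
    return "fixed"


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its verdict, given a dict of host -> Server banner."""
    return {host: assess(banner) for host, banner in hosts.items()}


# Constructed sample banners; these are not real hosts.
SAMPLE_HOSTS = {
    "app1.example": "Apache/2.2.11 (Unix) mod_jk/1.2.26",
    "app2.example": "Apache/2.2.11 (Unix) mod_jk/1.2.27",
    "app3.example": "Apache/2.2.11 (Unix) mod_jk/1.2.28",
    "app4.example": "Apache",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```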

Vendor Information

Apache Software Foundation
http://mail-archives.apache.org/mod_m...box/%3C49DBBAC0.2080400@apache.org%3E

http://tomcat.apache.org/security-jk.html

References

Apache Software Foundation
http://mail-archives.apache.org/mod_m...box/%3C49DBBAC0.2080400@apache.org%3E

http://tomcat.apache.org/security-jk.html
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=490201

Secunia
http://secunia.com/advisories/34621

SecurityFocus
http://www.securityfocus.com/bid/34412/info

SecurityTracker
http://securitytracker.com/alerts/2009/Apr/1022001.html

CVE Name
CVE-2008-5519

CWE Name
CWE-200

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003