[gentoo-announce] [ GLSA 200804-10 ] Tomcat: Multiple vulnerabilities

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 200804-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Severity: Normal

Title: Tomcat: Multiple vulnerabilities

Date: April 10, 2008

Bugs: #196066, #203169

ID: 200804-10

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Synopsis

========

 

Multiple vulnerabilities in Tomcat may lead to local file overwriting,

session hijacking or information disclosure.

 

Background

==========

 

Tomcat is the Apache Jakarta Project's official implementation of Java

Servlets and Java Server Pages.

 

Affected packages

=================

 

-------------------------------------------------------------------

Package / Vulnerable / Unaffected

-------------------------------------------------------------------

1 www-servers/tomcat < 6.0.16 *>= 5.5.26

>= 6.0.16

 

Description

===========

 

The following vulnerabilities were reported:

 

* Delian Krustev discovered that the JULI logging component does not

properly enforce access restrictions, allowing web application to add

or overwrite files (CVE-2007-5342).

 

* When the native APR connector is used, Tomcat does not properly

handle an empty request to the SSL port, which allows remote

attackers to trigger handling of a duplicate copy of one of the

recent requests (CVE-2007-6286).

 

* If the processing or parameters is interrupted, i.e. by an

exception, then it is possible for the parameters to be processed as

part of later request (CVE-2008-0002).

 

* An absolute path traversal vulnerability exists due to the way that

WebDAV write requests are handled (CVE-2007-5461).

 

* Tomcat does not properly handle double quote (") characters or %5C

(encoded backslash) sequences in a cookie value, which might cause

sensitive information such as session IDs to be leaked to remote

attackers and enable session hijacking attacks (CVE-2007-5333).

 

Impact

======

 

These vulnerabilities can be exploited by:

 

* a malicious web application to add or overwrite files with the

permissions of the user running Tomcat.

 

* a remote attacker to conduct session hijacking or disclose

sensitive data.

 

Workaround

==========

 

There is no known workaround at this time.

 

Resolution

==========

 

All Tomcat 5.5.x users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=www-servers/tomcat-5.5.26"

 

All Tomcat 6.0.x users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.16"

 

References

==========

 

[ 1 ] CVE-2007-5333

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333

[ 2 ] CVE-2007-5342

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342

[ 3 ] CVE-2007-5461

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461

[ 4 ] CVE-2007-6286

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286

[ 5 ] CVE-2008-0002

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002

 

Availability

============

 

This GLSA and any updates to it are available for viewing at

the Gentoo Security Website:

 

http://security.gentoo.org/glsa/glsa-200804-10.xml

 

Concerns?

=========

 

Security is a primary focus of Gentoo Linux and ensuring the

confidentiality and security of our users machines is of utmost

importance to us. Any security concerns should be addressed to

security ( -at -) gentoo.org or alternatively, you may file a bug at

http://bugs.gentoo.org.

 

License

=======

 

Copyright 2008 Gentoo Foundation, Inc; referenced text

belongs to its owner(s).

 

The contents of this document are licensed under the

Creative Commons - Attribution / Share Alike license.

 

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.7 (GNU/Linux)

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

 

iD8DBQFH/nmcuhJ+ozIKI5gRAk+nAJ9SMo2Jk36Rr/PlKrcTZKdN6FRMRACfRiMb

7XB1ijwAgFlz/AFeRTg8IME=

=UKUb

-----END PGP SIGNATURE-----

--