JVN#30732239
Apache Tomcat allows access from a non-permitted IP address
Overview
Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-permitted IP address to gain access.
Products Affected
- Apache Tomcat 4.1.0 to 4.1.31
- Apache Tomcat 5.5.0
It is confirmed that Apache Tomcat 6.0.x is not affected.
Description
Apache Tomcat from The Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context.
Impact
The impact varies depending on which context is accessed from the non-permitted IP address. For example, information disclosure may be possible as a result.
Solution
Update the Software
Apply the latest updates provided by the developer.
The following versions contain a fix for this vulnerability.
- Apache Tomcat 4.1.32 and later
- Apache Tomcat 5.5.1 and later
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
FUJITSU LIMITED | Vulnerable | 2015/10/13 | |
Hitachi | Not Vulnerable | 2009/06/14 | |
NEC Corporation | Vulnerable | 2009/06/09 | |
Vendor | Link |
---|---|
The Apache Software Foundation | Security Updates |
The Apache Software Foundation | ASF Bugzilla - Bug 25835 |
References
JPCERT/CC Addendum
This vulnerability was addressed and resolved in ASF Bugzilla - Bug 25835. However, that bug report contains no description of this vulnerability. Therefore, the Apache Tomcat Development Team has decided to publish an advisory regarding this issue.
Vulnerability Analysis by JPCERT/CC
Credit
Kenichi Tsukamoto of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA.
JPCERT/CC coordinated with The Apache Software Foundation and the vendors under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2008-3271 |
JVN iPedia | JVNDB-2008-000069 |
Update History
- 2015/10/21
- FUJITSU LIMITED update status