Published: 2009/02/26  Last Updated: 2015/10/21

JVN#66905322
Apache Tomcat information disclosure vulnerability

Overview

Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability.

Products Affected

  • Apache Tomcat 4.1.32 to 4.1.34
  • Apache Tomcat 5.5.10 to 5.5.20
According to the developer, the unsupported Apache Tomcat 3.x, 4.0.x and 5.0.x branches may also be affected. The developer has confirmed that Apache Tomcat 6.0.x is not affected.

Description

Apache Tomcat from The Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
Apache Tomcat contains a vulnerability that may cause the body of a previous request's POST to be disclosed in the processing of a later request. The fix was tracked by the developer as ASF Bugzilla - Bug 40771.

Impact

A remote attacker could obtain data that other users submitted in POST requests, such as passwords, session IDs and user IDs.

Solution

Update the Software
Apply the latest update provided by the developer.
The following versions contain a fix for this vulnerability.

  • Apache Tomcat 4.1.35 and later
  • Apache Tomcat 5.5.21 and later
  • Apache Tomcat 6.0.0 and later
For more information, refer to the developer's website.
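The following Python script is an added example for this advisory; it is not code from JVN, JPCERT/CC or the Apache Tomcat project. It encodes the version ranges from Products Affected and Solution above and classifies the version string that `catalina.sh version` prints (that script runs the Tomcat class org.apache.catalina.util.ServerInfo, whose first line has the form "Server version: Apache Tomcat/5.5.20"). The ServerInfo output embedded in the script is constructed for the example, not a capture, and the file name in the usage line is an assumption.

```python
"""Triage an Apache Tomcat version against JVN#66905322 / CVE-2008-4308.

Added example for this advisory, not code from JVN, JPCERT/CC or the Apache
Tomcat project. Encodes the "Products Affected" and "Solution" lists and
classifies the version string printed by `catalina.sh version`.
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges per branch, from "Products Affected".
AFFECTED = {
    (4, 1): ((4, 1, 32), (4, 1, 34)),
    (5, 5): ((5, 5, 10), (5, 5, 20)),
}
# First release per branch that contains the fix, from "Solution".
FIXED_FROM = {
    (4, 1): (4, 1, 35),
    (5, 5): (5, 5, 21),
}
# Every release from 6.0.0 onwards contains the fix.
FIXED_FROM_ANY_BRANCH = (6, 0, 0)
# Unsupported branches the developer says "may also be affected".
UNSUPPORTED_MAYBE = {(3,), (4, 0), (5, 0)}

VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+){0,2})")


def parse_version(text: str) -> Optional[Version]:
    """Extract x.y.z after 'Apache Tomcat/'; pad short versions with zeros."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def classify(version: Version) -> str:
    """Return one of: affected, fixed, 'unsupported, may be affected', 'not listed'."""
    if version >= FIXED_FROM_ANY_BRANCH:
        return "fixed"
    branch = version[:2]
    if branch in AFFECTED:
        low, high = AFFECTED[branch]
        if low <= version <= high:
            return "affected"
        if version >= FIXED_FROM[branch]:
            return "fixed"
        # Earlier than the affected range (e.g. 5.5.9): the advisory does not list it.
        return "not listed"
    if (version[0],) in UNSUPPORTED_MAYBE or branch in UNSUPPORTED_MAYBE:
        return "unsupported, may be affected"
    return "not listed"


def triage(server_info_output: str) -> str:
    """Classify the Tomcat version found in ServerInfo-style output."""
    version = parse_version(server_info_output)
    if version is None:
        return "unknown"
    return classify(version)


# Constructed sample in the shape of `catalina.sh version` output (not a real capture).
SAMPLE_SERVERINFO = """Server version: Apache Tomcat/5.5.20
Server number:  5.5.20.0
OS Name:        Linux
"""

if __name__ == "__main__":
    # Pass "-" to read real `catalina.sh version` output from stdin.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_SERVERINFO
    version = parse_version(data)
    shown = ".".join(map(str, version)) if version else "?"
    print(f"Apache Tomcat {shown}: {triage(data)}")
```

Usage on a host (file name assumed): `$CATALINA_HOME/bin/catalina.sh version | python3 tomcat_jvn66905322.py -`. The verdict is only as good as the version string: a build that a distributor patched without bumping the version reports the old number, and a version in the affected range says nothing about whether the deployment actually accepts POST bodies on the path the advisory concerns, so treat "affected" as a prompt to update rather than as proof of exposure.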

Vendor Status

Vendor                         Status                          Last Update   Vendor Notes
BUFFALO INC.                   Not Vulnerable                  2009/02/26
FUJITSU LIMITED                Vulnerable                      2015/10/09
Hitachi                        Not Vulnerable                  2009/02/26
NEC Corporation                Not Vulnerable, investigating   2009/06/09
Yokogawa Electric Corporation  Not Vulnerable, investigating   2009/02/26
Vendor Link
The Apache Software Foundation Security Updates
ASF Bugzilla - Bug 40771

References

JPCERT/CC Addendum

This vulnerability was fixed under ASF Bugzilla - Bug 40771. However, that bug report did not describe the security impact of the issue, so the Apache Tomcat development team decided to publish an advisory for it.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.02.26

Measure                    Condition                                                                                      Severity
Access Required            can be attacked over the Internet using packets                                                High
Authentication             anonymous or no authentication (IP addresses do not count)                                     High
User Interaction Required  the vulnerability can be exploited without an honest user taking any action                    High
Exploit Complexity         expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise)    Low-Mid

Description of each analysis measure

Credit

Yuichiro Suzuki and Minehiko Iida of Development Dept. II, Application Management Middleware Div., FUJITSU LIMITED reported this vulnerability to IPA.
JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2008-4308
JVN iPedia JVNDB-2009-000010

Update History

2014/10/27
FUJITSU LIMITED status updated
2015/10/21
FUJITSU LIMITED status updated