Published: 2008/10/10   Last Updated: 2015/10/21

JVN#30732239
Apache Tomcat allows access from a non-permitted IP address

Overview

Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-permitted IP address to gain access.

Products Affected

  • Apache Tomcat 4.1.0 to 4.1.31
  • Apache Tomcat 5.5.0

According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
It is confirmed that Apache Tomcat 6.0.x is not affected.

Description

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context.

Impact

Impact varies depending on which protected context the non-permitted IP address accesses. For example, information disclosure may be possible as a result.

Solution

Update the Software
Apply the latest updates provided by the developer.
The following versions contain a fix for this vulnerability.

  • Apache Tomcat 4.1.32 and later
  • Apache Tomcat 5.5.1 and later

For more information, refer to the developer's website.

Vendor Status

Vendor           Status          Last Update  Vendor Notes
FUJITSU LIMITED  Vulnerable      2015/10/13
Hitachi          Not Vulnerable  2009/06/14
NEC Corporation  Vulnerable      2009/06/09

Vendor Link
The Apache Software Foundation Security Updates
ASF Bugzilla - Bug 25835

JPCERT/CC Addendum

This vulnerability was addressed and solved in ASF Bugzilla - Bug 25835. However, there was no description of this vulnerability in ASF Bugzilla - Bug 25835. Therefore, the Apache Tomcat Development Team decided to publish an advisory regarding this issue.

Credit

Kenichi Tsukamoto of Development Dept. II, Application Management Middleware Div., FUJITSU LIMITED reported this vulnerability to IPA.
JPCERT/CC coordinated with The Apache Software Foundation and the vendors under the Information Security Early Warning Partnership.

Other Information

CVE CVE-2008-3271
JVN iPedia JVNDB-2008-000069

Update History

2015/10/21
FUJITSU LIMITED update status