Published:2009/06/09  Last Updated:2016/11/02

JVN#63832775
Apache Tomcat information disclosure vulnerability

Overview

Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability.

Products Affected

  • Apache Tomcat 4.1.0 to 4.1.39
  • Apache Tomcat 5.5.0 to 5.5.27
  • Apache Tomcat 6.0.0 to 6.0.18
According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
For more information, refer to the developer's website.

Description

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
Apache Tomcat contains a vulnerability which may allow information disclosure or access to the contents contained in the WEB-INF directory.

Impact

A remote attacker could possibly obtain information such as configuration or user credentials contained in the application which resides under the WEB-INF directory.

Solution

Update the Software

Update to Apache Tomcat 6.0.20 according to the information provided by the developer.

For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, The Apache Tomcat Project has not yet released the latest versions resolving the vulnerability. Users of Apache Tomcat 5.5.x and 4.1.x should obtain the latest source code from svn, or update to Apache Tomcat 5.5.28 and 4.1.40 once they are released.

For more information, refer to the developer's website.

Vendor Status

Vendor Status Last Update Vendor Notes
BUFFALO INC. Not Vulnerable 2009/06/09
FUJITSU LIMITED Vulnerable 2015/10/09
Hitachi Not Vulnerable 2009/06/09
NEC Corporation Vulnerable 2016/11/01
Vendor Link
Apache Tomcat Security Updates
Apache Tomcat 4.x vulnerabilities(CVE-2008-5515)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.06.09

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures

Credit

Minehiko Iida and Yuichiro Suzuki of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2008-5515
JVN iPedia JVNDB-2009-000036

Update History

2015/10/21
FUJITSU LIMITED update status
2016/11/02
NEC Corporation update status