JVN#66905322
Apache Tomcat information disclosure vulnerability
Overview
Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability.
Products Affected
- Apache Tomcat 4.1.32 to 4.1.34
- Apache Tomcat 5.5.10 to 5.5.20
Description
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
Apache Tomcat contains a vulnerability which may result in the disclosure of POSTed content from a previous request.
Impact
A remote attacker could possibly obtain user credentials such as passwords, session IDs, user IDs, etc.
Solution
Update the Software
Apply the latest update provided by the developer.
The following versions contain a fix for this vulnerability.
- Apache Tomcat 4.1.35 and later
- Apache Tomcat 5.5.21 and later
- Apache Tomcat 6.0.0 and later
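As an added example that is not part of the JVN advisory, the following Python check classifies Tomcat version banners against the affected and fixed ranges listed above; it compares versions numerically (so 5.5.9 sorts below 5.5.10) and accepts either a bare version or the "Server version:" line that Tomcat's org.apache.catalina.util.ServerInfo prints (that input format is an assumption of this example).

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ranges taken from the advisory above; both bounds are inclusive.
AFFECTED_RANGES = (
    ((4, 1, 32), (4, 1, 34)),
    ((5, 5, 10), (5, 5, 20)),
)

# First dotted number in the text, e.g. "5.5.20" in "Apache Tomcat/5.5.20".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a version such as '5.5.20', 'Apache Tomcat/5.5.20' or
    'Server version: Apache Tomcat/5.5.20' (assumed banner format) and
    return major.minor.patch as ints so that comparison is numeric,
    not lexical ('5.5.9' < '5.5.10')."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad or truncate to three components; '5.5' is treated as 5.5.0.
    return (parts + (0, 0, 0))[:3]


def is_affected(text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(banners: Iterable[str]) -> Dict[str, str]:
    """Label each inventory banner as affected, fixed/unaffected, or unknown
    (unparseable), so hosts can be prioritised for the update above."""
    result: Dict[str, str] = {}
    for banner in banners:
        try:
            result[banner] = "affected" if is_affected(banner) else "fixed or unaffected"
        except ValueError:
            result[banner] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample banners, not real inventory data.
    for banner, verdict in triage(["5.5.20", "Apache Tomcat/4.1.35", "6.0.0"]).items():
        print(f"{banner}: {verdict}")
```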
Vendor Status
Vendor | Status | Last Update | Vendor Notes
---|---|---|---
BUFFALO INC. | Not Vulnerable | 2009/02/26 |
FUJITSU LIMITED | Vulnerable | 2015/10/09 |
Hitachi | Not Vulnerable | 2009/02/26 |
NEC Corporation | Not Vulnerable, investigating | 2009/06/09 |
Yokogawa Electric Corporation | Not Vulnerable, investigating | 2009/02/26 |

Vendor | Link
---|---
The Apache Software Foundation | Security Updates
 | ASF Bugzilla - Bug 40771
References
JPCERT/CC Addendum
This vulnerability was addressed and fixed in ASF Bugzilla - Bug 40771. However, there was no description of this vulnerability in ASF Bugzilla - Bug 40771. Therefore, the Apache Tomcat Development Team has decided to publish an advisory regarding this issue.
Vulnerability Analysis by JPCERT/CC
Analyzed on 2009.02.26
Measures | Conditions | Severity
---|---|---
Access Required | can be attacked over the Internet using packets |
Authentication | anonymous or no authentication (IP addresses do not count) |
User Interaction Required | the vulnerability can be exploited without an honest user taking any action |
Exploit Complexity | expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise) |
Credit
Yuichiro Suzuki and Minehiko Iida of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA.
JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.
Other Information
Source | Reference
---|---
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2008-4308
JVN iPedia | JVNDB-2009-000010
Update History
- 2014/10/27
  - FUJITSU LIMITED update status
- 2015/10/21
  - FUJITSU LIMITED update status