Published:2005/09/30  Last Updated:2015/10/21

JVN#79314822
Tomcat vulnerable in request processing

Overview

Apache Tomcat, an implementation of the Java Servlet and JavaServer Pages technologies, contains a vulnerability in processing specific requests.

Products Affected

  • Apache Tomcat 4.1.36 or prior version connected to a web server using the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector)
  • Apache Tomcat 4.1.29 or prior version, or 5.0.16 or prior version, connected to a web server using any Connector

Description

Apache Tomcat, an implementation of the Java Servlet and JavaServer Pages technologies, contains a vulnerability in processing specific requests.

The Apache Software Foundation currently does not support AJP 1.3 Connector, and recommends the use of Coyote JK Connector instead. It also recommends users to upgrade from Tomcat 4.x to Tomcat 5.x.

To avoid this vulnerability, use the connectors other than AJP 1.3 Connector when connecting Apache Tomcat to a web server. Apache Tomcat supports Coyote JK Connector and Coyote HTTP/1.1 Connector.

The Information-technology Promotion Agency, Japan (IPA) has created the patch for AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector) for Tomcat 4.1.31. The patch is available at the links in the References.

[Updated on 2008/06/19]
Note that the old version of Coyote Connector is vulnerable to this issue.
Use the latest version of the supported connector.

Impact

A remote attacker could execute an illegal request using other users' information or view other users' information.

Solution

Update the Software
Update the product to the latest version according to the information provided by the vendor.

Vendor Status

Vendor Status Last Update Vendor Notes
FUJITSU LIMITED Vulnerable 2015/10/13
nec Vulnerable 2006/06/27

References

  1. IPA
    Vulnerability in Apache Tomcat AJP 1.3 Connector could Allow Retrieving Residual Information

JPCERT/CC Addendum

When first published, the following information was described under the section "Products Affected"

  • Apache Tomcat 4.1.31 and earlier connected to a web server using the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector)
Later it turned out that the Coyote Connector has been fixed in Tomcat 4.1.30 / 5.0.18, and we revised "Products Affected" section.

Vulnerability Analysis by JPCERT/CC

Credit

HIRT (Hitachi Incident Response Team) reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2005-3164
JVN iPedia JVNDB-2005-000804

Update History

2015/10/13
FUJITSU LIMITED update status
2015/10/21
FUJITSU LIMITED update status