Apache Tomcat

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat Jk Connectors. Each vulnerability is given a security impact rating by the Apache Tomcat security team - please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat JK Connectors the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

important: Information disclosure CVE-2008-5519

Situations where faulty clients set Content-Length without providing data, or where a user submits repeated requests very quickly, may permit one user to view the response associated with a different user's request.

This was fixed in revision 702540.

Affects: JK 1.2.0-1.2.26
Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30, 5.5.0-5.5.27

important: Information disclosure CVE-2007-1860

The issue is related to CVE-2007-0450, the patch for which was insufficient.

When multiple components (firewalls, caches, proxies and Tomcat) process a request, the request URL should not get decoded multiple times in an iterative way by these components. Otherwise it might be possible to pass access control rules implemented on front of the last component by applying multiple URL encoding to the request.

mod_jk before version 1.2.23 by default decoded request URLs inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. This made it possible to pass a prefix JkMount for /someapp, but actually access /otherapp on Tomcat. Starting with version 1.2.23 by default mod_jk forwards the original unchanged request URL to Tomcat. You can achieve the same level of security for older versions by setting the forwarding option "JkOption ForwardURICompatUnparsed".

Please note, that your configuration might contain a different forwarding JkOption. In this case, please consult the forwarding documentation concerning the security implications. The new default setting is more secure than before, but it breaks interoperability with mod_rewrite.

Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)
Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30, 5.5.0-5.5.23

critical: Arbitrary code execution and denial of service CVE-2007-0774

An unsafe memory copy in the URI handler for the native JK connector could result in a stack overflow condition which could be leveraged to execute arbitrary code or crash the web server.

Affects: JK 1.2.19-1.2.20
Source shipped with: Tomcat 4.1.34, 5.5.20

important: Information disclosure CVE-2006-7197

The Tomcat AJP connector contained a bug that sometimes set a too long length for the chunks delivered by send_body_chunks AJP messages. Bugs of this type can cause mod_jk to read beyond buffer boundaries and thus reveal sensitive memory information to a client.

Affects: JK 1.2.0-1.2.15
Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30, 5.5.0-5.5.16