Apache Tomcat 5.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 5.x. Each vulnerability is given a
security impact rating by the Apache
Tomcat security team - please note that this rating may vary from
platform to platform. We also list the versions of Apache Tomcat the flaw
is known to affect; where a flaw has not been verified, the version is
listed with a question mark.
Please send comments or corrections for these vulnerabilities to the
Tomcat Security Team.
Please note that Tomcat 5.0.x is no longer supported. Further
vulnerabilities in the 5.0.x branch will not be fixed. Users should
upgrade to 5.5.x or 6.x to obtain security fixes. Vulnerabilities fixed
in Tomcat 5.5.26 onwards have not been assessed to determine if they are
present in the 5.0.x branch.
Not fixed in Apache Tomcat 5.5.x
Note: It is expected that this issue will be fixed in 5.5.29 but the
patch has not yet received the necessary votes to be applied to the 5.5.x
code base.
Low: Insecure default password
CVE-2009-3548
The Windows installer defaults to a blank password for the administrative
user. If this is not changed during the install process, then by default
a user is created with the name admin, roles admin and manager and a
blank password.
Affects: 5.5.0-5.5.28
Fixed in Apache Tomcat 5.5.28
Important: Information Disclosure
CVE-2008-5515
When using a RequestDispatcher obtained from the Request, the target path
was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it under the WEB-INF directory.
This was fixed in revision 782757 and revision 783291.
Affects: 5.5.0-5.5.27
Important: Denial of Service
CVE-2009-0033
If Tomcat receives a request with invalid headers via the Java AJP
connector, it does not return an error and instead closes the AJP
connection. If this connector is a member of a mod_jk load balancing
worker, this member will be put into an error state and will be blocked
from use for approximately one minute. This behaviour can therefore be
used for a denial of service attack using a carefully crafted request.
This was fixed in revision 781362.
Affects: 5.5.0-5.5.27
low: Information disclosure
CVE-2009-0580
Due to insufficient error checking in some authentication classes, Tomcat
allows for the enumeration (brute force testing) of user names by
supplying illegally URL encoded passwords. The attack is possible if FORM
based authentication (j_security_check) is used with the MemoryRealm.
Note that in early versions, the DataSourceRealm and JDBCRealm were also
affected.
This was fixed in revision 781379.
Affects: 5.5.0-5.5.27 (MemoryRealm), 5.5.0-5.5.5 (DataSourceRealm and JDBCRealm)
low: Cross-site scripting
CVE-2009-0781
The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.
This was fixed in revision 750928.
Affects: 5.5.0-5.5.27
low: Information disclosure
CVE-2009-0783
Bugs 29936 and 45933 allowed a web application to replace the XML parser
used by Tomcat to process web.xml, context.xml and tld files. In limited
circumstances these bugs may allow a rogue web application to view and/or
alter the web.xml, context.xml and tld files of other web applications
deployed on the Tomcat instance.
This was fixed in revisions 681156 and 781542.
Affects: 5.5.0-5.5.27
Fixed in Apache Tomcat 5.5.27
low: Cross-site scripting
CVE-2008-1232
The message argument of the HttpServletResponse.sendError() call is not
only displayed on the error page, but is also used for the reason phrase
of the HTTP response. This may include characters that are illegal in HTTP
headers. It is possible for a specially crafted message to result in
arbitrary content being injected into the HTTP response. For a successful
XSS attack, unfiltered user supplied data must be included in the message
argument.
This was fixed in revision 680947.
Affects: 5.5.0-5.5.26
low: Cross-site scripting
CVE-2008-1947
The Host Manager web application did not escape user provided data before
including it in the output. This enabled an XSS attack. This application
now filters the data before use. This issue may be mitigated by logging
out of the application (closing the browser) once the management tasks
have been completed.
This was fixed in revision 662583.
Affects: 5.5.9-5.5.26
important: Information disclosure
CVE-2008-2370
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locating it under the WEB-INF
directory.
This was fixed in revision 680949.
Affects: 5.5.0-5.5.26
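As an added illustration (not Tomcat's own code) of the ordering flaw shared by CVE-2008-2370 and CVE-2008-5515 above, the following Python uses simplified stand-ins for Tomcat's path normalisation and access check to show why the query string must be split off before the target path is normalised; the target string is constructed for the example.

```python
"""Added example, not Tomcat's code: simplified stand-ins for the
RequestDispatcher target handling behind CVE-2008-2370 / CVE-2008-5515."""

# Constructed dispatcher target: the path the application meant is
# /app/page.jsp; the request parameter merely happens to contain '..'.
CONSTRUCTED_TARGET = "/app/page.jsp?id=/../../WEB-INF/web.xml"


def normalise(path):
    """Collapse '.' and '..' segments. Returns None if the path climbs
    above the context root (a simplified version of Tomcat's normalize())."""
    segs = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segs:
                return None
            segs.pop()
            continue
        segs.append(seg)
    return "/" + "/".join(segs)


def split_query(target):
    path, _sep, query = target.partition("?")
    return path, query


def resolve_flawed(target):
    """Pre-fix order: normalise the whole string, then strip the query.
    The '..' inside the parameter is treated as part of the path."""
    norm = normalise(target)
    return split_query(norm) if norm is not None else (None, "")


def resolve_fixed(target):
    """Fixed order: strip the query first, so parameter content can
    never move the target path."""
    path, query = split_query(target)
    return normalise(path), query


def protected_by_constraint(path):
    """Stand-in for the access decision (security constraint or WEB-INF
    rule); it must be applied to a path resolved in the fixed order."""
    return path is None or path.upper().startswith("/WEB-INF")
```

With the flawed order the resolved path lands in WEB-INF and the query string disappears; with the fixed order the path stays at /app/page.jsp and the parameter is carried through untouched.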
Fixed in Apache Tomcat 5.5.26
low: Session hi-jacking
CVE-2007-5333
The previous fix for CVE-2007-3385 was incomplete. It did not consider the
use of quotes or %5C within a cookie value.
Affects: 5.5.0-5.5.25
low: Elevated privileges
CVE-2007-5342
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict
this configuration and allows an untrusted web application to add files
or overwrite existing files where the Tomcat process has the necessary
file permissions to do so.
Affects: 5.5.9-5.5.25
important: Information disclosure
CVE-2007-5461
When Tomcat's WebDAV servlet is configured for use with a context and
has been enabled for write, some WebDAV requests that specify an entity
with a SYSTEM tag can result in the contents of arbitrary files being
returned to the client.
Affects: 5.5.0-5.5.25
important: Data integrity
CVE-2007-6286
When using the native (APR based) connector, connecting to the SSL port
using netcat and then disconnecting without sending any data will cause
Tomcat to handle a duplicate copy of one of the recent requests.
Affects: 5.5.11-5.5.25
Fixed in Apache Tomcat 5.5.25, 5.0.SVN
low: Cross-site scripting
CVE-2007-2449
JSPs within the examples web application did not escape user provided
data before including it in the output. This enabled an XSS attack. These
JSPs now filter the data before use. This issue may be mitigated by
undeploying the examples web application. Note that it is recommended
that the examples web application is not installed on a production
system.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
low: Cross-site scripting
CVE-2007-2450
The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled an XSS
attack. These applications now filter the data before use. This issue may
be mitigated by logging out of the application (closing the browser) once
the management tasks have been completed.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
low: Session hi-jacking
CVE-2007-3382
Tomcat incorrectly treated a single quote character (') in a cookie
value as a delimiter. In some circumstances this led to the leaking of
information such as the session ID to an attacker.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
low: Session hi-jacking
CVE-2007-3385
Tomcat incorrectly handled the character sequence \" in a cookie value.
In some circumstances this led to the leaking of information such as the
session ID to an attacker.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
low: Cross-site scripting
CVE-2007-3386
The Host Manager Servlet did not filter user supplied data before
display. This enabled an XSS attack.
Affects: 5.5.0-5.5.24
Fixed in Apache Tomcat 5.5.24, 5.0.SVN
moderate: Cross-site scripting
CVE-2007-1355
The JSP and Servlet included in the sample application within the Tomcat
documentation webapp did not escape user provided data before including
it in the output. This enabled an XSS attack. These pages have been
simplified so that they no longer use any user provided data in the output.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.23
Fixed in Apache Tomcat 5.5.23, 5.0.SVN
important: Information disclosure
CVE-2005-2090
Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and Tomcat)
process a sequence of requests where one or more requests contain
multiple content-length headers, and several components do not
reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web cache, perform
an XSS attack and obtain sensitive information from requests other than
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.22
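The following Python is an added, defender-side illustration (not Tomcat's code) of the rule the CVE-2005-2090 fix adopts: a request head carrying more than one Content-Length header is refused with 400 rather than guessed at. It goes one step beyond the page by also refusing a single Content-Length value that contains a comma, since RFC 7230 treats a repeated field as a comma-joined list and the same ambiguity results; the sample request heads are constructed for the example.

```python
"""Added example, not Tomcat's code: reject request heads whose body
length is ambiguous, the condition behind CVE-2005-2090."""

# Constructed sample: two conflicting Content-Length headers in one head.
DUPLICATE_CL_REQUEST = (
    b"POST /app/login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"content-length: 28\r\n"
    b"\r\n"
    b"a=1&b=2"
)
# Constructed sample: a well-formed head with a single Content-Length.
CLEAN_REQUEST = (
    b"POST /app/login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"a=10"
)


def parse_head(raw):
    """Return (status, headers) for the request head in raw.

    status 400 means the request must be rejected; headers maps
    lower-cased field names to the list of values seen, in order."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, {}
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return 400, {}
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    lengths = headers.get(b"content-length", [])
    # The fix described on the page: any repeated Content-Length is
    # rejected outright, even if the values agree, so every hop in the
    # chain reaches the same decision about where the body ends.
    if len(lengths) > 1:
        return 400, headers
    # Beyond the page: a comma-joined or non-numeric value is the same
    # ambiguity in a single field, so it is rejected as well.
    if lengths and (b"," in lengths[0] or not lengths[0].isdigit()):
        return 400, headers
    return 200, headers
```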
Fixed in Apache Tomcat 5.5.22, 5.0.SVN
important: Directory traversal
CVE-2007-0450
The fix for this issue was insufficient. A fix was also required in the
JK connector module for httpd. See CVE-2007-1860 for further information.
Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used
behind a proxy (including, but not limited to, Apache HTTP server with
mod_proxy and mod_jk) configured to only proxy some contexts, an HTTP request
containing strings like "/\../" may allow attackers to work around the context
restriction of the proxy, and access the non-proxied contexts.
The following Java system properties have been added to Tomcat to provide
additional control of the handling of path delimiters in URLs (both options
default to false):
- org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH : true|false
- org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH : true|false
Because it is impossible to guarantee that all URLs are handled by Tomcat as
they are in proxy servers, Tomcat should always be secured as if no proxy
restricting context access was used.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.21
Fixed in Apache Tomcat 5.5.21, 5.0.SVN
low: Cross-site scripting
CVE-2007-1358
Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
the Accept-Language header value conforms to RFC 2616. Under normal
circumstances this would not be possible to exploit, however older
versions of Flash player were known to allow carefully crafted malicious
Flash files to make requests with such custom headers. Tomcat now ignores
invalid values for Accept-Language headers that do not conform to RFC
2616.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.20
Fixed in Apache Tomcat 5.5.21
moderate: Session hi-jacking
CVE-2008-0128
When using the SingleSignOn Valve via https, the JSESSIONIDSSO cookie is
transmitted without the "secure" attribute, resulting in it also being
transmitted to any content that is requested via http from the same
server, whether by design or by mistake.
Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20
low: Information disclosure
CVE-2008-4308
Bug 40771 may result in the disclosure of POSTed content from a previous
request. For a vulnerability to exist, the content read from the input
stream must be disclosed, e.g. by writing it to the response and committing
the response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.
Affects: 5.5.10-5.5.20 (5.0.x unknown)
Fixed in Apache Tomcat 5.5.18, 5.0.SVN
moderate: Cross-site scripting
CVE-2006-7195
The implicit-objects.jsp in the examples webapp displayed a number of
unfiltered header values. This enabled an XSS attack. These values are now
filtered.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.17
Fixed in Apache Tomcat 5.5.17, 5.0.SVN
important: Information disclosure
CVE-2007-1858
The default SSL configuration permitted the use of insecure cipher suites
including the anonymous cipher suite. The default configuration no
longer permits the use of insecure cipher suites.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.16
Fixed in Apache Tomcat 5.5.16, 5.0.SVN
low: Cross-site scripting
CVE-2006-7196
The calendar application included as part of the JSP examples is
susceptible to a cross-site scripting attack as it does not escape
user provided data before including it in the returned page.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.15
Fixed in Apache Tomcat 5.5.13, 5.0.SVN
low: Directory listing
CVE-2006-3835
This is expected behaviour when directory listings are enabled. The
semicolon (;) is the separator for path parameters so inserting one
before a file name changes the request into a request for a directory
with a path parameter. If directory listings are enabled, a directory
listing will be shown. In response to this and other directory listing
issues, directory listings were changed to be disabled by default.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.12
important: Denial of service
CVE-2005-3510
The root cause is the relatively expensive calls required to generate
the content for the directory listings. If directory listings are
enabled, the number of files in each directory should be kept to a
minimum. In response to this issue, directory listings were changed to
be disabled by default. Additionally, a patch has been proposed that
would improve performance, particularly for large directories, by
caching directory listings.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.12
Fixed in Apache Tomcat 5.5.7, 5.0.SVN
low: Cross-site scripting
CVE-2005-4838
Various JSPs included as part of the JSP examples and the Tomcat Manager
are susceptible to a cross-site scripting attack as they do not escape
user provided data before including it in the returned page.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.6
Fixed in Apache Tomcat 5.5.1
low: Information disclosure
CVE-2008-3271
Bug 25835 can, in rare circumstances - this has only been reproduced
using a debugger to force a particular processing sequence for two threads -
allow a user from a non-permitted IP address to gain access to a context
that is protected with a valve that extends RequestFilterValve. This includes
the standard RemoteAddrValve and RemoteHostValve implementations.
Affects: 5.5.0 (5.0.x unknown)
Not a vulnerability in Tomcat
JavaMail information disclosure
CVE-2005-1754
The vulnerability described is in the web application deployed on Tomcat
rather than in Tomcat.
JavaMail information disclosure
CVE-2005-1753
The vulnerability described is in the web application deployed on Tomcat
rather than in Tomcat.
important: Directory traversal
CVE-2008-2938
Originally reported as a Tomcat vulnerability, the root cause of this
issue is that the JVM does not correctly decode UTF-8 encoded URLs to
UTF-8. This exposes a directory traversal vulnerability when the
connector uses URIEncoding="UTF-8". This directory traversal
is limited to the docBase of the web application.
If a context is configured with allowLinking="true" then the
directory traversal vulnerability is extended to the entire file system
of the host server.
It should also be noted that setting
useBodyEncodingForURI="true" has the same effect as setting
URIEncoding="UTF-8" when processing requests with bodies
encoded with UTF-8.
Although the root cause was quickly identified as a JVM issue that
affected multiple JVMs from multiple vendors, it was decided to report
this as a Tomcat vulnerability until such time as the JVM vendors
provided updates to resolve this issue. For further information on the
status of this issue for your JVM, contact your JVM vendor.
A workaround was implemented in revision 681029 that protects against
this and any similar character encoding issues that may still exist in
the JVM. This workaround is included in Tomcat 5.5.27 onwards.