Apache Tomcat

Apache Tomcat APR/native Connector vulnerabilities

This page lists all security vulnerabilities fixed in released versions of the Apache Tomcat APR/native Connector. Each vulnerability is given a security impact rating by the Apache Tomcat security team; please note that this rating may vary from platform to platform. We also list the versions of the Apache Tomcat APR/native Connector the flaw is known to affect; where a flaw has not been verified against a version, that version is listed with a question mark.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.


Not a vulnerability in the Apache Tomcat APR/native Connector

TLS SSL Man In The Middle CVE-2009-3555

A vulnerability exists in the TLS protocol that allows an attacker to inject arbitrary requests into a TLS stream during renegotiation.

The TLS implementation used by Tomcat varies with connector. The APR/native connector uses OpenSSL.

The APR/native connector is vulnerable if the OpenSSL version used is vulnerable. Note: Building with OpenSSL 0.9.8l will disable all renegotiation and protect against this vulnerability.

From 1.1.18 onwards, client-initiated renegotiations are rejected, which provides partial protection against this vulnerability with any OpenSSL version.

Users should be aware that the impact of disabling renegotiation will vary with both application and client. In some circumstances disabling renegotiation may result in some clients being unable to access the application.
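Added example (not code from the Tomcat project or from this page): a Python triage script that applies the rules stated above to a Tomcat startup log, so an operator can check an APR/native deployment against CVE-2009-3555 from the library versions it reports. The log-line patterns and the sample lines are assumed and constructed, not captured from a real server; the remark that OpenSSL 0.9.8m and later implement RFC 5746 comes from OpenSSL's changelog, not from this page.

```python
import re

# Thresholds taken from the advisory text above.
TCNATIVE_REJECTS_CLIENT_RENEG = (1, 1, 18)  # rejects client-initiated renegotiation
OPENSSL_RENEG_DISABLED = "0.9.8l"           # OpenSSL build that disables renegotiation

# Log line shapes are assumed (modelled on Tomcat's APR startup messages); adjust to your logs.
TCNATIVE_RE = re.compile(r"Apache Tomcat Native library (\d+\.\d+\.\d+)")
OPENSSL_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]*)")

def openssl_key(ver):
    """Sortable key for an OpenSSL version: '0.9.8k' -> (0, 9, 8, 11); letters read base-26."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {ver!r}")
    letters = 0
    for ch in m.group(4):
        letters = letters * 26 + (ord(ch) - ord("a") + 1)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), letters)

def triage(log_lines):
    """Apply the advisory's rules for CVE-2009-3555 to Tomcat startup log lines."""
    tcnative = openssl = None
    for line in log_lines:
        if m := TCNATIVE_RE.search(line):
            tcnative = tuple(int(p) for p in m.group(1).split("."))
        if m := OPENSSL_RE.search(line):
            openssl = m.group(1)
    if tcnative is None or openssl is None:
        raise ValueError("APR/native or OpenSSL banner not found in log")
    rejects_client_reneg = tcnative >= TCNATIVE_REJECTS_CLIENT_RENEG
    key, disabled = openssl_key(openssl), openssl_key(OPENSSL_RENEG_DISABLED)
    if key < disabled:
        openssl_status = "vulnerable (renegotiation enabled, before 0.9.8l)"
    elif key == disabled:
        openssl_status = "renegotiation disabled (0.9.8l)"
    else:  # 0.9.8m+ implement RFC 5746 secure renegotiation (OpenSSL changelog, not this page)
        openssl_status = "secure renegotiation (0.9.8m or later)"
    if key >= disabled:
        verdict = "MITIGATED"
    elif rejects_client_reneg:
        verdict = "PARTIAL: client-initiated renegotiation rejected, OpenSSL still vulnerable"
    else:
        verdict = "VULNERABLE"
    return {"tcnative": tcnative, "openssl": openssl, "openssl_status": openssl_status,
            "rejects_client_reneg": rejects_client_reneg, "verdict": verdict}

# Constructed sample startup lines (not captured from a real server).
SAMPLE_LOG = ["INFO: Loaded APR based Apache Tomcat Native library 1.1.20.",
              "INFO: OpenSSL successfully initialized with version OpenSSL 0.9.8k 25 Mar 2009"]
```

Run `triage(SAMPLE_LOG)` to see the verdict for the constructed log; feed it your own catalina.out lines to check a real deployment.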



Copyright © 1999-2012, The Apache Software Foundation
Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are trademarks of the Apache Software Foundation.