From: ma...@apache.org
Subject: Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Date: Thu, 05 Mar 2009 12:45:10 +0100

> nambo.k...@oss.ntt.co.jp wrote:
> > Hi, Mark.
> > 
> >> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
> > I checked Tomcat 5.0.x source code and I've found that 
> > org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
> > Does this mean Tomcat 5.0.x is not affected by this vulnerability?
> 
> I would assume so but haven't confirmed this as 5.0.x is unsupported.

OK, I understand.

BTW I've found a typo in the security reports.
  http://tomcat.apache.org/security-5.html
  http://tomcat.apache.org/security-4.html
    low: Information disclosure CVE-2008-4308 
    Bug 40711 may result in the disclosure of POSTed .....

40711 -> 40771.

Best regards,
Kazu Nambo



> 
> Mark
> 
> > 
> > Advice, please.
> > Kazu Nambo
> > 
> > 
> > From: ma...@apache.org
> > Subject: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
> > Date: Wed, 25 Feb 2009 23:17:37 +0000
> > 
> > CVE-2008-4308: Tomcat information disclosure vulnerability
> > 
> > Severity: Low
> > 
> > Vendor:
> > The Apache Software Foundation
> > 
> > Versions Affected:
> > Tomcat 4.1.32 to 4.1.34
> > Tomcat 5.5.10 to 5.5.20
> > Tomcat 6.0.x is not affected
> > The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
> > 
> > Note: Although this vulnerability affects relatively old versions of
> > Apache Tomcat, it was only discovered and reported to the Apache Tomcat
> > Security team in October 2008. Publication of this issue was then
> > postponed until now at the request of the reporter.
> > 
> > Description:
> > Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
> > result in the disclosure of POSTed content from a previous request. For
> > a vulnerability to exist the content read from the input stream must be
> > disclosed, eg via writing it to the response and committing the
> > response, before the ArrayIndexOutOfBoundsException occurs which will
> > halt processing of the request.
> > 
> > Mitigation:
> > Upgrade to:
> > 4.1.35 or later
> > 5.5.21 or later
> > 6.0.0 or later
> > 
> > Example:
> > See original bug report for example of how to create the error condition.
> > 
> > Credit:
> > This issue was discovered by Fujitsu and reported to the Tomcat Security
> > Team via JPCERT.
> > 
> > References:
> > http://tomcat.apache.org/security.html
> > 
> > Mark Thomas
> 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
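The advisory quoted above gives exact affected and fixed versions (4.1.32 to 4.1.34, fixed in 4.1.35; 5.5.10 to 5.5.20, fixed in 5.5.21; 6.0.x not affected; 3.x, 4.0.x and 5.0.x unsupported and possibly affected). As an added example that is not part of this thread or of the Tomcat project, the following Python helper encodes those ranges so an operator can check an inventory of Tomcat version strings against the advisory. It assumes versions are given as `major.minor.patch` with an optional `-suffix`; all sample version strings are constructed.

```python
"""Assess Tomcat version strings against the CVE-2008-4308 advisory ranges.

Added example; the ranges below are copied from the advisory text, the
version-string format is an assumption made here.
"""

from typing import Tuple

# (lowest affected, highest affected, first fixed release), per the advisory.
AFFECTED_RANGES = [
    ((4, 1, 32), (4, 1, 34), (4, 1, 35)),
    ((5, 5, 10), (5, 5, 20), (5, 5, 21)),
]

# Unsupported branches the advisory says "may be also affected"; there is
# no fixed release on these branches, only a move to a supported one.
UNSUPPORTED_POSSIBLY_AFFECTED = ((3,), (4, 0), (5, 0))


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing '-suffix' (e.g. '-beta') is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def assess(version_text: str) -> dict:
    """Return the advisory status for one version and, if fixed, the release to upgrade to."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        # Tuple comparison orders (major, minor, patch) lexicographically.
        if low <= v <= high:
            return {
                "version": version_text,
                "status": "affected",
                "upgrade_to": ".".join(str(n) for n in fixed),
            }
    for prefix in UNSUPPORTED_POSSIBLY_AFFECTED:
        if v[: len(prefix)] == prefix:
            return {
                "version": version_text,
                "status": "unsupported-possibly-affected",
                "upgrade_to": None,
            }
    return {"version": version_text, "status": "not-affected", "upgrade_to": None}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ("4.1.33", "5.5.15", "5.5.21", "6.0.18", "5.0.28"):
        print(assess(sample))
```

Versions outside the listed ranges on supported branches (for example 5.5.9 or 4.1.35) are reported as not affected exactly as the advisory states; the helper deliberately does not widen the ranges beyond what the advisory text supports.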