In association with heise online

20 August 2008, 11:33

US-CERT warns of Tomcat vulnerability


The US-CERT warns of a directory traversal issue in Apache Tomcat that could allow access to arbitrary files on the server. The Apache Foundation have released updates to address this vulnerability. Apache Tomcat is a Java web server, designed for hosting Java servlets and JavaServer Pages.

The recently released version 6.0.18 addresses the directory traversal issue, whilst also fixing other vulnerabilities, including two cross-site scripting flaws and an information disclosure issue.

The developers explained that if a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF8" then a malformed request may give access to arbitrary files on the server.

The directory traversal problem affects Tomcat 4.1, 5 and 6. Users of Tomcat 4.1.0 to 4.1.37 should upgrade to 4.1.38. Tomcat 5.5.0 to 5.5.26 users should move to 5.5.27 and Tomcat 6.0.0 to 6.0.16 users should update to 6.0.18.
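As an added defender-side example (not from the article or from the Tomcat project), the following Python script checks a Tomcat configuration for the risky combination described above, allowLinking="true" on a context together with URIEncoding="UTF8" on a connector, and reports whether a given Tomcat version falls inside the affected ranges the article lists. The XML fragment is constructed for illustration, and treating the "UTF-8" spelling as equivalent to "UTF8" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from a real deployment).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF8"/>
    <Connector port="8443" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/legacy" docBase="legacy" allowLinking="true"/>
        <Context path="/app" docBase="app"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Fixed releases exactly as the article states them, keyed by branch.
FIXED_VERSIONS = {(4, 1): (4, 1, 38), (5, 5): (5, 5, 27), (6, 0): (6, 0, 18)}

def parse_version(text):
    return tuple(int(p) for p in text.strip().split("."))

def needs_upgrade(version_text):
    """Return the fixed release if the version is in an affected range, else None."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:  # branch not covered by the advisory
        return None
    return fixed if v < fixed else None

def utf8_connectors(root):
    # Assumption: treat the "UTF-8" spelling like the "UTF8" value named in the advisory.
    return [c for c in root.iter("Connector")
            if c.get("URIEncoding", "").replace("-", "").upper() == "UTF8"]

def linking_contexts(root):
    return [c for c in root.iter("Context")
            if c.get("allowLinking", "false").lower() == "true"]

def risky_config(xml_text):
    """Return (context paths, connector ports) when both conditions hold, else None."""
    root = ET.fromstring(xml_text)
    ctxs, conns = linking_contexts(root), utf8_connectors(root)
    if ctxs and conns:
        return [c.get("path") for c in ctxs], [c.get("port") for c in conns]
    return None

if __name__ == "__main__":
    print(risky_config(SAMPLE_SERVER_XML))  # (['/legacy'], ['8080'])
    print(needs_upgrade("6.0.16"))          # (6, 0, 18)
```

In a real deployment Context elements usually live in conf/context.xml or a web application's META-INF/context.xml rather than server.xml, so run the check over each of those files as well.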

The US-CERT says that it is aware of publicly available exploit code for the vulnerability.
