In association with heise online

04 June 2009, 16:15

Vulnerabilities in Apache Tomcat


The Apache Tomcat developers have released patches to fix three vulnerabilities in their implementation of the Java Servlet and JavaServer Pages technologies. When Tomcat receives a request with invalid headers via the Java AJP connector, it closes the AJP connection instead of returning an error response. In a load-balanced setup, the front end (mod_jk, for example) treats the dropped connection as a backend failure and temporarily takes that Tomcat instance out of rotation, so an attacker can knock workers offline with a few crafted requests: a denial of service (DoS).

In certain cases, due to insufficient error checking in some authentication classes, an attacker can confirm whether a user name is valid: a login attempt with an illegally URL-encoded password produces a different response depending on whether the user name exists, which allows valid account names to be enumerated by brute force. Attackers could use the resulting list of accounts as a starting point for further attacks, such as password guessing against known users.
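To make the enumeration oracle concrete, here is an added Python illustration of the bug class, not Tomcat's realm code: an authentication routine that only decodes the submitted password once it has found the user, so a malformed percent-escape raises (an HTTP 500 in servlet terms) for existing accounts and fails quietly for unknown ones. The user store, salt, password digests and the strict decoder are constructed for the example; the hardened variant decodes first, turns decoding errors into an ordinary login failure, and does the same work for unknown names.

```python
"""Username-enumeration oracle from asymmetric error handling.

Added illustration of the bug class, not Tomcat's own realm code. The
user store, salt and the strict decoder below are constructed for the
example (Python's urllib.parse.unquote passes bad escapes through, while
java.net.URLDecoder throws on them, which is the behaviour being modelled).
"""
import hashlib
import hmac


def _digest(password: str) -> str:
    """Salted SHA-256 of a password; the salt is a constructed constant."""
    return hashlib.sha256(b"example-salt:" + password.encode()).hexdigest()


# Constructed user store: username -> password digest.
USERS = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}


def strict_url_decode(s: str) -> str:
    """Decode %XX escapes and '+', raising ValueError on a malformed escape."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "%":
            hexpart = s[i + 1:i + 3]
            if len(hexpart) != 2 or any(ch not in "0123456789abcdefABCDEF" for ch in hexpart):
                raise ValueError(f"malformed escape at offset {i}")
            out.append(int(hexpart, 16))
            i += 3
        elif c == "+":
            out.append(0x20)
            i += 1
        else:
            out += c.encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Looks the user up first and decodes the password only for a known
    user, so a malformed password raises (HTTP 500) only when the name
    exists; unknown names get a normal login failure instead."""
    stored = USERS.get(username)
    if stored is None:
        return False
    decoded = strict_url_decode(password)  # raises for existing users only
    return hmac.compare_digest(stored, _digest(decoded))


def authenticate_hardened(username: str, password: str) -> bool:
    """Same steps for every request: decode first, map a decoding error to
    an ordinary failure, and hash even for unknown users so the visible
    outcome does not depend on whether the name is valid."""
    try:
        decoded = strict_url_decode(password)
    except ValueError:
        return False
    stored = USERS.get(username, _digest(""))  # placeholder digest for unknown names
    return hmac.compare_digest(stored, _digest(decoded)) and username in USERS


def probe(auth, username: str, password: str) -> str:
    """What the attacker observes: 'ok', 'denied', or 'error' (the 500)."""
    try:
        return "ok" if auth(username, password) else "denied"
    except ValueError:
        return "error"


if __name__ == "__main__":
    for name in ("alice", "mallory"):
        print(name, "vulnerable:", probe(authenticate_vulnerable, name, "%zz"),
              "hardened:", probe(authenticate_hardened, name, "%zz"))
```

Against the vulnerable routine, the malformed password `%zz` yields `error` for `alice` and `denied` for `mallory`, which is the oracle; the hardened routine answers `denied` to both.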

Thirdly, a cross-site scripting (XSS) vulnerability in the calendar application, part of the examples web application shipped with Tomcat, allows remote attackers to inject arbitrary web script or HTML via the time parameter. The page does filter its output, but the surrounding HTML is invalid, which renders the filtering ineffective. The examples web application is not meant for production servers and should be removed from them regardless of this fix.
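The combination of an escaping filter and invalid HTML is worth seeing in working code. The following is an added Python illustration of that pattern, not the original cal2.jsp from the examples application: the filter, the input markup and the sample time values are constructed. A value escaped for `<`, `>`, `&` and `"` is placed into an attribute without quotes, so the browser ends the attribute at the first space and anything after it becomes a new attribute, including an event handler; quoting the attribute lets the same filter do its job.

```python
"""Output filtering defeated by invalid HTML (an unquoted attribute).

Added illustration of the bug class, not Tomcat's cal2.jsp. The escaping
filter, the rendered markup and the payloads are constructed.
"""
from html.parser import HTMLParser


def html_filter(s: str) -> str:
    """Typical escaping filter for the characters that break out of text
    and quoted attributes. Spaces and '=' are untouched, which is all an
    unquoted attribute needs to be broken out of."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def render_time_field_vulnerable(time_value: str) -> str:
    """Escaped value in an unquoted attribute (invalid HTML): the browser
    ends the attribute at the first space, so ' onmouseover=...' becomes
    a second attribute."""
    return f'<input type="text" name="time" value={html_filter(time_value)}>'


def render_time_field_hardened(time_value: str) -> str:
    """Same filter, quoted attribute: the filter's handling of '"' now
    keeps the whole value inside the attribute."""
    return f'<input type="text" name="time" value="{html_filter(time_value)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.attrs = {}  # attribute name -> unescaped value (or None)

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    """Parse the rendered field and return its attributes."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if any on* attribute (an injected script handler) ended up in the tag."""
    return any(name.startswith("on") for name in parsed_input_attrs(markup))


if __name__ == "__main__":
    payload = "8am onmouseover=alert(1)"  # constructed value for the time parameter
    for render in (render_time_field_vulnerable, render_time_field_hardened):
        markup = render(payload)
        print(render.__name__, "->", markup)
        print("  parsed attributes:", parsed_input_attrs(markup),
              "| handler injected:", has_event_handler(markup))
```

The check parses the rendered tag with the standard library's HTML parser rather than grepping for the payload, which is the difference that matters here: the filter never let a `<` or `"` through, yet the unquoted form still ends up with an `onmouseover` attribute.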

According to the reports, Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27 and Tomcat 4.1.0 to 4.1.39 are affected. Version 6.0.20 fixes the problems. Versions 5.5.28 and 4.1.40 reportedly also fix the bugs, but have yet to be released; in the meantime, patches for those branches have been provided and are available for download.
