Vulnerabilities in Apache Tomcat
The Apache Tomcat developers have released patches to fix three vulnerabilities in their implementations of the Java Servlet and JavaServer Pages technologies. When Tomcat receives a request with invalid headers via the Java AJP connector, it closes the connection without returning an error message. In load-balancing environments an attacker can exploit this behaviour to mount a denial of service (DoS) attack.
In certain cases, due to insufficient error checking in some authentication classes, an attacker may be able to confirm whether a user name is valid by brute force, using illegally encoded URLs. A confirmed user name could then serve as the starting point for further attacks on the system.
Thirdly, a cross-site scripting (XSS) vulnerability in the calendar application, part of the examples web application, allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."
According to the reports, Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27 and Tomcat 4.1.0 to 4.1.39 are affected. Version 6.0.20 fixes the problems. Versions 5.5.28 and 4.1.40 of Tomcat are also reported to fix the bugs, but they have yet to be released. Alternatively, patches have been provided and are available to download.
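The user-enumeration issue described above comes down to error handling that differs depending on whether the user name exists. The following added example (not Tomcat's own authenticator code; the user store, method names and the "weak" pattern are constructed for illustration) contrasts a login check whose failure paths diverge on a malformed URL-encoded value with one that decodes up front and returns the same outcome for every kind of failure:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class UniformLoginCheck {
    // Constructed user store for this example; a real deployment uses a Realm.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse");

    /** Constructed weak pattern: an unknown user fails early and quietly, but a
     *  known user reaches URLDecoder, which throws on an illegal %-escape. The
     *  resulting difference in responses confirms whether the user name exists. */
    public static boolean leakyAuthenticate(String user, String rawPass) {
        if (!USERS.containsKey(user)) {
            return false;                       // unknown user: plain "login failed"
        }
        String pass = URLDecoder.decode(rawPass, StandardCharsets.UTF_8); // may throw
        return USERS.get(user).equals(pass);    // known user: exception on bad encoding
    }

    /** Hardened form: decode before any lookup, map decoding errors onto the same
     *  generic failure, and always run the password comparison so that neither the
     *  response nor the control flow depends on whether the user exists. */
    public static boolean authenticate(String rawUser, String rawPass) {
        String user;
        String pass;
        try {
            user = URLDecoder.decode(rawUser, StandardCharsets.UTF_8);
            pass = URLDecoder.decode(rawPass, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false;                       // malformed escape == ordinary failed login
        }
        boolean known = USERS.containsKey(user);
        String expected = USERS.getOrDefault(user, "");
        boolean match = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                pass.getBytes(StandardCharsets.UTF_8));
        return known && match;
    }

    public static void main(String[] args) {
        String badlyEncoded = "%zz";            // constructed illegal %-escape
        System.out.println("hardened, unknown user:  " + authenticate("mallory", badlyEncoded));
        System.out.println("hardened, known user:    " + authenticate("alice", badlyEncoded));
        System.out.println("hardened, valid login:   " + authenticate("alice", "correct%20horse"));
        System.out.println("weak, unknown user:      " + leakyAuthenticate("mallory", badlyEncoded));
        try {
            System.out.println("weak, known user:        " + leakyAuthenticate("alice", badlyEncoded));
        } catch (IllegalArgumentException e) {
            System.out.println("weak, known user:        exception -> " + e.getMessage());
        }
    }
}
```

With the hardened check, the two failure cases print the same `false`, whereas the weak pattern answers an unknown user with `false` and a known user with an exception. The same principle applies to any authentication path: decode and validate every input before it can influence which branch is taken, and collapse all failures into one response.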
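Reflecting a request parameter such as `time` into the generated page without validation or encoding is what makes an XSS like the one above possible. The added example below is not the calendar application's code; the regular expression and the markup are a constructed illustration of the two defences a page author would want: a whitelist check on the value's shape, followed by HTML escaping of anything that is echoed back.

```java
import java.util.regex.Pattern;

public class SafeCalendarRender {
    // Constructed policy: a time parameter must look like HH:MM, nothing else.
    private static final Pattern TIME = Pattern.compile("^([01]\\d|2[0-3]):[0-5]\\d$");

    /** Escape the characters that let a value break out of HTML text or an attribute. */
    public static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Constructed unsafe pattern: the parameter is concatenated straight into markup. */
    public static String renderUnsafe(String timeParam) {
        return "<input type=\"text\" name=\"time\" value=\"" + timeParam + "\">";
    }

    /** Hardened form: reject values that are not a time at all, and escape
     *  even the accepted value on output (defence in depth). */
    public static String renderTimeField(String timeParam) {
        if (timeParam == null || !TIME.matcher(timeParam).matches()) {
            return "<input type=\"text\" name=\"time\" value=\"\">";
        }
        return "<input type=\"text\" name=\"time\" value=\"" + htmlEscape(timeParam) + "\">";
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate time and two that try to break out of the attribute.
        String[] inputs = { "09:30", "<b>x</b>", "\" autofocus onfocus=\"x" };
        for (String in : inputs) {
            System.out.println("input:    " + in);
            System.out.println("unsafe:   " + renderUnsafe(in));
            System.out.println("hardened: " + renderTimeField(in));
            System.out.println("escaped:  " + htmlEscape(in));
            System.out.println();
        }
    }
}
```

The unsafe renderer emits the second and third inputs verbatim, so the browser treats them as markup; the hardened renderer drops them because they fail the whitelist, and `htmlEscape` shows what the output would look like if the value had to be echoed anyway. In a JSP the same escaping is normally obtained from a tag library rather than hand-written, but the ordering (validate, then encode on output) is the point.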
- Apache Tomcat denial of service vulnerability, security advisory from Apache.
- Apache Tomcat User enumeration vulnerability with FORM authentication, security advisory from Apache.