Content
Apache Tomcat 5.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 5.x. Each vulnerability is given a
security impact rating by the Apache
Tomcat security team — please note that this rating may vary from
platform to platform. We also list the versions of Apache Tomcat the flaw
is known to affect, and where a flaw has not been verified list the
version with a question mark.
Note: Vulnerabilities that are not Tomcat vulnerabilities
but have either been incorrectly reported against Tomcat or where Tomcat
provides a workaround are listed at the end of this page.
Please note that Tomcat 5.0.x and 5.5.x are no longer supported.
Further vulnerabilities in the 5.0.x and 5.5.x branches will not be
fixed. Users should upgrade to 8.5.x or later to obtain security fixes.
Vulnerabilities fixed in Tomcat 5.5.26 onwards have not been assessed to
determine if they are present in the 5.0.x branch.
Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 5.5 those are
building.html
in documentation (webapps/tomcat-docs
subdirectory of
a binary distributive) and BUILDING.txt
file in a source
distributive.
If you need help on building or configuring Tomcat or other help on
following the instructions to mitigate the known vulnerabilities listed
here, please send your questions to the public
Tomcat Users mailing list
If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has security
impact, or if the descriptions here are incomplete,
please report them privately to the
Tomcat Security Team. Thank you.
Table of Contents
- Fixed in Apache Tomcat 5.5.36
- Fixed in Apache Tomcat 5.5.35
- Fixed in Apache Tomcat 5.5.34
- Fixed in Apache Tomcat 5.5.32
- Fixed in Apache Tomcat 5.5.30
- Fixed in Apache Tomcat 5.5.29
- Fixed in Apache Tomcat 5.5.28
- Fixed in Apache Tomcat 5.5.27
- Fixed in Apache Tomcat 5.5.26
- Fixed in Apache Tomcat 5.5.25, 5.0.SVN
- Fixed in Apache Tomcat 5.5.24, 5.0.SVN
- Fixed in Apache Tomcat 5.5.23, 5.0.SVN
- Fixed in Apache Tomcat 5.5.22, 5.0.SVN
- Fixed in Apache Tomcat 5.5.21, 5.0.SVN
- Fixed in Apache Tomcat 5.5.21
- Fixed in Apache Tomcat 5.5.18, 5.0.SVN
- Fixed in Apache Tomcat 5.5.17, 5.0.SVN
- Fixed in Apache Tomcat 5.5.16, 5.0.SVN
- Fixed in Apache Tomcat 5.5.13, 5.0.SVN
- Fixed in Apache Tomcat 5.5.7, 5.0.SVN
- Fixed in Apache Tomcat 5.5.1
- Not a vulnerability in Tomcat
released 10 Oct 2012 Fixed in Apache Tomcat 5.5.36
Moderate: DIGEST authentication weakness
CVE-2012-3439
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
- Tomcat tracked client rather than server nonces and nonce count.
- When a session ID was present, authentication was bypassed.
- The user name and password were not checked before when indicating
that a nonce was stale.
These issues reduced the security of DIGEST authentication making
replay attacks possible in some circumstances.
This was fixed in revision 1392248.
The first issue was reported by Tilmann Kuhn to the Tomcat security team
on 19 July 2012. The second and third issues were discovered by the
Tomcat security team during the resulting code review. All three issues
were made public on 5 November 2012.
Affects: 5.5.0-5.5.35
released 16 Jan 2012 Fixed in Apache Tomcat 5.5.35
Important: Denial of service
CVE-2012-0022
Analysis of the recent hash collision vulnerability identified unrelated
inefficiencies with Apache Tomcat's handling of large numbers of
parameters and parameter values. These inefficiencies could allow an
attacker, via a specially crafted request, to cause large amounts of CPU
to be used which in turn could create a denial of service. The issue was
addressed by modifying the Tomcat parameter handling code to efficiently
process large numbers of parameters and parameter values.
This was fixed in revisions 1221282,
1224640 and
1228191.
This was identified by the Tomcat security team on 21 October 2011 and
made public on 17 January 2012.
Affects: 5.5.0-5.5.34
released 22 Sep 2011 Fixed in Apache Tomcat 5.5.34
Moderate: Multiple weaknesses in HTTP DIGEST authentication
CVE-2011-1184
Note: Mitre elected to break this issue down into multiple issues and
have allocated the following additional references to parts of this
issue:
CVE-2011-5062,
CVE-2011-5063 and
CVE-2011-5064. The Apache Tomcat security team will
continue to treat this as a single issue using the reference
CVE-2011-1184.
The implementation of HTTP DIGEST authentication was discovered to have
several weaknesses:
- replay attacks were permitted
- server nonces were not checked
- client nonce counts were not checked
- qop values were not checked
- realm values were not checked
- the server secret was hard-coded to a known string
The result of these weaknesses is that DIGEST authentication was only as
secure as BASIC authentication.
This was fixed in revision 1159309.
This was identified by the Tomcat security team on 16 March 2011 and
made public on 26 September 2011.
Affects: 5.5.0-5.5.33
Low: Information disclosure
CVE-2011-2204
When using the MemoryUserDatabase (based on tomcat-users.xml) and
creating users via JMX, an exception during the user creation process may
trigger an error message in the JMX client that includes the user's
password. This error message is also written to the Tomcat logs. User
passwords are visible to administrators with JMX access and/or
administrators with read access to the tomcat-users.xml file. Users that
do not have these permissions but are able to read log files may be able
to discover a user's password.
This was fixed in revision 1140072.
This was identified by Polina Genova on 14 June 2011 and
made public on 27 June 2011.
Affects: 5.5.0-5.5.33
Low: Information disclosure
CVE-2011-2526
Tomcat provides support for sendfile with the HTTP APR
connector. sendfile is used automatically for content served via the
DefaultServlet and deployed web applications may use it directly via
setting request attributes. These request attributes were not validated.
When running under a security manager, this lack of validation allowed a
malicious web application to do one or more of the following that would
normally be prevented by a security manager:
- return files to users that the security manager should make
inaccessible
- terminate (via a crash) the JVM
Additionally, these vulnerabilities only occur when all of the following
are true:
- untrusted web applications are being used
- the SecurityManager is used to limit the untrusted web applications
- the HTTP APR connector is used
- sendfile is enabled for the connector (this is the default)
This was fixed in revision 1158244.
This was identified by the Tomcat security team on 7 July 2011 and
made public on 13 July 2011.
Affects: 5.5.0-5.5.33
Important: Information disclosure
CVE-2011-2729
Due to a bug in the capabilities code, jsvc (the service wrapper for
Linux that is part of the Commons Daemon project) does not drop
capabilities allowing the application to access files and directories
owned by superuser. This vulnerability only occurs when all of the
following are true:
- Tomcat is running on a Linux operating system
- jsvc was compiled with libcap
- -user parameter is used
Affected Tomcat versions shipped with source files for jsvc that included
this vulnerability.
This was fixed in revision 1159346.
This was identified by Wilfried Weissmann on 20 July 2011 and made public
on 12 August 2011.
Affects: 5.5.32-5.5.33
Important: Authentication bypass and information disclosure
CVE-2011-3190
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of the request
body. In certain circumstances, Tomcat did not process this message as a
request body but as a new request. This permitted an attacker to have
full control over the AJP message permitting authentication bypass and
information disclosure. This vulnerability only occurs when all of the
following are true:
- The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
- POST requests are accepted
- The request body is not processed
This was fixed in revision 1162960.
This was reported publicly on 20th August 2011.
Affects: 5.5.0-5.5.33
Mitigation options:
- Upgrade to Tomcat 5.5.34.
- Apply the appropriate patch.
- Configure both Tomcat and the reverse proxy to use a shared secret.
(It is "request.secret
" attribute in AJP <Connector>,
"worker.workername.secret
" directive for mod_jk.
The mod_proxy_ajp module currently does not support shared secrets).
- Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
implementation.
(It is automatically selected if you do not have Tomcat-Native library
installed. It can be also selected explicitly:
<Connector protocol="org.apache.jk.server.JkCoyoteHandler">
).
References:
released 1 Feb 2011 Fixed in Apache Tomcat 5.5.32
Low: Cross-site scripting
CVE-2011-0013
The HTML Manager interface displayed web application provided data, such
as display names, without filtering. A malicious web application could
trigger script execution by an administrative user when viewing the
manager pages.
This was fixed in revision 1057518.
This was identified by the Tomcat security team on 12 Nov 2010 and
made public on 5 Feb 2011.
Affects: 5.5.0-5.5.31
released 9 Jul 2010 Fixed in Apache Tomcat 5.5.30
Low: SecurityManager file permission bypass
CVE-2010-3718
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore,
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of. This vulnerability is only
applicable when hosting web applications from untrusted sources such as
shared hosting environments.
This was fixed in revision 1027610.
This was discovered by the Tomcat security team on 12 Oct 2010 and
made public on 5 Feb 2011.
Affects: 5.5.0-5.5.29
Important: Remote Denial Of Service and Information Disclosure
Vulnerability
CVE-2010-2227
Several flaws in the handling of the 'Transfer-Encoding' header were
found that prevented the recycling of a buffer. A remote attacker could
trigger this flaw which would cause subsequent requests to fail and/or
information to leak between requests. This flaw is mitigated if Tomcat is
behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
reject the invalid transfer encoding header.
This was fixed in revision 959428.
This was first reported to the Tomcat security team on 14 Jun 2010 and
made public on 9 Jul 2010.
Affects: 5.5.0-5.5.29
Low: Information disclosure in authentication headers
CVE-2010-1157
The WWW-Authenticate
HTTP header for BASIC and DIGEST
authentication includes a realm name. If a
<realm-name>
element is specified for the application
in web.xml it will be used. However, a <realm-name>
is not specified then Tomcat will generate realm name using the code
snippet request.getServerName() + ":" +
request.getServerPort()
. In some circumstances this can expose
the local host name or IP address of the machine running Tomcat.
This was fixed in revision 936541.
This was first reported to the Tomcat security team on 31 Dec 2009 and
made public on 21 Apr 2010.
Affects: 5.5.0-5.5.29
released 20 Apr 2010 Fixed in Apache Tomcat 5.5.29
Low: Arbitrary file deletion and/or alteration on deploy
CVE-2009-2693
When deploying WAR files, the WAR files were not checked for directory
traversal attempts. This allows an attacker to create arbitrary content
outside of the web root by including entries such as
../../bin/catalina.sh
in the WAR.
This was fixed in revision 902650.
This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.
Affects: 5.5.0-5.5.28
Low: Insecure partial deploy after failed undeploy
CVE-2009-2901
By default, Tomcat automatically deploys any directories placed in a
host's appBase. This behaviour is controlled by the autoDeploy attribute
of a host which defaults to true. After a failed undeploy, the remaining
files will be deployed as a result of the autodeployment process.
Depending on circumstances, files normally protected by one or more
security constraints may be deployed without those security constraints,
making them accessible without authentication. This issue only affects
Windows platforms
This was fixed in revision 902650.
This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.
Affects: 5.5.0-5.5.28 (Windows only)
Low: Unexpected file deletion in work directory
CVE-2009-2902
When deploying WAR files, the WAR file names were not checked for
directory traversal attempts. For example, deploying and undeploying
...war
allows an attacker to cause the deletion of the
current contents of the host's work directory which may cause problems
for currently running applications.
This was fixed in revision 902650.
This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.
Affects: 5.5.0-5.5.28
Low: Insecure default password
CVE-2009-3548
The Windows installer defaults to a blank password for the administrative
user. If this is not changed during the install process, then by default
a user is created with the name admin, roles admin and manager and a
blank password.
Affects: 5.5.0-5.5.28
This was first reported to the Tomcat security team on 26 Oct 2009 and
made public on 9 Nov 2009.
This was fixed in revision 919006.
released 4 Sep 2009 Fixed in Apache Tomcat 5.5.28
Important: Information Disclosure
CVE-2008-5515
When using a RequestDispatcher obtained from the Request, the target path
was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.
This was fixed in revisions 782757 and
783291.
This was first reported to the Tomcat security team on 11 Dec 2008 and
made public on 8 Jun 2009.
Affects: 5.5.0-5.5.27
Important: Denial of Service
CVE-2009-0033
If Tomcat receives a request with invalid headers via the Java AJP
connector, it does not return an error and instead closes the AJP
connection. In case this connector is member of a mod_jk load balancing
worker, this member will be put into an error state and will be blocked
from use for approximately one minute. Thus the behaviour can be used for
a denial of service attack using a carefully crafted request.
This was fixed in revision 781362.
This was first reported to the Tomcat security team on 26 Jan 2009 and
made public on 3 Jun 2009.
Affects: 5.5.0-5.5.27
Low: Information disclosure
CVE-2009-0580
Due to insufficient error checking in some authentication classes, Tomcat
allows for the enumeration (brute force testing) of user names by
supplying illegally URL encoded passwords. The attack is possible if FORM
based authentication (j_security_check) is used with the MemoryRealm.
Note that in early versions, the DataSourceRealm and JDBCRealm were also
affected.
This was fixed in revision 781379.
This was first reported to the Tomcat security team on 25 Feb 2009 and
made public on 3 Jun 2009.
Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC
Realms)
Low: Cross-site scripting
CVE-2009-0781
The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.
This was fixed in revision 750928.
This was first reported to the Tomcat security team on 5 Mar 2009 and
made public on 6 Mar 2009.
Affects: 5.5.0-5.5.27
Low: Information disclosure
CVE-2009-0783
Bugs 29936 and 45933 allowed a web application
to replace the XML parser used by
Tomcat to process web.xml, context.xml and tld files. In limited
circumstances these bugs may allow a rogue web application to view and/or
alter the web.xml, context.xml and tld files of other web applications
deployed on the Tomcat instance.
This was fixed in revisions 681156 and
781542.
This was first reported to the Tomcat security team on 2 Mar 2009 and
made public on 4 Jun 2009.
Affects: 5.5.0-5.5.27
released 8 Sep 2008 Fixed in Apache Tomcat 5.5.27
Low: Cross-site scripting
CVE-2008-1232
The message argument of HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of
HTTP response. This may include characters that are illegal in HTTP
headers. It is possible for a specially crafted message to result in
arbitrary content being injected into the HTTP response. For a successful
XSS attack, unfiltered user supplied data must be included in the message
argument.
This was fixed in revision 680947.
This was first reported to the Tomcat security team on 24 Jan 2008 and
made public on 1 Aug 2008.
Affects: 5.5.0-5.5.26
Low: Cross-site scripting
CVE-2008-1947
The Host Manager web application did not escape user provided data before
including it in the output. This enabled a XSS attack. This application
now filters the data before use. This issue may be mitigated by logging
out (closing the browser) of the application once the management tasks
have been completed.
This was fixed in revision 662583.
This was first reported to the Tomcat security team on 15 May 2008 and
made public on 28 May 2008.
Affects: 5.5.9-5.5.26
Important: Information disclosure
CVE-2008-2370
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locating it in under the WEB-INF
directory.
This was fixed in revision 680949.
This was first reported to the Tomcat security team on 13 Jun 2008 and
made public on 1 August 2008.
Affects: 5.5.0-5.5.26
released 5 Feb 2008 Fixed in Apache Tomcat 5.5.26
Low: Session hi-jacking
CVE-2007-5333
The previous fix for CVE-2007-3385 was incomplete. It did
not consider the use of quotes or %5C within a cookie value.
Affects: 5.5.0-5.5.25
Low: Elevated privileges
CVE-2007-5342
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict
this configuration and allows an untrusted web application to add files
or overwrite existing files where the Tomcat process has the necessary
file permissions to do so.
Affects: 5.5.9-5.5.25
Important: Information disclosure
CVE-2007-5461
When Tomcat's WebDAV servlet is configured for use with a context and
has been enabled for write, some WebDAV requests that specify an entity
with a SYSTEM tag can result in the contents of arbitary files being
returned to the client.
Affects: 5.5.0-5.5.25
Important: Data integrity
CVE-2007-6286
When using the native (APR based) connector, connecting to the SSL port
using netcat and then disconnecting without sending any data will cause
tomcat to handle a duplicate copy of one of the recent requests.
Affects: 5.5.11-5.5.25
released 8 Sep 2007 Fixed in Apache Tomcat 5.5.25, 5.0.SVN
Low: Cross-site scripting
CVE-2007-2449
JSPs within the examples web application did not escape user provided
data before including it in the output. This enabled a XSS attack. These
JSPs now filter the data before use. This issue may be mitigated by
undeploying the examples web application. Note that it is recommended
that the examples web application is not installed on a production
system.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
Low: Cross-site scripting
CVE-2007-2450
The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled a XSS
attack. These applications now filter the data before use. This issue may
be mitigated by logging out (closing the browser) of the application once
the management tasks have been completed.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
Low: Session hi-jacking
CVE-2007-3382
Tomcat incorrectly treated a single quote character (') in a cookie
value as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
Low: Session hi-jacking
CVE-2007-3385
Tomcat incorrectly handled the character sequence \" in a cookie value.
In some circumstances this lead to the leaking of information such as
session ID to an attacker.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
Low: Cross-site scripting
CVE-2007-3386
The Host Manager Servlet did not filter user supplied data before
display. This enabled an XSS attack.
Affects: 5.5.0-5.5.24
Not released Fixed in Apache Tomcat 5.5.24, 5.0.SVN
Moderate: Cross-site scripting
CVE-2007-1355
The JSP and Servlet included in the sample application within the Tomcat
documentation webapp did not escape user provided data before including
it in the output. This enabled a XSS attack. These pages have been
simplified not to use any user provided data in the output.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.23
released 9 Mar 2007 Fixed in Apache Tomcat 5.5.23, 5.0.SVN
Important: Information disclosure
CVE-2005-2090
Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and Tomcat)
process a sequence of requests where one or more requests contain
multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use an attacker can poison a web-cache, perform
an XSS attack and obtain sensitive information from requests other then
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.22
not released Fixed in Apache Tomcat 5.5.22, 5.0.SVN
Important: Directory traversal
CVE-2007-0450
The fix for this issue was insufficient. A fix was also required in the
JK connector module for httpd. See CVE-2007-1860 for further
information.
Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used
behind a proxy (including, but not limited to, Apache HTTP server with
mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request
containing strings like "/\../" may allow attackers to work around the context
restriction of the proxy, and access the non-proxied contexts.
The following Java system properties have been added to Tomcat to provide
additional control of the handling of path delimiters in URLs (both options
default to false):
-
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH
: true|false
-
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
: true|false
Due to the impossibility to guarantee that all URLs are handled by Tomcat as
they are in proxy servers, Tomcat should always be secured as if no proxy
restricting context access was used.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.21
not released Fixed in Apache Tomcat 5.5.21, 5.0.SVN
Low: Cross-site scripting
CVE-2007-1358
Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
the Accept-Language header value conforms to RFC 2616. Under normal
circumstances this would not be possible to exploit, however older
versions of Flash player were known to allow carefully crafted malicious
Flash files to make requests with such custom headers. When generating
the response for getLocale()
and getLocales()
,
Tomcat now ignores values for Accept-Language headers that do not conform
to RFC 2616. Applications that use the raw header values directly should
not assume that the headers conform to RFC 2616 and should filter the
values appropriately.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.20
not released Fixed in Apache Tomcat 5.5.21
Moderate: Session hi-jacking
CVE-2008-0128
When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
transmitted without the "secure" attribute, resulting in it being
transmitted to any content that is - by purpose or error - requested via
http from the same server.
Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20
Low: Information disclosure
CVE-2008-4308
Bug
40771 may result in the disclosure of POSTed content from a previous
request. For a vulnerability to exist, the content read from the input
stream must be disclosed, eg via writing it to the response and committing
the response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.
Affects: 5.5.10-5.5.20 (5.0.x unknown)
not released Fixed in Apache Tomcat 5.5.18, 5.0.SVN
Moderate: Cross-site scripting
CVE-2006-7195
The implicit-objects.jsp in the examples webapp displayed a number of
unfiltered header values. This enabled a XSS attack. These values are now
filtered.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.17
released 27 Apr 2006 Fixed in Apache Tomcat 5.5.17, 5.0.SVN
Important: Information disclosure
CVE-2007-1858
The default SSL configuration permitted the use of insecure cipher suites
including the anonymous cipher suite. The default configuration no
longer permits the use of insecure cipher suites.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.16
released 15 Mar 2006 Fixed in Apache Tomcat 5.5.16, 5.0.SVN
Low: Cross-site scripting
CVE-2006-7196
The calendar application included as part of the JSP examples is
susceptible to a cross-site scripting attack as it does not escape
user provided data before including it in the returned page.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.15
Fixed in Apache Tomcat 5.5.13, 5.0.SVN
Low: Directory listing
CVE-2006-3835
This is expected behaviour when directory listings are enabled. The
semicolon (;) is the separator for path parameters so inserting one
before a file name changes the request into a request for a directory
with a path parameter. If directory listings are enabled, a directory
listing will be shown. In response to this and other directory listing
issues, directory listings were changed to be disabled by default.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.12
Important: Denial of service
CVE-2005-3510
The root cause is the relatively expensive calls required to generate
the content for the directory listings. If directory listings are
enabled, the number of files in each directory should be kept to a
minimum. In response to this issue, directory listings were changed to
be disabled by default. Additionally, a
patch has been proposed that would improve performance, particularly
for large directories, by caching directory listings.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.12
Fixed in Apache Tomcat 5.5.7, 5.0.SVN
Low: Cross-site scripting
CVE-2005-4838
Various JSPs included as part of the JSP examples and the Tomcat Manager
are susceptible to a cross-site scripting attack as they do not escape
user provided data before including it in the returned page.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.6
Fixed in Apache Tomcat 5.5.1
Low: Information disclosure
CVE-2008-3271
Bug 25835 can, in rare circumstances - this has only been reproduced
using a debugger to force a particular processing sequence for two threads -
allow a user from a non-permitted IP address to gain access to a context
that is protected with a valve that extends RequestFilterValve. This includes
the standard RemoteAddrValve and RemoteHostValve implementations.
Affects: 5.5.0 (5.0.x unknown)
Not a vulnerability in Tomcat
Important: Remote Denial Of Service
CVE-2010-4476
A JVM bug could cause Double conversion to hang JVM when accessing to a
form based security constrained page or any page that calls
javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales(). A specially crafted request
can be used to trigger a denial of service.
A work-around for this JVM bug was provided in
revision 1066318.
This work-around is included in Tomcat 5.5.33 onwards.
This was first reported to the Tomcat security team on 01 Feb 2011 and
made public on 31 Jan 2011.
Affects: 5.5.0-5.5.32
Moderate: TLS SSL Man In The Middle
CVE-2009-3555
A vulnerability exists in the TLS protocol that allows an attacker to
inject arbitrary requests into an TLS stream during renegotiation.
The TLS implementation used by Tomcat varies with connector. The blocking
IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
provided by the JVM. The APR/native connector uses OpenSSL.
The BIO connector is vulnerable if the JSSE version used is vulnerable.
To workaround this until a fix is available in JSSE, a new connector
attribute allowUnsafeLegacyRenegotiation
has been added to
the BIO connector. It should be set to false
(the default)
to protect against this vulnerability.
The NIO connector is not vulnerable as it does not support
renegotiation.
The APR/native workarounds are detailed on the
APR/native connector security page.
Users should be aware that the impact of disabling renegotiation will
vary with both application and client. In some circumstances disabling
renegotiation may result in some clients being unable to access the
application.
A workaround was implemented in
revision 904851
that provided the new allowUnsafeLegacyRenegotiation
attribute. This work around is included in Tomcat 5.5.29 onwards.
Support for the new TLS renegotiation protocol (RFC 5746) that does not
have this security issue:
- For connectors using JSSE implementation provided by JVM:
Added in Tomcat 5.5.33.
Requires JRE that supports RFC 5746. For Oracle JRE that is
known
to be 6u22 or later.
- For connectors using APR and OpenSSL:
TBD. See
APR/native connector security page.
Important: Directory traversal
CVE-2008-2938
Originally reported as a Tomcat vulnerability the root cause of this
issue is that the JVM does not correctly decode UTF-8 encoded URLs to
UTF-8. This exposes a directory traversal vulnerability when the
connector uses URIEncoding="UTF-8"
. This directory traversal
is limited to the docBase of the web application.
If a context is configured with allowLinking="true"
then the
directory traversal vulnerability is extended to the entire file system
of the host server.
It should also be noted that setting
useBodyEncodingForURI="true"
has the same effect as setting
URIEncoding="UTF-8"
when processing requests with bodies
encoded with UTF-8.
Although the root cause was quickly identified as a JVM issue and that it
affected multiple JVMs from multiple vendors, it was decided to report
this as a Tomcat vulnerability until such time as the JVM vendors
provided updates to resolve this issue. For further information on the
status of this issue for your JVM, contact your JVM vendor.
A workaround was implemented in
revision 681029
that protects against this and any similar character
encoding issues that may still exist in the JVM. This work around is
included in Tomcat 5.5.27 onwards.
JavaMail information disclosure
CVE-2005-1754
The vulnerability described is in the web application deployed on Tomcat
rather than in Tomcat.
JavaMail information disclosure
CVE-2005-1753
The vulnerability described is in the web application deployed on Tomcat
rather than in Tomcat.