CVE-2008-3271
First published: Mon Oct 13 2008(Updated: )
Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tomcat | =4.1.2 | |
| Tomcat | =4.1.21 | |
| Tomcat | =4.1.24 | |
| Tomcat | =4.1.25 | |
| Tomcat | =4.1.4 | |
| Tomcat | =4.1.27 | |
| Tomcat | =4.1.30 | |
| Tomcat | =4.1.7 | |
| Tomcat | =4.1.11 | |
| Tomcat | =4.1.18 | |
| Tomcat | =4.1.14 | |
| Tomcat | =4.1.19 | |
| Tomcat | =4.1.31 | |
| Tomcat | =4.1.16 | |
| Tomcat | =4.1.29 | |
| Tomcat | =4.1.22 | |
| Tomcat | =4.1.5 | |
| Tomcat | =4.1.26 | |
| Tomcat | =4.1.13 | |
| Tomcat | =4.1.8 | |
| Tomcat | =4.1.17 | |
| Tomcat | =5.5.0 | |
| Tomcat | =4.1.1 | |
| Tomcat | =4.1.12 | |
| Tomcat | =4.1.28 | |
| Tomcat | =4.1.15 | |
| Tomcat | =4.1.3-beta | |
| Tomcat | =4.1.10 | |
| Tomcat | =4.1.0 | |
| Tomcat | =4.1.20 | |
| Tomcat | =4.1.3 | |
| Tomcat | =4.1.23 | |
| Tomcat | =4.1.6 | |
| Tomcat | =4.1.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://jvn.jp/en/jp/JVN30732239/index.html
- http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000069.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00012.html
- http://secunia.com/advisories/32213
- http://secunia.com/advisories/32234
- http://secunia.com/advisories/32398
- http://secunia.com/advisories/35684
- http://securityreason.com/securityalert/4396
- http://tomcat.apache.org/security-4.html
- http://tomcat.apache.org/security-5.html
- http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html
- http://www.nec.co.jp/security-info/secinfo/nv09-006.html
- http://www.securityfocus.com/archive/1/497220/100/0/threaded
- http://www.securityfocus.com/bid/31698
- http://www.securitytracker.com/id?1021039
- http://www.vupen.com/english/advisories/2008/2793
- http://www.vupen.com/english/advisories/2008/2800
- http://www.vupen.com/english/advisories/2009/1818
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45791
- https://issues.apache.org/bugzilla/show_bug.cgi?id=25835
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Frequently Asked Questions
What is the vulnerability in CVE-2008-3271?
CVE-2008-3271 allows remote attackers to bypass IP address restrictions and access sensitive information due to thread synchronization issues in Apache Tomcat.
What versions of Apache Tomcat are affected by CVE-2008-3271?
CVE-2008-3271 affects Apache Tomcat versions 4.1.0 through 4.1.31 and 5.5.0.
What are the potential impacts of CVE-2008-3271?
The vulnerability can lead to an instance-variable overwrite, potentially exposing sensitive data and compromising system integrity.
How do I fix CVE-2008-3271?
To fix CVE-2008-3271, upgrade Apache Tomcat to a secure version that is not vulnerable, specifically versions later than 4.1.31 or 5.5.0.
Is CVE-2008-3271 a critical vulnerability?
CVE-2008-3271 is considered a significant vulnerability due to its potential to allow unauthorized access and exposure of sensitive information.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/apache
- canonical/tomcat
- version/tomcat/4.1.2
- version/tomcat/4.1.21
- version/tomcat/4.1.24
- version/tomcat/4.1.25
- version/tomcat/4.1.4
- version/tomcat/4.1.27
- version/tomcat/4.1.30
- version/tomcat/4.1.7
- version/tomcat/4.1.11
- version/tomcat/4.1.18
- version/tomcat/4.1.14
- version/tomcat/4.1.19
- version/tomcat/4.1.31
- version/tomcat/4.1.16
- version/tomcat/4.1.29
- version/tomcat/4.1.22
- version/tomcat/4.1.5
- version/tomcat/4.1.26
- version/tomcat/4.1.13
- version/tomcat/4.1.8
- version/tomcat/4.1.17
- version/tomcat/5.5.0
- version/tomcat/4.1.1
- version/tomcat/4.1.12
- version/tomcat/4.1.28
- version/tomcat/4.1.15
- version/tomcat/4.1.3-beta
- version/tomcat/4.1.10
- version/tomcat/4.1.0
- version/tomcat/4.1.20
- version/tomcat/4.1.3
- version/tomcat/4.1.23
- version/tomcat/4.1.6
- version/tomcat/4.1.9