CVE-2008-5519: Infoleak
First published: Fri Mar 13 2009(Updated: )
An issue with mod_jk 1.2.26, and possibly older versions, allows one user to see another user's information due to missing logic where faulty clients set Content-Length without providing data, or if a user submits too many times very fast. The relevant changelog entry in mod_jk 1.2.27 that corrects the issue is: "AJP13: Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk)" from <a href="http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html">http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Mod Jk | =1.2 | |
| Apache Mod Jk | =1.2.1 | |
| Apache Mod Jk | =1.2.6 | |
| Apache Mod Jk | =1.2.7 | |
| Apache Mod Jk | =1.2.8 | |
| Apache Mod Jk | =1.2.9 | |
| Apache Mod Jk | =1.2.10 | |
| Apache Mod Jk | =1.2.11 | |
| Apache Mod Jk | =1.2.12 | |
| Apache Mod Jk | =1.2.13 | |
| Apache Mod Jk | =1.2.14 | |
| Apache Mod Jk | =1.2.14.1 | |
| Apache Mod Jk | =1.2.15 | |
| Apache Mod Jk | =1.2.16 | |
| Apache Mod Jk | =1.2.17 | |
| Apache Mod Jk | =1.2.18 | |
| Apache Mod Jk | =1.2.19 | |
| Apache Mod Jk | =1.2.20 | |
| Apache Mod Jk | =1.2.21 | |
| Apache Mod Jk | =1.2.22 | |
| Apache Mod Jk | =1.2.23 | |
| Apache Mod Jk | =1.2.24 | |
| Apache Mod Jk | =1.2.25 | |
| Apache Mod Jk | =1.2.26 | |
| Apache Tomcat | =4.0.0 | |
| Apache Tomcat | =4.0.1 | |
| Apache Tomcat | =4.0.2 | |
| Apache Tomcat | =4.0.3 | |
| Apache Tomcat | =4.0.4 | |
| Apache Tomcat | =4.0.5 | |
| Apache Tomcat | =4.0.6 | |
| Apache Tomcat | =4.1.0 | |
| Apache Tomcat | =4.1.1 | |
| Apache Tomcat | =4.1.2 | |
| Apache Tomcat | =4.1.3 | |
| Apache Tomcat | =4.1.3-beta | |
| Apache Tomcat | =4.1.4 | |
| Apache Tomcat | =4.1.5 | |
| Apache Tomcat | =4.1.6 | |
| Apache Tomcat | =4.1.7 | |
| Apache Tomcat | =4.1.8 | |
| Apache Tomcat | =4.1.9 | |
| Apache Tomcat | =4.1.9-beta | |
| Apache Tomcat | =4.1.10 | |
| Apache Tomcat | =4.1.11 | |
| Apache Tomcat | =4.1.12 | |
| Apache Tomcat | =4.1.13 | |
| Apache Tomcat | =4.1.14 | |
| Apache Tomcat | =4.1.15 | |
| Apache Tomcat | =4.1.16 | |
| Apache Tomcat | =4.1.17 | |
| Apache Tomcat | =4.1.18 | |
| Apache Tomcat | =4.1.19 | |
| Apache Tomcat | =4.1.20 | |
| Apache Tomcat | =4.1.21 | |
| Apache Tomcat | =4.1.22 | |
| Apache Tomcat | =4.1.23 | |
| Apache Tomcat | =4.1.24 | |
| Apache Tomcat | =4.1.25 | |
| Apache Tomcat | =4.1.26 | |
| Apache Tomcat | =4.1.27 | |
| Apache Tomcat | =4.1.28 | |
| Apache Tomcat | =4.1.29 | |
| Apache Tomcat | =4.1.30 | |
| Apache Tomcat | =4.1.31 | |
| Apache Tomcat | =4.1.32 | |
| Apache Tomcat | =4.1.33 | |
| Apache Tomcat | =4.1.34 | |
| Apache Tomcat | =4.1.35 | |
| Apache Tomcat | =4.1.36 | |
| Apache Tomcat | =5.0.0 | |
| Apache Tomcat | =5.0.1 | |
| Apache Tomcat | =5.0.2 | |
| Apache Tomcat | =5.0.3 | |
| Apache Tomcat | =5.0.4 | |
| Apache Tomcat | =5.0.5 | |
| Apache Tomcat | =5.0.6 | |
| Apache Tomcat | =5.0.7 | |
| Apache Tomcat | =5.0.8 | |
| Apache Tomcat | =5.0.9 | |
| Apache Tomcat | =5.0.10 | |
| Apache Tomcat | =5.0.11 | |
| Apache Tomcat | =5.0.12 | |
| Apache Tomcat | =5.0.13 | |
| Apache Tomcat | =5.0.14 | |
| Apache Tomcat | =5.0.15 | |
| Apache Tomcat | =5.0.16 | |
| Apache Tomcat | =5.0.17 | |
| Apache Tomcat | =5.0.18 | |
| Apache Tomcat | =5.0.19 | |
| Apache Tomcat | =5.0.21 | |
| Apache Tomcat | =5.0.22 | |
| Apache Tomcat | =5.0.23 | |
| Apache Tomcat | =5.0.24 | |
| Apache Tomcat | =5.0.25 | |
| Apache Tomcat | =5.0.26 | |
| Apache Tomcat | =5.0.27 | |
| Apache Tomcat | =5.0.28 | |
| Apache Tomcat | =5.0.29 | |
| Apache Tomcat | =5.0.30 | |
| Apache Tomcat | =5.5.0 | |
| Apache Tomcat | =5.5.1 | |
| Apache Tomcat | =5.5.2 | |
| Apache Tomcat | =5.5.3 | |
| Apache Tomcat | =5.5.4 | |
| Apache Tomcat | =5.5.5 | |
| Apache Tomcat | =5.5.6 | |
| Apache Tomcat | =5.5.7 | |
| Apache Tomcat | =5.5.8 | |
| Apache Tomcat | =5.5.9 | |
| Apache Tomcat | =5.5.10 | |
| Apache Tomcat | =5.5.11 | |
| Apache Tomcat | =5.5.12 | |
| Apache Tomcat | =5.5.13 | |
| Apache Tomcat | =5.5.14 | |
| Apache Tomcat | =5.5.15 | |
| Apache Tomcat | =5.5.16 | |
| Apache Tomcat | =5.5.17 | |
| Apache Tomcat | =5.5.18 | |
| Apache Tomcat | =5.5.19 | |
| Apache Tomcat | =5.5.20 | |
| Apache Tomcat | =5.5.21 | |
| Apache Tomcat | =5.5.22 | |
| Apache Tomcat | =5.5.23 | |
| Apache Tomcat | =5.5.24 | |
| Apache Tomcat | =5.5.25 | |
| Apache Tomcat | =5.5.26 | |
| Apache Tomcat | =5.5.27 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
- http://svn.eu.apache.org/viewvc?view=rev&revision=702540
- http://marc.info/?l=tomcat-dev&m=123913700700879
- https://rhn.redhat.com/errata/RHSA-2009-0446.html
- https://rhn.redhat.com/errata/RHSA-2009-1087.html
- https://rhn.redhat.com/errata/RHSA-2009-1618.html
- https://bugzilla.redhat.com/show_bug.cgi?id=490201
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
- http://mail-archives.apache.org/mod_mbox/www-announce/200904.mbox/%3C49DBBAC0.2080400%40apache.org%3E
- http://secunia.com/advisories/29283
- http://secunia.com/advisories/34621
- http://secunia.com/advisories/35537
- http://securitytracker.com/id?1022001
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-262468-1
- http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?r1=702387&r2=702540&pathrev=702540&diff_format=h
- http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=markup&pathrev=702540
- http://tomcat.apache.org/security-jk.html
- http://www.debian.org/security/2009/dsa-1810
- http://www.openwall.com/lists/oss-security/2009/04/08/10
- http://www.redhat.com/support/errata/RHSA-2009-0446.html
- http://www.securityfocus.com/archive/1/502530/100/0/threaded
- http://www.securityfocus.com/bid/34412
- http://www.vupen.com/english/advisories/2009/0973
- https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E
- collector/redhat-bugzilla
- alias/CVE-2008-5519
- collector/nvd-index
- collector/nvd-historical
- agent/weakness
- agent/severity
- agent/references
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/author
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- vendor/apache
- canonical/apache mod jk
- version/apache mod jk/1.2
- version/apache mod jk/1.2.1
- version/apache mod jk/1.2.6
- version/apache mod jk/1.2.7
- version/apache mod jk/1.2.8
- version/apache mod jk/1.2.9
- version/apache mod jk/1.2.10
- version/apache mod jk/1.2.11
- version/apache mod jk/1.2.12
- version/apache mod jk/1.2.13
- version/apache mod jk/1.2.14
- version/apache mod jk/1.2.14.1
- version/apache mod jk/1.2.15
- version/apache mod jk/1.2.16
- version/apache mod jk/1.2.17
- version/apache mod jk/1.2.18
- version/apache mod jk/1.2.19
- version/apache mod jk/1.2.20
- version/apache mod jk/1.2.21
- version/apache mod jk/1.2.22
- version/apache mod jk/1.2.23
- version/apache mod jk/1.2.24
- version/apache mod jk/1.2.25
- version/apache mod jk/1.2.26
- canonical/apache tomcat
- version/apache tomcat/4.0.0
- version/apache tomcat/4.0.1
- version/apache tomcat/4.0.2
- version/apache tomcat/4.0.3
- version/apache tomcat/4.0.4
- version/apache tomcat/4.0.5
- version/apache tomcat/4.0.6
- version/apache tomcat/4.1.0
- version/apache tomcat/4.1.1
- version/apache tomcat/4.1.2
- version/apache tomcat/4.1.3
- version/apache tomcat/4.1.3-beta
- version/apache tomcat/4.1.4
- version/apache tomcat/4.1.5
- version/apache tomcat/4.1.6
- version/apache tomcat/4.1.7
- version/apache tomcat/4.1.8
- version/apache tomcat/4.1.9
- version/apache tomcat/4.1.9-beta
- version/apache tomcat/4.1.10
- version/apache tomcat/4.1.11
- version/apache tomcat/4.1.12
- version/apache tomcat/4.1.13
- version/apache tomcat/4.1.14
- version/apache tomcat/4.1.15
- version/apache tomcat/4.1.16
- version/apache tomcat/4.1.17
- version/apache tomcat/4.1.18
- version/apache tomcat/4.1.19
- version/apache tomcat/4.1.20
- version/apache tomcat/4.1.21
- version/apache tomcat/4.1.22
- version/apache tomcat/4.1.23
- version/apache tomcat/4.1.24
- version/apache tomcat/4.1.25
- version/apache tomcat/4.1.26
- version/apache tomcat/4.1.27
- version/apache tomcat/4.1.28
- version/apache tomcat/4.1.29
- version/apache tomcat/4.1.30
- version/apache tomcat/4.1.31
- version/apache tomcat/4.1.32
- version/apache tomcat/4.1.33
- version/apache tomcat/4.1.34
- version/apache tomcat/4.1.35
- version/apache tomcat/4.1.36
- version/apache tomcat/5.0.0
- version/apache tomcat/5.0.1
- version/apache tomcat/5.0.2
- version/apache tomcat/5.0.3
- version/apache tomcat/5.0.4
- version/apache tomcat/5.0.5
- version/apache tomcat/5.0.6
- version/apache tomcat/5.0.7
- version/apache tomcat/5.0.8
- version/apache tomcat/5.0.9
- version/apache tomcat/5.0.10
- version/apache tomcat/5.0.11
- version/apache tomcat/5.0.12
- version/apache tomcat/5.0.13
- version/apache tomcat/5.0.14
- version/apache tomcat/5.0.15
- version/apache tomcat/5.0.16
- version/apache tomcat/5.0.17
- version/apache tomcat/5.0.18
- version/apache tomcat/5.0.19
- version/apache tomcat/5.0.21
- version/apache tomcat/5.0.22
- version/apache tomcat/5.0.23
- version/apache tomcat/5.0.24
- version/apache tomcat/5.0.25
- version/apache tomcat/5.0.26
- version/apache tomcat/5.0.27
- version/apache tomcat/5.0.28
- version/apache tomcat/5.0.29
- version/apache tomcat/5.0.30
- version/apache tomcat/5.5.0
- version/apache tomcat/5.5.1
- version/apache tomcat/5.5.2
- version/apache tomcat/5.5.3
- version/apache tomcat/5.5.4
- version/apache tomcat/5.5.5
- version/apache tomcat/5.5.6
- version/apache tomcat/5.5.7
- version/apache tomcat/5.5.8
- version/apache tomcat/5.5.9
- version/apache tomcat/5.5.10
- version/apache tomcat/5.5.11
- version/apache tomcat/5.5.12
- version/apache tomcat/5.5.13
- version/apache tomcat/5.5.14
- version/apache tomcat/5.5.15
- version/apache tomcat/5.5.16
- version/apache tomcat/5.5.17
- version/apache tomcat/5.5.18
- version/apache tomcat/5.5.19
- version/apache tomcat/5.5.20
- version/apache tomcat/5.5.21
- version/apache tomcat/5.5.22
- version/apache tomcat/5.5.23
- version/apache tomcat/5.5.24
- version/apache tomcat/5.5.25
- version/apache tomcat/5.5.26
- version/apache tomcat/5.5.27