First published: Thu Oct 02 2008
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

The default security policy in the JULI logging component did not restrict access permissions to files. This could be misused by untrusted web applications to access and write arbitrary files in the context of the Tomcat process. (CVE-2007-5342)

A directory traversal vulnerability was discovered in the Apache Tomcat webdav servlet. Under certain configurations, this allowed remote, authenticated users to read files accessible to the local Tomcat process. (CVE-2007-5461)

A cross-site scripting vulnerability was discovered in the HttpServletResponse.sendError() method. A remote attacker could inject arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232)

An additional cross-site scripting vulnerability was discovered in the host manager application. A remote attacker could inject arbitrary web script or HTML via the hostname parameter. (CVE-2008-1947)

A traversal vulnerability was discovered when using a RequestDispatcher in combination with a servlet or JSP. A remote attacker could utilize a specially-crafted request parameter to access protected web resources. (CVE-2008-2370)

An additional traversal vulnerability was discovered when the "allowLinking" and "URIencoding" settings were activated. A remote attacker could use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. (CVE-2008-2938)

Users of tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues.
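Added example, not part of the advisory and not Tomcat code: a small Python check of the kind a defender might run over access logs while rolling out the update. It percent-decodes each request path, rejects byte sequences that are not well-formed UTF-8 (the lenient decoding behind the "UTF-8-encoded request" issue above), and flags paths whose `..` segments climb above the URI root. The log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Common Log Format lines (not real traffic) used as sample input.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/2008:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
192.0.2.11 - - [02/Oct/2008:10:00:02 +0000] "GET /webdav/..%2f..%2fWEB-INF/web.xml HTTP/1.1" 200 873
192.0.2.12 - - [02/Oct/2008:10:00:03 +0000] "GET /static/%ff%fe/index.html HTTP/1.1" 404 300
192.0.2.13 - - [02/Oct/2008:10:00:04 +0000] "GET /app/docs/../images/logo.png HTTP/1.1" 200 4096
"""

# Request line inside the quoted field: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def decode_path(raw_path):
    """Percent-decode to bytes, then decode strictly as UTF-8.

    Returns None when the bytes are not well-formed UTF-8. A lenient decoder
    might otherwise map malformed or overlong sequences onto '.' or '/'.
    """
    try:
        return unquote_to_bytes(raw_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None


def escapes_context(raw_target):
    """True if the decoded request path climbs above the URI root or is unsafe."""
    path = raw_target.split("?", 1)[0]          # ignore the query string
    decoded = decode_path(path)
    if decoded is None or "\x00" in decoded or "\\" in decoded:
        return True
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        depth = depth - 1 if segment == ".." else depth + 1
        if depth < 0:                            # climbed above the root
            return True
    # A '..' that stays below the root is not flagged here; browsers normalise
    # those before sending, so tighten to `segment == ".."` to report them all.
    return False


def flag_traversal_requests(log_text):
    """Return (client, target) pairs whose target fails escapes_context()."""
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and escapes_context(match.group("target")):
            flagged.append((line.split(" ", 1)[0], match.group("target")))
    return flagged
```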