First published: Mon Nov 09 2009
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was discovered that the Red Hat Security Advisory RHSA-2007:0876 did not address all possible flaws in the way Tomcat handles certain characters and character sequences in cookie values. A remote attacker could use this flaw to obtain sensitive information, such as session IDs, and then use this information for session hijacking attacks. (CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie processing behavior: with this update, version 0 cookies that contain values that must be quoted to be valid are automatically changed to version 1 cookies. To reactivate the previous, but insecure, behavior, add the following entry to the "/etc/tomcat5/catalina.properties" file:

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially-crafted requests that would cause an information leak. (CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially-crafted requests that would cause a temporary denial of service. (CVE-2009-0033)

It was discovered that certain authentication classes did not perform sufficient error checking, allowing remote attackers to enumerate (via brute force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (CVE-2009-0580)

A cross-site scripting (XSS) flaw was found in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the "time" parameter. (CVE-2009-0781)

It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect.
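The cookie note above (CVE-2007-5333) describes a behavioural change rather than showing it: a version 0 cookie whose value contains characters that are not valid in an unquoted token is promoted to a quoted version 1 cookie, and the VERSION_SWITCH property restores the old unquoted output. The following is an added illustration written for this page, not Tomcat's ServerCookie code. It models the two behaviours with a small Set-Cookie serializer and a quote-aware parser, using the RFC 2109 tspecials set as the "must be quoted" rule and a constructed cookie value; the function and variable names are this example's own.

```python
# Characters that may not appear unquoted in a cookie value (RFC 2109 tspecials
# plus whitespace). Assumption for this example: this is the "must be quoted" rule.
_TSPECIALS = frozenset('()<>@,;:\\"/[]?={} \t')


def needs_quoting(value: str) -> bool:
    """True if the value cannot be sent as a bare token."""
    return any(ch in _TSPECIALS for ch in value)


def _quote(value: str) -> str:
    """Quote a value, escaping backslashes and double quotes inside it."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def set_cookie_value(name: str, value: str, version: int = 0,
                     version_switch: bool = True) -> str:
    """Render the value of a Set-Cookie header.

    version_switch=True  models the patched default: a version 0 cookie whose
                         value needs quoting is emitted as a quoted version 1 cookie.
    version_switch=False models the pre-fix behaviour that the
                         org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false
                         property restores: the value goes out unquoted.
    """
    if version == 0:
        if needs_quoting(value) and version_switch:
            version = 1          # promote to version 1 so the value can be quoted
        else:
            return f"{name}={value}"   # bare token; reserved characters leak into the header
    rendered = _quote(value) if needs_quoting(value) else value
    return f"{name}={rendered}; Version=1"


def parse_cookie_header(header: str):
    """Split a Set-Cookie value on ';' outside quoted strings.

    Returns (name, value, attributes). Inside a quoted string, a backslash
    escapes the next character and the quotes themselves are removed.
    """
    parts, cur, in_quotes, escaped = [], [], False, False
    for ch in header:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\' and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    pairs = [p.strip().partition('=') for p in parts]
    name, _, value = pairs[0]
    attrs = {k: v for k, _, v in pairs[1:]}
    return name, value, attrs


if __name__ == '__main__':
    # Constructed value: something a web application might echo into a cookie.
    tainted = 'abc; Path=/; Domain=example.net'
    for switch in (True, False):
        header = set_cookie_value('sid', tainted, version_switch=switch)
        print(f"VERSION_SWITCH={str(switch).lower()}: {header}")
        print("  parsed as:", parse_cookie_header(header))
```

With the switch on, the parser recovers the original value intact and the only attribute is Version=1. With the switch off, the same value is read back as "abc" and the remainder of the value is taken as Path and Domain attributes the application never set, which is why the advisory calls the old behaviour insecure.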
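The CVE-2008-5515 paragraph says the request dispatcher did not properly normalize targets that carry a trailing query string, but not what "properly" means in practice. The following added example, written for this page and not taken from Tomcat, shows the ordering mistake that description points at: if the whole dispatch target is normalized before the query string is removed, a ".." inside the query string is applied to the path part. The scenario (an application forwarding to a target built from request data) and the sample target are constructed; normalize, resolve_vulnerable, resolve_fixed and is_protected are this example's names.

```python
def normalize(path: str) -> str:
    """Collapse '', '.' and '..' segments into a canonical absolute path."""
    out = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)


def resolve_vulnerable(target: str):
    """Pre-fix ordering: normalize the entire target, then strip the query string.

    Because the query string is still attached, a '..' segment that belongs
    to the query is applied to the path, so the path before '?' is discarded.
    """
    normalized = normalize(target)
    path, _, query = normalized.partition('?')
    return path, query


def resolve_fixed(target: str):
    """Patched ordering: strip the query string first, then normalize only the path."""
    path, _, query = target.partition('?')
    return normalize(path), query


def is_protected(path: str) -> bool:
    """Paths a container must never serve directly to a client."""
    return path.startswith('/WEB-INF/') or path.startswith('/META-INF/')


if __name__ == '__main__':
    # Constructed dispatch target: a harmless page with a traversal in the query.
    target = '/index.jsp?p=/../WEB-INF/web.xml'
    for label, fn in (('vulnerable', resolve_vulnerable), ('fixed', resolve_fixed)):
        path, query = fn(target)
        print(f"{label:10s} path={path!r} query={query!r} protected={is_protected(path)}")
```

The vulnerable ordering turns the target into /WEB-INF/web.xml with an empty query string, so a deployment descriptor or other protected resource could be handed back to the client; the fixed ordering keeps the path at /index.jsp and leaves the query string untouched as data.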
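The CVE-2009-0580 paragraph describes the effect (usernames can be enumerated through FORM-based authentication) without showing the mechanism. The added example below is not Tomcat's authenticator code; it illustrates the general defect class the advisory belongs to, a login path whose observable failure differs depending on whether the username exists, next to a handler that fails uniformly. The user store, the salt and the PBKDF2 parameters are constructed for the example, and the fixed salt is only there so the results are deterministic; real code uses a random per-user salt.

```python
import hashlib
import hmac

# Constructed, deterministic credential store for the example.
_SALT = b'constructed-example-salt'
_ITERATIONS = 20_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac('sha256', password.encode(), _SALT, _ITERATIONS)


USERS = {'alice': _hash('correct horse')}

# Hashed once so that unknown usernames cost the same work as known ones.
_DUMMY_HASH = _hash('not-a-real-password')


def login_vulnerable(username: str, password: str):
    """Distinguishable failures: the message reveals whether the username exists."""
    if username not in USERS:
        return False, 'unknown user'
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return False, 'bad password'
    return True, 'ok'


def login_fixed(username: str, password: str):
    """Uniform failure: same message and the same work whichever half was wrong.

    The dummy hash keeps the hashing step on the unknown-user path; the
    explicit `known` check keeps a lucky guess of the dummy's password from
    authenticating a nonexistent user.
    """
    known = username in USERS
    stored = USERS[username] if known else _DUMMY_HASH
    match = hmac.compare_digest(stored, _hash(password))
    ok = known and match
    return ok, 'ok' if ok else 'invalid username or password'


def enumerate_users(login, candidates):
    """Attacker's view: usernames whose failure differs from a never-registered name."""
    baseline = login('no-such-user-for-baseline', 'x')[1]
    return sorted(u for u in candidates if login(u, 'x')[1] != baseline)


if __name__ == '__main__':
    candidates = ['alice', 'bob', 'carol']
    print('vulnerable handler leaks:', enumerate_users(login_vulnerable, candidates))
    print('fixed handler leaks:     ', enumerate_users(login_fixed, candidates))
```

Run against the vulnerable handler, the probe recovers "alice" from the message difference alone; against the fixed handler it recovers nothing, because an unknown user and a wrong password are indistinguishable in both the response and the amount of work performed.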