lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Jan 2012 11:34:52 +0000 From: Mark Thomas <markt@...che.org> To: Tomcat Users List <users@...cat.apache.org> CC: Tomcat Announce List <announce@...cat.apache.org>, announce@...che.org, Tomcat Developers List <dev@...cat.apache.org>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: [SECURITY] CVE-2011-3375 Apache Tomcat Information disclosure CVE-2011-3375 Apache Tomcat Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.21 - Tomcat 6.0.30 to 6.0.33 - Earlier versions are not affected Description: For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That lead to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request. The issue was resolved be ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries. Mitigation: Users of affected versions should apply one of the following mitigations: - Tomcat 7.0.x users should upgrade to 7.0.22 or later - Tomcat 6.0.x users should upgrade to 6.0.35 or later Credit: The issue was initially reported via Apache Tomcat's public issue tracker with the potential security implications identified by the Apache Tomcat security team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html https://issues.apache.org/bugzilla/show_bug.cgi?id=51872
Powered by blists - more mailing lists