[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B5CC17B.4030708@apache.org>
Date: Sun, 24 Jan 2010 16:54:03 -0500
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>,
Tomcat Developers List <dev@...cat.apache.org>,
announce@...cat.apache.org, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com, announce@...che.org
Subject: [SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or
alteration
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also
affected.
Description:
When deploying WAR files, the WAR files were not checked for directory
traversal attempts. This allows an attacker to create arbitrary content
outside of the web root.
Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2901 and CVE-2009-2902.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.
Example:
A WAR file that contains the following entry will overwrite the standard
Windows start-up script when deployed on a default Tomcat installation:
../../bin/catalina.bat
Credit:
This issue was reported to the Apache Tomcat security team by Marc
Schoenefeld of the Red Hat Security Response Team
References:
[1] http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJLXMF6AAoJEBDAHFovYFnniGcP/j9ZyFlLdzcTxJLqqWyAOdUt
J1jF8vZTIqkf/vFyrRxLgw9ihaKZQ1wpd9U3vdHulcIsuAeBtiZgIhlXKItJiTLf
ImsEl5a3w3Ucp2Z71/IIRxmcffz/zIjgdzmhmnRDEhiHz/wiygpRr7X1M8ZgZVXe
itxFDhZu7ccWDTwUkxOoFuG6CWxb6/red3l5CaL4OtcWBTZ1aqQ5M1Io62pWErLI
6F/xuGTvWn4AeXaNEgJOGFZLLyX06WQJSzaJXh/tPqI153mk5Or63m03uJy9wHqa
p7ULRvRNSZ57m8L08e397uCjvu4CPGf1Rm0dDDART7UaLF1Q13gP9O6DPCS88wN+
ypgZTERSG9t0iMHZCKNjH1huRJDVPkEJwvGdtH0wGzFwg5S+oJ/J5ETW29dQ/JUR
pt1U1Xz6RnzFFgQR4Xomdc4SPysDFOIAexi8dkZPDcafN7YyiMQTRyU3iNRuoaR1
Y32qWfqJrmVDWQ1J4BLYsrLrpgZ0s5ccq6omz36lbH+3blyVPf1th84lWg9GG6lo
W3qsnJIpNfxLi9II9sDxbVpUJXLVbJmBexUDR3z9BayowNtBlwMWXEZluctGe2DO
hIkNB0D33AJvMD7wY80tnXY/hH3X5Vs+ZePEmu7TQB1KXzTinEbVdNVPF8/8woaL
7iN004jxhnUxQc8Fgwj4
=/B5h
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists