[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50BE536F.6000705@apache.org>
Date: Tue, 04 Dec 2012 19:47:59 +0000
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>
CC: Tomcat Announce List <announce@...cat.apache.org>, announce@...che.org,
Tomcat Developers List <dev@...cat.apache.org>, bugtraq@...urityfocus.com,
full-disclosure@...ts.grok.org.uk
Subject: CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- - Tomcat 7.0.0 to 7.0.31
- - Tomcat 6.0.0 to 6.0.35
Description:
The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Tomcat 7.0.x users should upgrade to 7.0.32 or later
- - Tomcat 6.0.x users should upgrade to 6.0.36 or later
Credit:
This issue was identified by The Tomcat security team
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iQIcBAEBAgAGBQJQvlNvAAoJEBDAHFovYFnnY80QAMvP1gIpG00vfIdiFabpJX55
UEmkPuTSefxZ6NMvAL8GkuUe8CoC6KinCgOx+s8eGlEiHtWFoYvM/Ckg8E3a8SY6
MfD8GLo2av/LdULGSCBrbaL2wFbgixPTBpgR9YS4bdpTK5nVqBZyZOjOzptqRDnE
BQXDLLKa65/z7cF57l+XcLs1+JW3KJGRiGJzBNUrJK1x/AzfgRgk4jgvYdyDWdpI
zuXKgwBbunblPL4sZhZA2mhoswBIMIJIaHXOAD28Ddt9IIae0UFptY6LmExOkSsa
PtshA4EBlO8JTPPcfwtqA/bkHAWCzB1QshkYD57rLF3t1ouDQWI6j8l+q3AYIxzv
a0Ix4qzE2hekcjGSCUMZUqNgcaGSjsggaOEo5zauM01osPQxbfpH41eH5fIWlMKi
vrxRjYJwLyLdkj3bZFuP7Uq1GL4BLjeKDfqsL4aqcfdBPZea6C9rToEkB8EjD4vf
DVdrX4Ivg3ImMMnL+gkX4+5aLp+jpw23G9gZbX1DJn+648iv3yFoK5ysOWy1GAAO
x1Iq3pa49NigJ0ipjZvxc07THIoiK/t49/3fWzMR1Xm819oJC2/Qf512l/FpEltK
kQ0y8BC4+7ypUZyhtwE3jzLW1x2j4ZBK8l1nX0X92WepJ6piro/7o80qiyDMfqPC
hbmBu213eSXnV9kRHveI
=jich
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists