[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4D9CA2C5.8070608@apache.org>
Date: Wed, 06 Apr 2011 18:28:37 +0100
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>
Cc: Tomcat Developers List <dev@...cat.apache.org>,
full-disclosure@...ts.grok.org.uk,
Tomcat Announce List <announce@...cat.apache.org>,
bugtraq@...urityfocus.com, announce@...che.org
Subject: [SECURITY] CVE-2011-1475 Apache Tomcat
information disclosure
CVE-2011-1475 Apache Tomcat information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.11
- Earlier versions are not affected
Description:
Changes introduced to the HTTP BIO connector to support Servlet 3.0
asynchronous requests did not fully account for HTTP pipelining. As a
result, when using HTTP pipelining a range of unexpected behaviours
occurred including the mixing up of responses between requests. While
the mix-up in responses was only observed between requests from the same
user, a mix-up of responses for requests from different users may also
be possible.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Switch to the NIO or APR/native HTTP connectors that do not exhibit
this issue
Credit:
This issue was identified by Brad Piles and reported via the public ASF
Bugzilla issue tracking system.
The Apache Tomcat security team requests that security vulnerability
reports are made privately to security@...cat.apache.org in the first
instance.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists