List:       jboss-user
Subject:    [jboss-user] [Tomcat, HTTPD,
From:       nakamuram <do-not-reply () jboss ! com>
Date:       2008-02-29 16:59:52
Message-ID: 26968647.1204304392528.JavaMail.jboss () colo-br-02 ! atl ! jboss ! com
What version of Tomcat is JBOSS 4.2.2GA based on?

The reason for my question is because some Security Vulnerabilities have been identified in Tomcat and we need to know if upgrading to a later version of JBOSS will fix our problem. Here is a description of the vulnerabilities:

7.1 (U) Apache Tomcat 6.0.5 - 6.0.15 Information Disclosure Vulnerability: Apache reports that if an exception occurs during the processing of parameters, such as the client disconnecting, then it is possible the parameters submitted for the request will be incorrectly processed as part of a subsequent request. To exploit this vulnerability, an unauthenticated remote attacker would locate a site hosting a vulnerable version of the Adobe Tomcat application, then wait for an unsuspecting user to transmit data to the server. Once transmitted, the attacker would cause the user/client to disconnect during the transmission and initiate their own connection with the user's parameters as part of the attacker's request. The successful exploitation of this vulnerability could allow a remote attacker access to sensitive information which could be used in later attacks.

7.2 (U) Apache Tomcat Data Integrity Vulnerability: Apache reports several versions of Tomcat (5.5.11 - 5.5.25 and 6.0.0 - 6.0.15) do not properly handle an empty request to an SSL port using netcat when the native Apache Portable Runtime (APR) connector is used. The successful exploitation of this vulnerability could allow an unauthenticated remote attacker to trigger a handling of "a duplicate copy of one of the recent requests".

7.3 (U) Apache Tomcat WebDAV Servlet Information Disclosure Vulnerability: Apache reports an information disclosure vulnerability associated with the WebDAV servlet in several Tomcat versions (4.0.0 - 4.0.6, 4.1.0, 5.0.0, 5.5.0 - 5.5.25, and 6.0.0 - 6.0.14). When the WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the disclosure of information to the client issuing the request. To exploit this vulnerability, an authenticated remote attacker could gain access to a vulnerable webserver and could create a maliciously crafted HTTP WebDAV Lock request for a file that the attacker has permissions to access, as well as referencing another remote file. The WebDAV 'Lock' function would process the attacker's request, making the remote file available to them.

Note: Exploit code has been developed for this vulnerability which is publicly available.

7.4 (U) Apache Tomcat JULI Vulnerability: Apache reports that the default catalina.policy in the JULI logging component in several Tomcat versions (5.5.9 - 5.5.25 and 6.0.0 - 6.0.15) does not restrict certain permissions for web applications. To exploit this vulnerability, an unauthenticated local attacker would construct a maliciously crafted Java web application which could contain a malicious logging configuration which is designed to leverage this vulnerability. The attacker would then gain local, interactive access to a vulnerable webserver, and then install and execute the malicious application. The application would write the log files, using the permissions of the user running the server. The successful exploitation of this vulnerability could allow an attacker to modify logging configuration options and overwrite arbitrary files, as well as having access to sensitive information.

Note: JULI is enabled by default in Tomcat 6.0, and supports per classloader configuration, in addition to the regular global java.util.logging configuration.

7.5 (U) Apache Tomcat Session Hi-jacking Vulnerability: Apache reports that several versions of Tomcat do not properly handle (1) double quote (") characters, or (2) %5C (encoded backslash) sequences in a cookie value. To exploit this vulnerability, an unauthenticated remote attacker would need to locate a network-accessible instance of a server hosting a vulnerable application (6.0.0 - 6.0.14, 5.5.0 - 5.5.25, and 4.1.0 - 4.1.36). A maliciously crafted web page or URI would be created by the attacker, to include either or both of these conditions, and distributed to an unsuspecting user. When the user views this webpage or follows this URI link, the user's server would not be able to properly handle the cookie data, and the user's information would be disclosed to the attacker, which could enable the attacker to ultimately hijack the user's session.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133296#4133296

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4133296
 _______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
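The practical question behind the post is whether a given Tomcat build falls inside any of the five affected ranges quoted above. The following script is an added example, not part of the mailing-list post or of JBoss/Tomcat: it reads the build number out of a Tomcat catalina.jar (the `org/apache/catalina/util/ServerInfo.properties` entry with the `server.number` key, which is where stock Tomcat records it; whether the Tomcat bundled with a particular JBoss release carries that file is an assumption, so check the jar you actually deploy) and reports which of the advisories 7.1 to 7.5 list that version as affected. The advisory names and the `build_sample_jar` fixture are constructed for the example.

```python
"""Added example: match a Tomcat build number against the affected version
ranges quoted in the post (advisories 7.1 - 7.5). Not part of the original post."""
import io
import re
import sys
import zipfile
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the post, inclusive at both ends.
# A single affected version is written as a range with identical endpoints.
# The short labels are constructed for this example.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "7.1 parameter information disclosure": [("6.0.5", "6.0.15")],
    "7.2 APR empty SSL request": [("5.5.11", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.3 WebDAV SYSTEM entity disclosure": [("4.0.0", "4.0.6"), ("4.1.0", "4.1.0"),
                                            ("5.0.0", "5.0.0"), ("5.5.0", "5.5.25"),
                                            ("6.0.0", "6.0.14")],
    "7.4 JULI catalina.policy permissions": [("5.5.9", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.5 cookie session hijacking": [("6.0.0", "6.0.14"), ("5.5.0", "5.5.25"),
                                     ("4.1.0", "4.1.36")],
}

# Location of the build number inside a stock Tomcat catalina.jar (assumption
# for JBoss-bundled builds; verify against the jar you deploy).
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(text: str) -> Version:
    """Normalise '6.0.13', '6.0.13.0' or '6.0.13.GA' to a (major, minor, patch)
    tuple so that versions compare correctly as tuples. Tomcat's server.number
    carries a fourth component; it is dropped so 6.0.15.0 still matches 6.0.15."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))[:3]
    padded = parts + (0,) * (3 - len(parts))  # '6.0' -> (6, 0, 0)
    return padded[0], padded[1], padded[2]


def affected_advisories(version: str) -> List[str]:
    """Return the labels of every advisory whose affected ranges contain `version`."""
    v = parse_version(version)
    hits: List[str] = []
    for label, ranges in AFFECTED_RANGES.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(label)
    return hits


def version_from_jar_bytes(jar: bytes) -> str:
    """Extract server.number from the ServerInfo.properties entry of a jar image."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        props = zf.read(SERVER_INFO).decode("utf-8")
    for line in props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server.number":
            return value.strip()
    raise KeyError(f"server.number not present in {SERVER_INFO}")


def version_from_jar(path: str) -> str:
    """Read the build number from a catalina.jar on disk."""
    with open(path, "rb") as fh:
        return version_from_jar_bytes(fh.read())


def build_sample_jar(number: str) -> bytes:
    """Constructed fixture: a minimal jar holding only ServerInfo.properties,
    so the jar parsing can be exercised without a real Tomcat install."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO,
                    f"server.info=Apache Tomcat/{number}\nserver.number={number}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python tomcat_check.py /path/to/catalina.jar   (or a bare version string)
    arg = sys.argv[1] if len(sys.argv) > 1 else "6.0.13"
    found = version_from_jar(arg) if arg.endswith(".jar") else arg
    hits = affected_advisories(found)
    print(f"Tomcat {found}: {'affected by ' + ', '.join(hits) if hits else 'not in any listed range'}")
```

Run it against the catalina.jar of the JBoss instance in question, or pass a version string directly; a version outside every range prints as not listed, which is the condition the poster wants an upgrade to reach. Note that the check only answers the question the post asks (is the build number inside a quoted range); a vendor-patched build that keeps an affected number would still be reported as affected.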

