Apache Tomcat 5.5.26 Error Report
You should subscribe to announcement lists for Tomcat, and any other software you deploy, to stay abreast of new versions released due to security issues. It did not consider the use of quotes or %5C within a cookie value. This was discovered by the Tomcat security team on 12 Oct 2010 and made public on 5 Feb 2011. This is a generic DoS problem and there is no magic solution.
A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the By default the standard JDK logging is used (or a compatible extension called juli to be more precise), storing daily log files in CATALINA_HOME/logs. Added commons-io 1.4. (rjung) Catalina 46770: Don't send duplicate headers when using flushBuffer(). (rjung) 44021, 43013: Add support for # to signify multi-level contexts for directories and wars. 44494: Backport from Feature provided by George Lindholm and Juergen Herrman (pero) 41722: Make the role-link element optional (as required by the spec) when using a security-role-ref element. (markt) 42547: Fix NPE when a
Apache Tomcat/5.5.35 Exploit
This was first reported to the Tomcat security team on 15 May 2008 and made public on 28 May 2008. This includes the standard RemoteAddrValve and RemoteHostValve implementations.
A specially crafted request can be used to trigger a denial of service. In some circumstances disabling renegotiation may result in some clients being unable to access the application. This servlet could then provide the malicious web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. If maxInactiveInterval is negative, an access message is not sending. (kfujino) 50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino) Webapps 50294: Add more information to documentation regarding format
Patch provided by Suzuki Yuichiro. (markt) Coyote 38332: Add backlog attribute to ChannelSocket as provided by Takayoshi Kimura. (pero) Backport packetSize feature from Tomcat 6.0.x at standard coyote AJP Jk handler. This was identified by Wilfried Weissmann on 20 July 2011 and made public on 12 August 2011. This defaults to 10000. https://tomcat.apache.org/tomcat-5.5-doc/changelog.html A malicious web application could trigger script execution by an administrative user when viewing the manager pages.
Patch by Suzuki Yuichiro (pero) 41747 Correct example ant script for deploy task. (markt) 41752 Correct error message on exception in MemoryRealm. (markt) 39875 Minor cleanup in RealmBase.init, as requested by These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service. Patch by Ralf Hauser. (yoavs) 42119 Fix return value for request.getCharacterEncoding() when Content-Type headers contain parameters other than charset. The Apache Tomcat security team will continue to treat this as a single issue using the reference CVE-2011-1184.
- In CATALINA_HOME/conf/web.xml default org.apache.catalina.servlets.DefaultServlet debug 0 listings false 1 Remove version string from HTTP error messages by repacking
- See APR/native connector security page.
- This issue was identified by the Apache Tomcat security team on 29 October 2013 and made public on 25 February 2014.
- This was first reported to the Tomcat security team on 25 Feb 2009 and made public on 3 Jun 2009.
- This was fixed in revision 1585853.
- Patch provided by David Jencks. (markt) Tomcat 5.5.26 (fhanik) released 2008-02-05 General Use Eclipse JDT 3.3.1. (pero) Use new commons download location. (markt) Use commons-launcher 1.1. (markt) Use commons-digester 1.8. (markt) Use
- Affects: 5.5.9-5.5.26 Important: Information disclosure CVE-2008-2370 When using a RequestDispatcher the target path was normalised before the query string was removed.
- This was fixed in revision 1392248.
- Patch by Keiichi Fujino (pero) Tomcat 5.5.24 (fhanik) not released General Update to Commons DBCP src 1.2.2 (pero) Update to Commons Pool src 1.3 (pero) Catalina 33774 Retry JNDI authentication on ServiceUnavailableException
- Patch provided by Kawasima Kazuh. (markt) 41990 Add some additional mime-type mappings. (markt) 41655 Fix message translations.
Apache Tomcat Security Vulnerabilities
Affects: 5.5.32-5.5.33 Important: Authentication bypass and information disclosure CVE-2011-3190 Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from https://tomcat.apache.org/security-6.html Although widely maligned, obscurity is a useful adjunct security measure on a one-off basis. This feature is enabled by setting the Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true The feature is now implemented with synchronization which addresses the thread safety issues associated with the original bug report. (markt) 37439: 11 February 2016 Fixed in Apache Tomcat 6.0.45 Low: Limited directory traversal CVE-2015-5174 This issue only affects users running untrusted web applications under a security manager.
These applications now filter the data before use. tcnative 1.1.30 and later ship with patched versions of OpenSSL. These request attributes were not validated. Affects: 6.0.0-6.0.33 released 18 Aug 2011 Fixed in Apache Tomcat 6.0.33 Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184 Note: Mitre elected to break this issue down into multiple issues and
Based on a patch by Tomasz Skutnik. (markt) Webapps 41498: Add the allRolesMode attribute to the Realm configuration page in the documentation web application. (markt) Configure Security Manager How-To to include Important: Remote Denial Of Service CVE-2010-4476 A JVM bug could cause Double conversion to hang JVM when accessing to a form based security constrained page or any page that calls javax.servlet.ServletRequest.getLocale() Depending on your requirements it may not be good enough to serve directly from Tomcat so you may like to consider; Use IIS / Apache running on port 80 and mod_jk When asked to install TC-Native it was downloading some very old (1.1.4) version of it from the HEAnet site. (kkolinko) Update the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko)
Align %2f handling between implementations. (kkolinko) 52225: Fix ClassCastException when adding an alias for an existing host via JMX. (kkolinko) Do not throw an IllegalArgumentException from a parseParameters() call when a Applications that use the raw header values directly should not assume that the headers conform to RFC 2616 and should filter the values appropriately. Affects: 5.5.0-5.5.27 Low: Information disclosure CVE-2009-0783 Bugs 29936 and 45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files.
Affects: 5.5.0-5.5.27 released 8 Sep 2008 Fixed in Apache Tomcat 5.5.27 Low: Cross-site scripting CVE-2008-1232 The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is
Choose an administrator username (NOT admin) and a secure password that complies with your organisation's password policy. Fix that sessions after node restart better expire. In limited circumstances these bugs may allow a rogue web application to view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.
Affects: 5.5.0-5.5.32 Moderate: TLS SSL Man In The Middle CVE-2009-3555 A vulnerability exists in the TLS protocol that allows an attacker to inject arbitrary requests into a TLS stream during renegotiation. This allows options for starting and stopping to be set on JAVA_OPTS and options for starting only to be set on CATALINA_OPTS. This issue was identified by the Tomcat security team on 13 July 2012 and made public on 4 December 2012.
This vulnerability only occurs when all of the following are true: Tomcat is running on a Linux operating system jsvc was compiled with libcap -user parameter is used Affected Tomcat versions This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR. objects are allocated to threads in the order that the threads request them. Affects: 6.0.0-6.0.32 Low: Information disclosure CVE-2011-2526 Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors.
Installation of Apache Tomcat UNIX Create a tomcat user/group Download and unpack the core distribution (referenced as CATALINA_HOME from now on) Change CATALINA_HOME ownership to tomcat user and tomcat group Change Affects: 6.0.0-6.0.18 Low: Information disclosure CVE-2009-0580 Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded Binary versions of tcnative 1.1.24 - 1.1.29 include this vulnerable version of OpenSSL. Patch provided by Charles R Caldarale. (markt) 29936: Don't use parser from a webapp to parse web.xml and possibly context.xml files. (markt) 43079: Correct pattern verification for suspicious URLs.
Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom