Tomcat Bug Lets Web Applications Access the Files of Other Web Applications

SecurityTracker Alert ID: 1022336
SecurityTracker URL: http://securitytracker.com/id/1022336
CVE Reference: CVE-2009-0783
Date: Jun 4 2009
Impact: Disclosure of user information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.1.0 to 4.1.39, 5.5.0 to 5.5.27, 6.0.0 to 6.0.18
Description:
A vulnerability was reported in Tomcat. A remote authenticated user who can deploy a web application can read and modify the configuration files of other web applications on the target system.
The Tomcat bugs referenced by the vendor allowed a web application to replace the XML parser that Tomcat itself uses to process web.xml, context.xml, and tag library descriptor (.tld) files. If the attacker's web application is the first web application loaded by the Tomcat instance, it can use this to view or modify the web.xml, context.xml, and .tld files of every other web application deployed on that instance.
Philippe Prados reported this vulnerability.

Impact:
A remote authenticated user with privileges to deploy a web application can view or modify the web.xml, context.xml, and .tld files of other web applications on the target system. The vendor rates the severity as low.
Solution:
The vendor has issued a fix (6.0.20). The fix will be included in future versions 4.1.40 and 5.5.28; until those are released, the vendor has published source patches for the 4.1.x and 5.5.x branches (see the vendor message below).

Vendor URL: tomcat.apache.org/

Cause: Access control error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History:
This archive entry has one or more follow-up message(s).

Source Message Contents

Date: Thu, 04 Jun 2009 13:52:49 +0100
Subject: [SECURITY] CVE-2009-0783 Apache Tomcat Information disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2009-0783: Apache Tomcat information disclosure vulnerability
Severity: low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 6.0.0 to 6.0.18
Tomcat 5.5.0 to 5.5.27
Tomcat 4.1.0 to 4.1.39
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.
Description:
Bugs https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 allowed a web
application to replace the XML parser used by Tomcat to process web.xml,
context.xml and tld files. If a web application is the first web
application loaded, these bugs allow that web application to potentially
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.
Mitigation:
6.0.x users should do one of the following:
- upgrade to 6.0.20
- apply these patches
  - http://svn.apache.org/viewvc?rev=739522&view=rev
  - http://svn.apache.org/viewvc?rev=652592&view=rev
5.5.x users should do one of the following:
- upgrade to 5.5.28 when released
- apply these patches
  - http://svn.apache.org/viewvc?rev=781542&view=rev
  - http://svn.apache.org/viewvc?rev=681156&view=rev
4.1.x users should do one of the following:
- upgrade to 4.1.40 when released
- apply this patch
  - http://svn.apache.org/viewvc?rev=781708&view=rev
Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an
example web application that can be used to replace the XML parser used
by Tomcat.
Credit:
The security implications of these bugs were discovered and reported to
the Apache Software Foundation by Philippe Prados.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html
The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkonw6EACgkQb7IeiTPGAkM8qACgyxH+hBK4r4DprZhIqd97x/V1
/7EAnRMaJsKIoPzBQgOtOhM3vOCtyL+F
=B+Gu
-----END PGP SIGNATURE-----
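As an added example (not part of the SecurityTracker entry or of the Apache advisory above), the Python script below gives an administrator two checks drawn from the advisory text: whether a reported Tomcat version falls inside the affected ranges, and whether any deployed web application bundles a JAXP provider-configuration file under WEB-INF, which is the standard way for a JAR on the class path to substitute its own XML parser implementation. That the example web application referenced in the advisory replaces the parser through this mechanism is an assumption of this script; the advisory only says the parser can be replaced. The sample webapps tree, the JAR names and the class name com.example.OwnSAXParserFactory are constructed for the example.

```python
"""Audit helpers for CVE-2009-0783 (added example; not code from the advisory).

affected_status()       compares a Tomcat version string with the ranges the
                        advisory lists and the unsupported branches it says
                        may also be affected.
find_parser_overrides() walks a webapps directory and reports applications
                        that ship a JAXP provider-configuration file. This
                        assumes that such a file is how a deployed webapp
                        would replace Tomcat's XML parser.
"""
import os
import tempfile
import zipfile

AFFECTED_RANGES = (
    ((4, 1, 0), (4, 1, 39)),
    ((5, 5, 0), (5, 5, 27)),
    ((6, 0, 0), (6, 0, 18)),
)
LEGACY_BRANCHES = ((3,), (4, 0), (5, 0))  # "may be also affected" per advisory

# JAR entries through which JAXP / SAX pick a parser implementation.
PROVIDER_PREFIXES = (
    "META-INF/services/javax.xml.parsers.",  # SAXParserFactory, DocumentBuilderFactory
    "META-INF/services/org.xml.sax.driver",  # XMLReaderFactory lookup
)


def parse_version(text):
    """'6.0.18' -> (6, 0, 18); ignores qualifiers such as '-beta' or 'RC1'."""
    nums = []
    for part in text.strip().split("-")[0].split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def affected_status(version):
    """'affected', 'unsupported, may be affected' or 'not listed as affected'."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if any(v[:len(branch)] == branch for branch in LEGACY_BRANCHES):
        return "unsupported, may be affected"
    return "not listed as affected"


def find_parser_overrides(webapps_dir):
    """Map each expanded web application to the provider files it bundles."""
    findings = {}
    for app in sorted(os.listdir(webapps_dir)):
        app_dir = os.path.join(webapps_dir, app)
        if not os.path.isdir(app_dir):
            continue  # unexpanded .war files are out of scope here
        hits = []
        lib_dir = os.path.join(app_dir, "WEB-INF", "lib")
        if os.path.isdir(lib_dir):
            for jar in sorted(os.listdir(lib_dir)):
                path = os.path.join(lib_dir, jar)
                if not zipfile.is_zipfile(path):
                    continue
                with zipfile.ZipFile(path) as zf:
                    for entry in sorted(zf.namelist()):
                        if entry.startswith(PROVIDER_PREFIXES):
                            hits.append("WEB-INF/lib/%s!%s" % (jar, entry))
        classes_dir = os.path.join(app_dir, "WEB-INF", "classes")
        for root, _dirs, files in os.walk(classes_dir):  # loose provider files
            rel_root = os.path.relpath(root, classes_dir).replace(os.sep, "/")
            for name in sorted(files):
                rel = name if rel_root == "." else rel_root + "/" + name
                if rel.startswith(PROVIDER_PREFIXES):
                    hits.append("WEB-INF/classes/" + rel)
        if hits:
            findings[app] = hits
    return findings


def build_sample_webapps():
    """Construct a throwaway webapps tree (sample data, not a real deployment)."""
    base = tempfile.mkdtemp(prefix="tomcat-webapps-")
    lib = os.path.join(base, "clean", "WEB-INF", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "app.jar"), "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    lib = os.path.join(base, "suspect", "WEB-INF", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "parser.jar"), "w") as zf:
        # Provider file naming the webapp's own factory (hypothetical class name).
        zf.writestr("META-INF/services/javax.xml.parsers.SAXParserFactory",
                    "com.example.OwnSAXParserFactory\n")
        zf.writestr("com/example/OwnSAXParserFactory.class", b"\xca\xfe\xba\xbe")
    return base


if __name__ == "__main__":
    for version in ("6.0.18", "6.0.20", "5.5.27", "4.1.40", "5.0.28"):
        print(version, affected_status(version))
    for app, hits in find_parser_overrides(build_sample_webapps()).items():
        print(app, hits)
```

A hit from find_parser_overrides() is a lead, not proof: legitimate applications ship parser libraries too, and the scan inspects the deployed tree rather than working out which application Tomcat happened to load first. Likewise "not listed as affected" only means the version lies outside the ranges in this advisory; the actual remedy is 6.0.20 or a patched 5.5.x/4.1.x build.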