Home > Apache Tomcat > Apache Tomcat 5.5.26 Error Report

Apache Tomcat 5.5.26 Error Report

Contents

Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20 Low: Information disclosure CVE-2008-4308 Bug 40771 may result in the disclosure of POSTed content from a previous request. Since the relationship between the client side resources and server side resources is a linear one, this issue is not something that the Tomcat Security Team views as a vulnerability. Affects: 5.0.0-5.0.30, 5.5.0-5.5.23 released 9 Mar 2007 Fixed in Apache Tomcat 5.5.23, 5.0.SVN Important: Information disclosure CVE-2005-2090 Requests with multiple content-length headers should be rejected as invalid. This was identified by the Tomcat security team on 12 Nov 2010 and made public on 5 Feb 2011. http://lanprolab.net/apache-tomcat/apache-tomcat-6-0-18-error-report.php

All of these mechanisms could be exploited to bypass a security manager. Make sure the default servlet is configured not to serve index pages when a welcome file is not present. Further details on logging configuration can be found in the tomcat logging documentation. This was fixed in revision 1022560.

Apache Tomcat/5.5.35 Exploit

Patch provided by Jesus Marin. (markt, rjung) 46990: Fix synchronization issues in cluster membership reported by FindBugs. The Javadoc generation for releases was fixed in revision 1557724. This was fixed in revision 1417891. Provide the ability to edit the roles for the added user.

In some circumstances disabling renegotiation may result in some clients being unable to access the application. This was identified by Polina Genova on 14 June 2011 and made public on 27 June 2011. Original patch provided by Ray Sauers with improvements by Ian Ward Comfort. (markt) 44673: Throw IOE if ServletInputStream is closed and a call is made to any read(), ready(), mark(), reset(), Apache Tomcat/5.5.35 Exploit Db Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko) Jasper 49935: Handle compilation of recursive tag files. (markt) Cluster Improve sending an access message in

add %{Set-Cookie}o to your pattern). (pero) Jasper 2500: FileNotFoundException within a JSP pages resulted in a 404 rather than a 500. (markt) 37326: No error reported when an included page does Based on a patch provided by Chris Halstead. (markt) 40929: Correct JavaDoc for StandardCalssLoader. (markt) 41008: Allow POST to be used for indexed queries with CGI Servlet. Affects: 6.0.0-6.0.39 Low: Information Disclosure CVE-2014-0119 In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default https://tomcat.apache.org/tomcat-5.5-doc/changelog.html mysql/postgresql user) make sure the Tomcat configuration files are only accessible to the tomcat user Acknowledgements The author would like to thank Kris Easter, Michel Prunet and Stephen More for their

Thank you. 11 February 2016 Fixed in Apache Tomcat 6.0.45 Low: Limited directory traversal CVE-2015-5174 This issue only affects users running untrusted web applications under a security manager. Apache Tomcat Multiple Content Length Headers Information Disclosure Vulnerability ERROR The requested URL could not be retrieved The following error was encountered while trying to retrieve the URL: http://0.0.0.1/ Connection to 0.0.0.1 failed. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This was first reported to the Tomcat security team on 2 Mar 2009 and made public on 4 Jun 2009.

  • via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt/kkolinko) Coyote 47913: Return the IP address rather than null for getRemoteHost() with the
  • Affects: 6.0.0-6.0.20 Low: Insecure default password CVE-2009-3548 The Windows installer defaults to a blank password for the administrative user.
  • Affects: 6.0.0 to 6.0.44 Moderate: Security Manager bypass CVE-2016-0714 This issue only affects users running untrusted web applications under a security manager.
  • It should also be noted that setting useBodyEncodingForURI="true" has the same effect as setting URIEncoding="UTF-8" when processing requests with bodies encoded with UTF-8.
  • This was discovered by the Tomcat security team on 12 Oct 2010 and made public on 5 Feb 2011.
  • This also makes sure (among other things), that a webapplication isn't able to read/write/execute any file on the local filesystem without enabling it in the catalina.policy file.

Apache Tomcat Security Vulnerabilities

When generating the response for getLocale() and getLocales(), Tomcat now ignores values for Accept-Language headers that do not conform to RFC 2616. Therefore, although users must download 6.0.20 to obtain a version that includes fixes for these issues, 6.0.19 is not included in the list of affected versions. Apache Tomcat/5.5.35 Exploit However, due to regressions such as Bug 58765 the default for mapperContextRootRedirectEnabled was later changed to true since it was viewed that the regression was more serious than the security risk Apache Tomcat Input Validation Security Bypass Vulnerability Further vulnerabilities in the 5.0.x and 5.5.x branches will not be fixed.

This feature is needed to have stable remote access when a firewall is active. this page add x-O(Set-Cookie) to your pattern). (pero) Support logging of current thread name at AccessLogValve (ex. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom In limited circumstances these bugs may allow a rogue web application to view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance. Apache Tomcat 5.5.23 Free Download

Hoerner Sr. (yoavs) 40326: stop using File#deleteOnExit in DefaultServlet to avoid JVM memory leak, as suggested by quartz. (yoavs) 40192: update setup.html notes regarding Windows tray icon. (yoavs) 40177: add more Be aware of which branch you have deployed, and track new releases within that branch. Add DetailPrint statements for operations that may take time. get redirected here Remove CATALINA_HOME/conf/Catalina/localhost/host-manager.xml and CATALINA_HOME/conf/Catalina/localhost/manager.xml (again, if you are keeping the manager application, do not remove this).

In some circumstances this lead to the leaking of information such as session ID to an attacker. Tomcat 5.5 Download This is disabled by default. Hence, only versions 6.0.21 onwards are listed as vulnerable.

Affects: 5.5.0-5.5.28 This was first reported to the Tomcat security team on 26 Oct 2009 and made public on 9 Nov 2009.

Patch provided by sebb. (kkolinko) 50413: Ensure 304s are not returned when using static files as error pages. (markt/kkolinko) Avoid unnecessary cast in StandardContext. (markt) 50460: Avoid a possible memory leak First, is the WAR actually deployed in "VMS_Offer_Generator"? If you need help on building or configuring Tomcat or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Tomcat Apache Tomcat 5.5 20 Vulnerabilities posted 2 years ago OK, I'll skip the traditional speech about user-defined logins being security disasters.

This was fixed in revision 1603628. This was fixed in revision 902650. These objects are not recycled at exactly the same time. useful reference Fortunately, this is simple to accomplish.

Reject chunks whose header is incorrect. (kkolinko) Webapps 52641: Remove mentioning of ldap.jar from docs. Based on a proposal by Andras Rozsa. (kkolinko/jim) 53531: Better checking and improved error messages for directory creation during automatic deployment. (schultz/kkolinko) Various improvements to the DIGEST authenticator including 52954, the This was fixed in revisions 1221282, 1224640 and 1228191. This directory traversal is limited to the docBase of the web application.

The BIO connector is vulnerable if the JSSE version used is vulnerable. This enabled a XSS attack. This was fixed in revision 1356208. However, due to a coding error, the read-only setting was not applied.

This was fixed in revision 892815. This was first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. This directory is used for a variety of temporary files such as the intermediate files generated when compiling JSPs to Servlets.

This was fixed in revision 1159346. This was fixed in revision 1057270. Affects: 5.5.0 (5.0.x unknown) Not a vulnerability in Tomcat Important: Remote Denial Of Service CVE-2010-4476 A JVM bug could cause Double conversion to hang JVM when accessing to a form based When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers and several components do not reject the request and

Affects: 5.0.0-5.0.30, 5.5.0-5.5.24 Low: Cross-site scripting CVE-2007-3386 The Host Manager Servlet did not filter user supplied data before display. It should be set to false (the default) to protect against this vulnerability. Note that it is recommended that the examples web application is not installed on a production system.