SecurityTracker.com
Category: Application (Web Server/CGI) > Apache Tomcat
Vendors: Apache Software Foundation
Apache Tomcat mod_jk May Disclose Responses to the Wrong User
SecurityTracker Alert ID: 1022001
SecurityTracker URL: http://securitytracker.com/id/1022001
CVE Reference: CVE-2008-5519
Date: Apr 7 2009
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): mod_jk 1.2.0 to 1.2.26
Description: A vulnerability was reported in Apache Tomcat mod_jk. A remote user can obtain responses intended for different users.

A remote user can send a quick series of requests with a specially crafted Content-Length value but no request body to potentially view the response to a different user's request.

The Red Hat Security Response Team reported this vulnerability.

Impact: A remote user can obtain responses intended for different users.
Solution: The vendor has issued a fix (mod_jk 1.2.27).
Vendor URL: tomcat.apache.org/security.html
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
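The two checks below are an added example written for this page, not code from SecurityTracker, Red Hat or the mod_jk project. The first tests whether a mod_jk version string falls in the affected range (1.2.0 to 1.2.26, fixed in 1.2.27) using tuple comparison so that 1.2.3 and 1.2.27 sort correctly. The second inspects the raw bytes a front end has received for one HTTP request and reports whether the body promised by Content-Length has actually arrived, the "faulty client sets Content-Length without providing data" condition the advisory names. The sample requests, the host name example.test, and the premise that a front end should not forward a request until its declared body is present (or reject it after a timeout) are constructed here and are assumptions, not a description of mod_jk internals.

```python
"""Defensive checks for the mod_jk response-mixup advisory (added example).

Assumption (not from the advisory): a front end that only forwards a request
once its declared body has fully arrived never hands the backend a request
whose Content-Length is unbacked by data.
"""
import re

AFFECTED_MIN = (1, 2, 0)
AFFECTED_MAX = (1, 2, 26)   # last affected release
FIXED = (1, 2, 27)          # first fixed release, per the advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_mod_jk_version(text):
    """Return (major, minor, patch) from 'mod_jk/1.2.26' or '1.2.26'; None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected_mod_jk(text):
    """True when the version in `text` lies in the affected range."""
    version = parse_mod_jk_version(text)
    if version is None:
        raise ValueError("no x.y.z version found in %r" % text)
    # Tuple comparison: (1, 2, 3) < (1, 2, 27), unlike string comparison.
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def request_body_complete(raw):
    """Return (complete, declared_length, received_length) for raw request bytes.

    complete is True only when the body bytes already received cover the
    declared Content-Length. Requests with no header terminator yet are
    reported incomplete; conflicting Content-Length headers are rejected.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return (False, None, 0)           # headers not finished yet

    declared_values = set()
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            value = value.strip()
            if not value.isdigit():
                raise ValueError("malformed Content-Length: %r" % value)
            declared_values.add(int(value))
    if len(declared_values) > 1:
        raise ValueError("conflicting Content-Length headers")

    declared = declared_values.pop() if declared_values else 0
    return (len(body) >= declared, declared if declared_values or declared else None, len(body))


# Constructed sample requests (not captured traffic).
FAULTY_CLIENT = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 27\r\n\r\n")          # promises 27 bytes, sends none
HONEST_CLIENT = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 27\r\n\r\nuser=alice&password=secret1")


if __name__ == "__main__":
    for label in ("mod_jk/1.2.26", "mod_jk/1.2.27"):
        print(label, "affected" if is_affected_mod_jk(label) else "fixed")
    for name, req in (("faulty", FAULTY_CLIENT), ("honest", HONEST_CLIENT)):
        print(name, request_body_complete(req))
```

A front end would hold a request that returns `complete == False` until more bytes arrive or a read timeout fires, and only then forward it or answer with 400; the version check is what a build or deployment script would run against the `mod_jk` string reported by the module.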

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 23 2009 (Red Hat Issues Fix) Apache Tomcat mod_jk May Disclose Responses to the Wrong User   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Application Stack v2 for Red Hat Enterprise Linux 5.
Jun 26 2009 (Sun Issues Fix) Apache Tomcat mod_jk May Disclose Responses to the Wrong User
Sun has issued a fix for Solaris 9 and 10.
Dec 1 2009 (Red Hat Issues Fix for Red Hat Network Satellite Server) Apache Tomcat mod_jk May Disclose Responses to the Wrong User   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Network Satellite Server 5.1 and 5.2.



Source Message Contents

Date:  Tue, 07 Apr 2009 21:42:40 +0100
Subject:  [SECURITY] CVE-2008-5519: Apache Tomcat mod_jk information disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability announcement:
CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
mod_jk 1.2.0 to 1.2.26

Description:
Situations where faulty clients set Content-Length without providing
data, or where a user submits repeated requests very quickly, may permit
one user to view the response associated with a different user's request.

Mitigation:
Upgrade to mod_jk 1.2.27 or later

Example:
See description

Credit:
This issue was discovered by the Red Hat Security Response Team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-jk.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ27rAb7IeiTPGAkMRAlsDAJ9qqKPiFnh+rxaxzMZmKIFA5Q5r5QCg2N84
OzL54gpA6e272kokWjK4wZU=
=GKVO
-----END PGP SIGNATURE-----
Copyright 2014, SecurityGlobal.net LLC