Apache Tomcat information disclosure vulnerability


Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability.

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
Apache Tomcat contains a vulnerability which may allow information disclosure or access to the contents contained in the WEB-INF directory.

According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
For more information, refer to the developer's website.

Minehiko Iida and Yuichiro Suzuki of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Apache Software Foundation
  • Apache Tomcat 4.1.0 to 4.1.39
  • Apache Tomcat 5.5.0 to 5.5.27
  • Apache Tomcat 6.0.0 to 6.0.18
  • VMware ESX 4.0
  • VMware ESX 3.5
  • VMware ESX 3.0.3
  • VMware Server 2.x
  • VMware vCenter 4.0
  • VMware VirtualCenter 2.5
  • VMware VirtualCenter 2.0.2
Apple Inc.
  • Apple Mac OS X Server v10.5.8
  • Apple Mac OS X Server v10.6 through v10.6.2
Sun Microsystems, Inc.
  • OpenSolaris (SPARC)
  • OpenSolaris (x86)
  • Sun Solaris 10 (SPARC)
  • Sun Solaris 10 (x86)
  • Sun Solaris 9 (SPARC)
  • Sun Solaris 9 (x86)
Hewlett-Packard Development Company, L.P
  • HP-UX Tomcat-based Servlet Engine before
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
  • Asianux Server 3 for x86
  • Asianux Server 3 for x86-64
Red Hat, Inc.
  • Red Hat Enterprise Linux (v.5 server)
  • Red Hat Enterprise Linux Desktop (v.5 client)
  • Red Hat Enterprise Linux EUS (v. 5.3.z server)
  • RHEL Desktop Workstation (v.5 client)
NEC Corporation
  • InfoFrame DocumentSkipper
  • MCOne
  • Interstage Application Framework Suite
  • Interstage Application Server
  • Interstage Apworks
  • Interstage Business Application Server
  • Interstage Job Workload Server
  • Interstage Studio
  • Interstage Web Server


A remote attacker could possibly obtain information such as configuration or user credentials contained in the application which resides under the WEB-INF directory.

[Update the Software]
For Apache Tomcat 6.0.x:
Update to Apache Tomcat 6.0.20 according to the information provided by the developer.

For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, The Apache Tomcat Project has not yet released the latest versions resolving the vulnerability. Users of Apache Tomcat 5.5.x and 4.1.x should obtain the latest source code from svn, or update to Apache Tomcat 5.5.28 and 4.1.40 once they are released.

For more information, refer to the developer's website.
Vendor Information

Apache Software Foundation VMware Apple Inc.
  • Apple Security Updates : HT4077
Oracle Corporation Sun Microsystems, Inc.
  • Sun Alert Notification : 263529
Hewlett-Packard Development Company, L.P MIRACLE LINUX CORPORATION Red Hat, Inc. NEC Corporation
  • NEC Security Information : NV09-008 (Japanese)
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2008-5515

  1. JVN : JVN#63832775
  2. National Vulnerability Database (NVD) : CVE-2008-5515
  3. SecurityFocus : 35263
  4. VUPEN Security : VUPEN/ADV-2009-1520
Revision History

  Web page published
  Affected Products : Added Sun Microsystems, Inc. (263529).
  Affected Products : Added Red Hat, Inc. (RHSA-2009:1164).
  Affected Products : Added NEC Corporation (NV09-008).
  Vendor Information : Added Sun Microsystems, Inc. (263529).
  Vendor Information : Added Red Hat, Inc. (RHSA-2009:1164).
  Vendor Information : Added NEC Corporation (NV09-008).
  Affected Products : Added MIRACLE LINUX CORPORATION  (tomcat5-5.5.23-0jpp.7.2.1AXS3).
  Affected Products : Added MIRACLE LINUX CORPORATION  (1794).
  Vendor Information : Added MIRACLE LINUX CORPORATION  (tomcat5-5.5.23-0jpp.7.2.1AXS3).
  Vendor Information : Added MIRACLE LINUX CORPORATION  (1794).
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02466).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02466).
  Affected Products : Added VMware (VMSA-2009-0016).
  Vendor Information : Added VMware (VMSA-2009-0016).
  Affected Products : Added NEC Corporation (NV09-008).
  Affected Products : Added Apple Inc. (HT4077).
  Affected Products : Added NEC Corporation (NV09-008).
  Vendor Information : Added Apple Inc. (HT4077).
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPUXWSATW313).
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02579).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPUXWSATW313).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02579).
  Vendor Information : Added Oracle Corporation (Multiple vulnerabilities in Oracle Java Web Console).