Tomcat vulnerable in request processing


Apache Tomcat, an implementation of the Java Servlet and JavaServer Pages technologies, contains a vulnerability in processing specific requests.

To avoid this vulnerability, use a connector other than the AJP 1.3 Connector when connecting Apache Tomcat to a web server. Apache Tomcat supports the Coyote JK Connector and the Coyote HTTP/1.1 Connector.
CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Apache Software Foundation
  • Apache Tomcat 4.1.31 and earlier connected to a web server using the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector)
Apple Inc.
  • Apple Mac OS X v10.4.11
  • Apple Mac OS X Server v10.4.11
Sun Microsystems, Inc.
  • Sun Solaris 10 (sparc)
  • Sun Solaris 10 (x86)
  • Sun Solaris 9 (sparc)
  • Sun Solaris 9 (x86)
  • Asianux Server 2.0
  • Asianux Server 2.1
NEC Corporation
  • WebOTX Application Server Ver.4.2
  • WebOTX Application Server Ver.5.1 - 5.3
  • WebSAM SystemManager R2.x
  • Spectral Wave Manager Series for MG series
  • Spectral Wave Manager Series U-Node Network Element Manager
  • Spectral Wave Manager Series HLS 2.4G NE-OpS
Hitachi, Ltd
  • Cosminexus Application Server Version5
  • Cosminexus Application Server Standard Version6
  • Cosminexus Application Server Enterprise Version6
  • Cosminexus Developer Version5
  • Cosminexus Developer Light Version6
  • Cosminexus Developer Standard Version6
  • Cosminexus Developer Professional Version6
  • Cosminexus Primary Server Base Version5
  • Cosminexus Primary Server Version6
  • Cosminexus Primary Server Base Version6
  • Embedded Cosminexus Server Version5
  • Embedded Cosminexus Server Base Version5
  • Campusmate/Portal
  • Internet Navigware Server
  • Interstage Application Framework Suite
  • Interstage Application Server
  • Interstage Business Application Server
  • Interstage Job Workload Server
  • Interstage List Manager


A remote attacker could execute an illegal request using other users' information or view other users' information.

The Apache Software Foundation currently does not support the AJP 1.3 Connector and recommends using the Coyote JK Connector instead. It also recommends that users upgrade from Tomcat 4.x to Tomcat 5.x.

The Information-technology Promotion Agency, Japan (IPA) has created a patch for the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector) for Tomcat 4.1.31. The patch is available at the links in the References.
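
To find installations that still need the connector change described above, the following added example (not part of the original advisory or of Tomcat) audits a server.xml for active connectors using the affected class. The Coyote class names and the sample file are assumptions based on a stock Tomcat 4.1 configuration; the sample is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Affected class name, as given in this advisory's Affected Products entry.
LEGACY_AJP13 = "org.apache.ajp.tomcat4.Ajp13Connector"
# Assumption: Coyote class names as used in a stock Tomcat 4.1 server.xml.
COYOTE = "org.apache.coyote.tomcat4.CoyoteConnector"
JK_HANDLER = "org.apache.jk.server.JkCoyoteHandler"

# Constructed sample configuration (names and ports are illustrative only).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"/>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8009"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
    <!-- <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8010"/> -->
  </Service>
  <Service name="Legacy-Apps">
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8019"/>
  </Service>
</Server>"""

def classify(connector):
    """Label one <Connector> element by the implementation it loads."""
    cls = connector.get("className", "")
    if cls == LEGACY_AJP13:
        return "legacy-ajp13"
    if cls == COYOTE:
        handler = connector.get("protocolHandlerClassName", "")
        return "coyote-jk" if handler == JK_HANDLER else "coyote-http"
    return "other"

def audit(server_xml):
    """Return (service, port, kind) for every active connector.
    Parsing the XML, rather than grepping, skips commented-out connectors."""
    root = ET.fromstring(server_xml)
    return [(svc.get("name"), conn.get("port"), classify(conn))
            for svc in root.iter("Service")
            for conn in svc.iter("Connector")]

def legacy_connectors(server_xml):
    """Connectors that should be replaced with the Coyote JK Connector."""
    return [f for f in audit(server_xml) if f[2] == "legacy-ajp13"]

if __name__ == "__main__":
    for service, port, kind in audit(SAMPLE_SERVER_XML):
        flag = "REPLACE" if kind == "legacy-ajp13" else "ok"
        print(f"{flag:8} service={service} port={port} type={kind}")
```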
Vendor Information

Apache Software Foundation
Apple Inc.
Sun Microsystems, Inc.
  • Sun Alert Notification : 239312
  • NEC Security Information : NV05-028 (Japanese)
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS05-019
CWE

  1. Information Exposure (CWE-200) [NVD Evaluation]
CVE

  1. CVE-2005-3164

  1. JVN : JVN#79314822
  2. National Vulnerability Database (NVD) : CVE-2005-3164
  3. Secunia Advisory : SA17019
  4. SecurityFocus : 15003
Revision History

  • [2008/05/21]
      Web page published
      Affected Products : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
      Vendor Information : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
      Affected Products : Added Apple Inc. (Security Update 2008-004).
      Affected Products : Added Sun Microsystems, Inc. (239312).
      Vendor Information : Added Apple Inc. (Security Update 2008-004).
      Vendor Information : Added Sun Microsystems, Inc. (239312).
      Affected Products : Added FUJITSU (JVN#79314822).
      Vendor Information : Added FUJITSU (JVN#79314822).