JVNDB-2005-000804
|
Tomcat vulnerable in request processing
|
Apache Tomcat, an implementation of the Java Servlet and JavaServer Pages technologies, contains a vulnerability in processing specific requests.
To avoid this vulnerability, use a connector other than the AJP 1.3 Connector when connecting Apache Tomcat to a web server. Apache Tomcat supports the Coyote JK Connector and the Coyote HTTP/1.1 Connector.
|
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
Apache Software Foundation
- Apache Tomcat 4.1.31 and earlier connected to a web server using the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector)
Apple Inc.
- Apple Mac OS X v10.4.11
- Apple Mac OS X Server v10.4.11
Sun Microsystems, Inc.
- Sun Solaris 10 (sparc)
- Sun Solaris 10 (x86)
- Sun Solaris 9 (sparc)
- Sun Solaris 9 (x86)
MIRACLE LINUX CORPORATION
- Asianux Server 2.0
- Asianux Server 2.1
NEC Corporation
- WebOTX Application Server Ver.4.2
- WebOTX Application Server Ver.5.1 - 5.3
- WebSAM SystemManager R2.x
- Spectral Wave Manager Series for MG series
- Spectral Wave Manager Series U-Node Network Element Manager
- Spectral Wave Manager Series HLS 2.4G NE-OpS
Hitachi, Ltd
- Cosminexus Application Server Version5
- Cosminexus Application Server Standard Version6
- Cosminexus Application Server Enterprise Version6
- Cosminexus Developer Version5
- Cosminexus Developer Light Version6
- Cosminexus Developer Standard Version6
- Cosminexus Developer Professional Version6
- Cosminexus Primary Server Base Version5
- Cosminexus Primary Server Version6
- Cosminexus Primary Server Base Version6
- Embedded Cosminexus Server Version5
- Embedded Cosminexus Server Base Version5
FUJITSU
- Campusmate/Portal
- Internet Navigware Server
- Interstage Application Framework Suite
- Interstage Application Server
- Interstage Business Application Server
- Interstage Job Workload Server
- Interstage List Manager
|
|
A remote attacker could cause a request to be processed with another user's information, or view other users' information.
|
The Apache Software Foundation no longer supports the AJP 1.3 Connector and recommends the Coyote JK Connector instead. It also recommends that users upgrade from Tomcat 4.x to Tomcat 5.x.
The Information-technology Promotion Agency, Japan (IPA) has created a patch for the AJP 1.3 Connector (org.apache.ajp.tomcat4.Ajp13Connector) in Tomcat 4.1.31. The patch is available at the links in the References.
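As an added example (not part of this JVN record or of the Tomcat project's own documentation), the server.xml change the workaround above describes: the affected AJP 1.3 Connector definition beside a Coyote JK Connector definition for the same listener port. The port number and the surrounding attributes are assumptions taken from the layout of the Tomcat 4.1 default server.xml; only the two class names are the point.

```xml
<!-- Before (affected): Tomcat 4.1.31 fronted by a web server through the AJP 1.3 Connector.
     A quick check is to search server.xml for the class name org.apache.ajp.tomcat4.Ajp13Connector. -->
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
           port="8009" minProcessors="5" maxProcessors="75"
           acceptCount="10" debug="0"/>

<!-- After (mitigated): the same AJP listener port, now handled by the Coyote JK Connector,
     which is the connector the Apache Software Foundation recommends for Tomcat 4.1.
     Port and attribute values are assumptions; keep the ones already in your server.xml. -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8009" minProcessors="5" maxProcessors="75"
           enableLookups="true" redirectPort="8443"
           acceptCount="10" debug="0" connectionTimeout="0"
           useURIValidationHack="false"
           protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
```

After the change, restart Tomcat and confirm the web server's AJP 1.3 connection to the configured port still works.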
|
Apache Software Foundation
Apple Inc.
Sun Microsystems, Inc.
- Sun Alert Notification : 239312
MIRACLE LINUX CORPORATION
NEC Corporation
- NEC Security Information : NV05-028 (Japanese)
Hitachi, Ltd
- Hitachi Software Vulnerability Information : HS05-019
FUJITSU
|
- Information Exposure(CWE-200) [NVD Evaluation]
|
- CVE-2005-3164
|
- JVN : JVN#79314822
- National Vulnerability Database (NVD) : CVE-2005-3164
- Secunia Advisory : SA17019
- SecurityFocus : 15003
|
[2008/05/21]
Web page published
[2008/06/06]
Affected Products : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
Vendor Information : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
[2008/07/04]
Affected Products : Added Apple Inc. (Security Update 2008-004).
Affected Products : Added Sun Microsystems, Inc. (239312).
Vendor Information : Added Apple Inc. (Security Update 2008-004).
Vendor Information : Added Sun Microsystems, Inc. (239312).
[2008/07/07]
Affected Products : Added FUJITSU (JVN#79314822).
Vendor Information : Added FUJITSU (JVN#79314822).
|