[Japanese]

JVNDB-2008-000069

Apache Tomcat allows access from a non-permitted IP address

Overview

Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-premitted IP address to gain access.

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context.

This vulnerability was addressed and solved in ASF Bugzilla - Bug 25835. However there was no description regarding this vulnerability in ASF Bugzilla - Bug 25835. Therefore, The Apache Tomcat Development Team has decided to publish an advisory regarding this issue.

Kenichi Tsukamoto of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA.
JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Apache Software Foundation
  • Apache Tomcat 4.1.0 to 4.1.31
  • Apache Tomcat 5.5.0
NEC Corporation
  • WebOTX Application Server
FUJITSU
  • Interstage Application Framework Suite
  • Interstage Application Server
  • Interstage Apworks
  • Interstage Business Application Server
  • Interstage Job Workload Server
  • Interstage Studio
  • Interstage Web Server

Impact

Impact varies depending on the accessed context by the non-permitted IP address. For example information disclosure may be possible as a result.
Solution

[Update the Software]
Apply the latest updates provided by the developer.
The following versions contain a fix of this vulnerability.

Apache Tomcat 4.1.32 and later
Apache Tomcat 5.5.1 and later
For more information, refer to the developer's website.
Vendor Information

Apache Software Foundation NEC Corporation
  • NEC Security Information : NV09-006 (Japanese)
FUJITSU
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2008-3271
References

  1. JVN : JVN#30732239
  2. National Vulnerability Database (NVD) : CVE-2008-3271
  3. Secunia Advisory : SA32234
  4. Secunia Advisory : SA32213
  5. SecurityFocus : 31698
  6. FrSIRT Advisories : FrSIRT/ADV-2008-2793
Revision History

  • [2008/10/10]
      Web page published
    [2009/07/08]
      Affected Products : Added NEC Corporation (NV09-006).
      Vendor Information : Added NEC Corporation (NV09-006).

Date Public2008/10/10
Date First Published2008/10/10
Date Last Updated2009/07/08