Apache Tomcat jsp应用服务器程序头信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1183133 漏洞类型 信息泄露
发布时间 2009-04-07 更新时间 2010-01-12
CVE编号 CVE-2008-5519 CNNVD-ID CNNVD-200904-187
漏洞平台 N/A CVSS评分 2.6
|漏洞来源
https://www.securityfocus.com/bid/34412
https://cxsecurity.com/issue/WLB-2009040168
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-187
|漏洞详情
Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。 如果恶意客户端向Apache Tomcat服务器的mod_jk模块提交了Content-Length头为空的恶意请求,或在短时间内反复提交相同的请求的话,就可以查看其他用户请求相关的响应。
|漏洞EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability announcement:
CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
mod_jk 1.2.0 to 1.2.26

Description:
Situations where faulty clients set Content-Length without providing
data, or where a user submits repeated requests very quickly may permit
one user to view the response associated with a different user's request.

Mitigation:
Upgrade to mod_jk 1.2.27 or later

Example:
See description

Credit:
This issue was discovered by the Red Hat Security Response Team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-jk.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ27rAb7IeiTPGAkMRAlsDAJ9qqKPiFnh+rxaxzMZmKIFA5Q5r5QCg2N84
OzL54gpA6e272kokWjK4wZU=
=GKVO
-----END PGP SIGNATURE-----
|受影响的产品
SuSE SUSE Linux Enterprise 11 SuSE Linux 9 SuSE Linux 11 SuSE Linux 10.0 Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 10_x86 Sun Solaris
|参考资料

来源:bugzilla.redhat.com
链接:https://bugzilla.redhat.com/show_bug.cgi?id=490201
来源:VUPEN
名称:ADV-2009-0973
链接:http://www.vupen.com/english/advisories/2009/0973
来源:BID
名称:34412
链接:http://www.securityfocus.com/bid/34412
来源:BUGTRAQ
名称:20090407[SECURITY]CVE-2008-5519:ApacheTomcatmod_jkinformationdisclosurevulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/502530/100/0/threaded
来源:REDHAT
名称:RHSA-2009:0446
链接:http://www.redhat.com/support/errata/RHSA-2009-0446.html
来源:MLIST
名称:[oss-security]20090408CVE-2008-5519:mod_jksessioninformationleakvulnerability
链接:http://www.openwall.com/lists/oss-security/2009/04/08/10
来源:DEBIAN
名称:DSA-1810
链接:http://www.debian.org/security/2009/dsa-1810
来源:tomcat.apache.org
链接:http://tomcat.apache.org/security-jk.html
来源:tomcat.apache.org
链接:http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
来源:svn.eu.apache.org
链接:http://svn.eu.apache.org/viewvc?view=rev&revision=702540
来源:svn.eu.apache.org
链接:http://svn.eu.apache.org/viewvc/tomcat/c