Apache Tomcat POST Data 信息泄露漏洞

https://www.securityfocus.com/bid/33913
https://cxsecurity.com/issue/WLB-2009030075
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-617

ApacheTomcat是应用(java)服务器，它只是一个servlet(jsp也翻译成servlet)容器，可以认为是apache的扩展，但是可以独立于apache运行。ApacheTomcat4.1.32版本至4.1.34版本和5.5.10版本至5.5.20版本的doRead程序在某一错误情况发生时，没有返回一个-1来指示，这会引起Tomcat从一个请求向一个不同的请求发送POST内容。

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-4308: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.32 to 4.1.34
Tomcat 5.5.10 to 5.5.20
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Note: Although this vulnerability affects relatively old versions of
Apache Tomcat, it was only discovered and reported to the Apache Tomcat
Security team in October 2008. Publication of this issue was then
postponed until now at the request of the reporter.

Description:
Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
result in the disclosure of POSTed content from a previous request. For
a vulnerability to exist the content read from the input stream must be
disclosed, eg via writing it to the response and committing the
response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.

Mitigation:
Upgrade to:
4.1.35 or later
5.5.21 or later
6.0.0 or later

Example:
See original bug report for example of how to create the error condition.

Credit:
This issue was discovered by Fujitsu and reported to the Tomcat Security
Team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM
U3IdbfYNVtRIzCW5XTvhv2E=
=rJGg
-----END PGP SIGNATURE-----

Fujitsu INTERSTAGE Studio Standard-J Edition 9.0 Fujitsu INTERSTAGE Studio Enterprise Edition 9.0 Fujitsu INTERSTAGE Application Server Standard-J Edition 9.0 A Fujitsu INTERSTAGE Application Server Stand

来源:VUPEN
名称:ADV-2009-0541
链接:http://www.vupen.com/english/advisories/2009/0541
来源:MISC
链接:https://issues.apache.org/bugzilla/show_bug.cgi?id=40771
来源:BID
名称:33913
链接:http://www.securityfocus.com/bid/33913
来源:BUGTRAQ
名称:20090225[SECURITY]CVE-2008-4308:Tomcatinformationdisclosurevulnerability
链接:http://www.securityfocus.com/archive/1/501250
来源:SECUNIA
名称:34057
链接:http://secunia.com/advisories/34057
来源:JVNDB
名称:JVNDB-2009-000010
链接:http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000010.html
来源:JVN
名称:JVN#66905322
链接:http://jvn.jp/en/jp/JVN66905322/index.html