Author: markt
Date: Wed Dec 9 16:29:54 2009
New Revision: 888860

URL: http://svn.apache.org/viewvc?rev=888860&view=rev
Log:
Add some info on CVE-2009-3555

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=888860&r1=888859&r2=888860&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Dec 9 16:29:54 2009
@@ -1104,6 +1104,39 @@ <td> <p> <blockquote> + + <p> +<strong>TLS SSL Man In The Middle</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"> + CVE-2009-3555</a> +</p> + + <p>A vulnerability exists in the TLS protocol that allows an attacker to + inject arbitrary requests into an TLS stream during renegotiation.</p> + + <p>The TLS implementation used by Tomcat varies with connector. The blocking + IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation + provided by the JVM. The APR/native connector uses OpenSSL.</p> + + <p>The BIO connector is vulnerable if the JSSE version used is vulnerable. + To workaround this until a fix is available in JSSE, a new connector + attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to + the BIO connector. It should be set to <code>false</code> (the default) + to protect against this vulnerability. The attribute will be available in + Tomcat 6.0.21 onwards.</p> + + <p>The NIO connector is not vulnerable as it does not support + renegotiation.</p> + + <p>The APR/native connector is vulnerable if the OpenSSL version used is + vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation + and protect against this vulernability.</p> + + <p>Users should be aware that the impact of disabling renegotiation will + vary with both application and client. In some circumstances disabling + renegotiation may result in some clients being unable to access the + application.</p> + <p> <strong>JavaMail information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754"> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=888860&r1=888859&r2=888860&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Wed Dec 9 16:29:54 2009 
@@ -842,7 +842,40 @@ <td> <p> <blockquote> - <p> + + <p> +<strong>TLS SSL Man In The Middle</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"> + CVE-2009-3555</a> +</p> + + <p>A vulnerability exists in the TLS protocol that allows an attacker to + inject arbitrary requests into an TLS stream during renegotiation.</p> + + <p>The TLS implementation used by Tomcat varies with connector. The blocking + IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation + provided by the JVM. The APR/native connector uses OpenSSL.</p> + + <p>The BIO connector is vulnerable if the JSSE version used is vulnerable. + To workaround this until a fix is available in JSSE, a new connector + attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to + the BIO connector. It should be set to <code>false</code> (the default) + to protect against this vulnerability. The attribute will be available in + Tomcat 6.0.21 onwards.</p> + + <p>The NIO connector is not vulnerable as it does not support + renegotiation.</p> + + <p>The APR/native connector is vulnerable if the OpenSSL version used is + vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation + and protect against this vulernability.</p> + + <p>Users should be aware that the impact of disabling renegotiation will + vary with both application and client. 
In some circumstances disabling + renegotiation may result in some clients being unable to access the + application.</p> + + <p> <strong>important: Directory traversal</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"> CVE-2008-2938</a> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=888860&r1=888859&r2=888860&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Wed Dec 9 16:29:54 2009 
@@ -504,6 +504,37 @@ </section> <section name="Not a vulnerability in Tomcat"> + + <p><strong>TLS SSL Man In The Middle</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"> + CVE-2009-3555</a></p> + + <p>A vulnerability exists in the TLS protocol that allows an attacker to + inject arbitrary requests into an TLS stream during renegotiation.</p> + + <p>The TLS implementation used by Tomcat varies with connector. The blocking + IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation + provided by the JVM. The APR/native connector uses OpenSSL.</p> + + <p>The BIO connector is vulnerable if the JSSE version used is vulnerable. + To workaround this until a fix is available in JSSE, a new connector + attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to + the BIO connector. It should be set to <code>false</code> (the default) + to protect against this vulnerability. The attribute will be available in + Tomcat 6.0.21 onwards.</p> + + <p>The NIO connector is not vulnerable as it does not support + renegotiation.</p> + + <p>The APR/native connector is vulnerable if the OpenSSL version used is + vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation + and protect against this vulernability.</p> + + <p>Users should be aware that the impact of disabling renegotiation will + vary with both application and client. 
In some circumstances disabling + renegotiation may result in some clients being unable to access the + application.</p> + <p><strong>JavaMail information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754"> CVE-2005-1754</a></p> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=888860&r1=888859&r2=888860&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Wed Dec 9 16:29:54 2009 
@@ -401,7 +401,38 @@ </section> <section name="Not a vulnerability in Tomcat"> - <p><strong>important: Directory traversal</strong> + + <p><strong>TLS SSL Man In The Middle</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"> + CVE-2009-3555</a></p> + + <p>A vulnerability exists in the TLS protocol that allows an attacker to + inject arbitrary requests into an TLS stream during renegotiation.</p> + + <p>The TLS implementation used by Tomcat varies with connector. The blocking + IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation + provided by the JVM. The APR/native connector uses OpenSSL.</p> + + <p>The BIO connector is vulnerable if the JSSE version used is vulnerable. + To workaround this until a fix is available in JSSE, a new connector + attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to + the BIO connector. It should be set to <code>false</code> (the default) + to protect against this vulnerability. The attribute will be available in + Tomcat 6.0.21 onwards.</p> + + <p>The NIO connector is not vulnerable as it does not support + renegotiation.</p> + + <p>The APR/native connector is vulnerable if the OpenSSL version used is + vulnerable. Building with OpenSSL 0.9.8l will disable all renegotiation + and protect against this vulernability.</p> + + <p>Users should be aware that the impact of disabling renegotiation will + vary with both application and client. In some circumstances disabling + renegotiation may result in some clients being unable to access the + application.</p> + + <p><strong>important: Directory traversal</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"> CVE-2008-2938</a></p>
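Review bot: in the docs/security-5.html hunk (@@ -1104) the BIO workaround paragraph ends with "The attribute will be available in Tomcat 6.0.21 onwards", but this is the Tomcat 5.5 security page, so the sentence points 5.5 users at a release of a different branch; either name the 5.5.x release that carries `allowUnsafeLegacyRenegotiation`, or state plainly that 5.5 has no connector-level workaround and that a fixed JSSE (or APR/native built against OpenSSL 0.9.8l, as the later paragraph describes) is the only protection. The same paragraph block also carries two typos that are repeated in every copy of this text: "inject arbitrary requests into an TLS stream" should read "into a TLS stream", and "protect against this vulernability" should read "vulnerability".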
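Review bot: the docs/security-6.html hunk (@@ -842) deletes the existing "- <p>" line and re-adds an identical "+ <p>" after the new block, so the diff churns a line that did not change; insert the new entry above the unchanged "<p>" and leave it as context. On content, the BIO paragraph tells readers to set `allowUnsafeLegacyRenegotiation` to `false` (the default) while saying the attribute only exists from 6.0.21 onwards; add a sentence for users of 6.0.20 and earlier, who have no such attribute and remain exposed until their JSSE is fixed or they move to a connector the text describes as unaffected. The "an TLS stream" and "vulernability" typos are present here as well.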
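Review bot: the xdocs/security-5.xml hunk (@@ -504) contains the same "Tomcat 6.0.21 onwards" sentence and the same two typos as the docs/security-5.html hunk above it; the docs/ HTML added in this commit is a verbatim copy of this xdocs text, so make the corrections in this xdocs source and regenerate the HTML rather than editing both copies by hand, otherwise the two will drift apart on the next change.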
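Review bot: the xdocs/security-6.xml hunk (@@ -401) removes "- <p><strong>important: Directory traversal</strong>" and adds the identical line back as its last "+" line; anchor the insertion before that line and keep it as context so the hunk records only the new entry. Beyond the "an TLS stream" and "vulernability" typos shared with the other three copies, the APR/native paragraph makes protection depend on "the OpenSSL version used" without telling the reader how to find out which OpenSSL their APR/native library was built against; a short pointer to where that is reported would make the advice actionable.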