What version of Tomcat is JBOSS 4.2.2GA based on?  

The reason for my question is because some Security Vulnerabilities have been 
identified in Tomcat and we need to know if upgrading to a later version of 
JBOSS will fix our problem.  Here is a description of the vulnerabilities:

7.1 (U) Apache Tomcat 6.0.5 - 6.0.15 Information Disclosure Vulnerability: 
Apache reports that if an exception occurs during the processing of parameters, 
such as the client disconnecting, then it is possible the parameters submitted 
for the request will be incorrectly processed as part of a subsequent request. 
To exploit this vulnerability, an unauthenticated remote attacker would locate 
a site hosting a vulnerable version of the Adobe Tomcat application, then wait 
for an unsuspecting user to transmit data to the server. Once transmitted, the 
attacker would cause the user/client to disconnect during the transmission and 
initiate their own connection with the user's parameters as part of the 
attacker's request. The successful exploitation of this vulnerability could 
allow a remote attacker access to sensitive information which could be used in 
later attacks. 

7.2 (U) Apache Tomcat Data Integrity Vulnerability: Apache reports several 
versions of Tomcat (5.5.11 - 5.5.25 and 6.0.0 - 6.0.15) do not properly handle 
an empty request to an SSL port using netcat when the native Apache Portable 
Runtime (APR) connector is used. The successful exploitation of this 
vulnerability could allow an unauthenticated remote attacker to trigger a 
handling of "a duplicate copy of one of the recent requests".

7.3 (U) Apache Tomcat WebDAV Servlet Information Disclosure Vulnerability: 
Apache reports an information disclosure vulnerability associated with the 
WebDAV servlet in several Tomcat versions (4.0.0 - 4.0.6, 4.1.0, 5.0.0, 5.5.0 - 
5.5.25, and 6.0.0 - 6.0.14). When the WebDAV servlet is configured for use with 
a context and has been enabled for write, some WebDAV requests that specify an 
entity with a SYSTEM tag can result in the disclosure of information to the 
client issuing the request. To exploit this vulnerability, an authenticated 
remote attacker could gain access to a vulnerable webserver and could create a 
maliciously crafted HTTP WebDAV Lock request for a file that the attacker has 
permissions to access, as well as referencing another remote file. The WebDAV 
'Lock' function would process the attacker's request, making the remote file 
available to them. 

Note: An exploit code has been developed for this vulnerability which is 
publicly available.

7.4 (U) Apache Tomcat JULI Vulnerability: Apache reports that the default 
catalina.policy in the JULI logging component in several Tomcat versions (5.5.9 
- 5.5.25 and 6.0.0 - 6.0.15) does not restrict certain permissions for web 
applications. To exploit this vulnerability, an unauthenticated local attacker 
would construct a maliciously crafted Java web application which could contain 
a malicious logging configuration which is designed to leverage this 
vulnerability. The attacker would then gain local, interactive access to a 
vulnerable webserver, and then install and execute the malicious application. 
The application would write the log files, using the permissions of the user 
running the server. The successful exploitation of this vulnerability could 
allow an attacker to modify logging configuration options and overwrite 
arbitrary files, as well as having access to sensitive information.

Note: JULI is enabled by default in Tomcat 6.0, and supports per classloader 
configuration, in addition to the regular global java.util.logging 
configuration.

7.5 (U) Apache Tomcat Session Hi-jacking Vulnerability: Apache reports that 
several versions of Tomcat do not properly handle (1) double quote (") 
characters, or (2) %5C (encoded backslash) sequences in a cookie value. To 
exploit this vulnerability, an unauthenticated remote attacker would need to 
locate a network-accessible instance of a server hosting a vulnerable 
application (6.0.0 - 6.0.14, 5.5.0 - 5.5.25, and 4.1.0 - 4.1.36). A maliciously 
crafted web page or URI would be created by the attacker, to include either or 
both of these conditions, and distribute this webpage/URI to an unsuspecting 
user. When the user views this webpage or follows this URI link, the user's 
server would not be able to properly handle the cookie data, and the user's 
information would be disclosed to the attacker which could enable the attacker 
to ultimately hijack the user's session.


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133296#4133296

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
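The practical question behind this post is whether the Tomcat build bundled with a given JBoss installation falls inside any of the version ranges quoted in the advisory. The following is an added triage helper, not code from the original post or from the JBoss project: it reads the `server.info` stamp that Tomcat (and JBoss Web, the Tomcat fork bundled with JBoss 4.2.x) keeps in `org/apache/catalina/util/ServerInfo.properties` inside its jar, and checks the parsed version against the ranges listed under items 7.1 to 7.5 above. The jar location under a JBoss install (assumed here to be `server/<config>/deploy/jboss-web.deployer/jbossweb.jar` for 4.2.x) and the sample jar built in memory for the offline demo are assumptions; a real JBoss Web jar stamps its own release number rather than the upstream Tomcat version it was forked from, so in that case the vendor's release notes are still needed to map it back to a Tomcat version.

```python
import io
import re
import sys
import zipfile

# Entry Tomcat uses for its version stamp inside catalina.jar (JBoss Web keeps the same layout).
SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"

# Affected ranges exactly as quoted in the advisory items above: item -> list of (low, high).
ADVISORY_RANGES = {
    "7.1 info disclosure": [("6.0.5", "6.0.15")],
    "7.2 data integrity (APR)": [("5.5.11", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.3 WebDAV": [("4.0.0", "4.0.6"), ("4.1.0", "4.1.0"), ("5.0.0", "5.0.0"),
                   ("5.5.0", "5.5.25"), ("6.0.0", "6.0.14")],
    "7.4 JULI": [("5.5.9", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.5 cookie handling": [("6.0.0", "6.0.14"), ("5.5.0", "5.5.25"), ("4.1.0", "4.1.36")],
}


def parse_version(text):
    """Extract the first dotted x.y.z version from a string as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def server_info_from_jar(jar_bytes):
    """Return the server.info value from ServerInfo.properties in a jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if SERVER_INFO_ENTRY not in zf.namelist():
            return None
        for line in zf.read(SERVER_INFO_ENTRY).decode("latin-1").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "server.info":
                return value.strip()
    return None


def affected_items(version):
    """Return the advisory items whose quoted ranges include the given version tuple."""
    hits = []
    for item, ranges in ADVISORY_RANGES.items():
        for low, high in ranges:
            if parse_version(low) <= version <= parse_version(high):
                hits.append(item)
                break  # one matching range is enough for this item
    return hits


def build_sample_jar(server_info):
    """Constructed in-memory jar holding only ServerInfo.properties, for the offline demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO_ENTRY, "server.info=%s\nserver.built=constructed\n" % server_info)
    return buf.getvalue()


def triage(jar_bytes):
    """Return (server.info, parsed version, affected items) for a jar's bytes."""
    info = server_info_from_jar(jar_bytes)
    if info is None:
        return None, None, []
    version = parse_version(info)
    return info, version, affected_items(version)


if __name__ == "__main__":
    # Pass a real jar path (e.g. the assumed jbossweb.jar) to inspect it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar("Apache Tomcat/6.0.14")  # constructed stamp
    info, version, hits = triage(data)
    print("server.info:", info)
    print("version:", version)
    print("advisory items covering this version:", hits or "none")
```

Run it against the bundled jar to get a list of which quoted items apply; an empty list means the stamped version lies outside every range the advisory names, which is only as authoritative as the ranges themselves.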
