Classification: UNCLASSIFIED Caveats: NONE
Team,

Since Tomcat 5.5.34 has not been made available for the current Apache Tomcat Injection Vulnerability (IAVA 2011-B-0114), is there a workaround for this problem until the patch is out? This software is being used on a Windows 2003 Server and the current problem is stated below:

Executive Summary:
Apache Software Foundation has addressed a vulnerability affecting various versions of Apache Tomcat. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. To exploit this vulnerability, a remote attacker would create and send a malicious request to an affected system. If successfully exploited, this vulnerability would allow a remote attacker to bypass security restrictions and obtain access to sensitive information.

Technical Overview:
Apache Tomcat AJP Protocol Security Bypass and Information Disclosure Vulnerability (CVE-2011-3190): Apache Tomcat supports the AJP protocol, which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This permitted an attacker to have full control over the AJP message, permitting authentication bypass and information disclosure.

Again, is there a workaround or a temporary mitigation process that anyone knows of that can be implemented until that patch is made available for download?

Thanks,
Harold Barron

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
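Added illustration of the body-versus-request confusion described in the Technical Overview quoted in the message above; this is example code written for this page, not Tomcat's connector code and not anything from the original poster. The packet builder follows the AJP13 wire format (magic 0x1234, prefix code 0x02 for FORWARD_REQUEST, header code 0xA008 for Content-Length); the URI, addresses, method code and 600-byte body are constructed, and the stateless mode models the general failure to track per-connection request state rather than the exact internal condition that triggered CVE-2011-3190 in Tomcat.

```python
import struct
AJP_MAGIC = b"\x12\x34"           # proxy -> container packets start with 0x1234
FORWARD_REQUEST = 0x02            # AJP13 prefix code announcing a new request
SC_REQ_CONTENT_LENGTH = 0xA008    # AJP13 code for the Content-Length header

def _ajp_str(s: bytes) -> bytes:  # AJP string: 2-byte length, bytes, NUL
    return struct.pack(">H", len(s)) + s + b"\x00"
def _packet(payload: bytes) -> bytes:
    return AJP_MAGIC + struct.pack(">H", len(payload)) + payload
def _read_str(buf: bytes, i: int):  # returns (value, index just past the NUL)
    n = struct.unpack_from(">H", buf, i)[0]
    return buf[i + 2:i + 2 + n], i + 3 + n

def forward_request(method: int, uri: bytes, content_length: int) -> bytes:
    """Constructed minimal FORWARD_REQUEST carrying a single Content-Length header."""
    hdr = struct.pack(">H", SC_REQ_CONTENT_LENGTH) + _ajp_str(str(content_length).encode())
    return _packet(bytes([FORWARD_REQUEST, method]) + _ajp_str(b"HTTP/1.1") + _ajp_str(uri)
                   + _ajp_str(b"192.0.2.10") + _ajp_str(b"") + _ajp_str(b"example.test")
                   + struct.pack(">HBH", 8009, 0, 1) + hdr + b"\xff")  # port, is_ssl, num_headers
def body_chunk(data: bytes) -> bytes:  # body packets: no prefix code, 2-byte length, bytes
    return _packet(struct.pack(">H", len(data)) + data)
def sample_stream() -> bytes:  # constructed: one POST (AJP method code 4) with a 600-byte body
    return forward_request(4, b"/upload", 600) + body_chunk(b"A" * 600)
def _content_length(payload: bytes) -> int:
    i = 2                                   # skip prefix code and method byte
    for _ in range(5):                      # protocol, uri, remote_addr, remote_host, server_name
        _, i = _read_str(payload, i)
    num_headers, i = struct.unpack_from(">H", payload, i + 3)[0], i + 5  # after port, is_ssl
    for _ in range(num_headers):            # assumes coded (0xA0xx) header names, as built above
        code = struct.unpack_from(">H", payload, i)[0]
        value, i = _read_str(payload, i + 2)
        if code == SC_REQ_CONTENT_LENGTH:
            return int(value)
    return 0

def decode(stream: bytes, stateful: bool = True):
    """Stateful: a packet arriving while body bytes are owed is a body chunk. Stateless: trust the prefix byte."""
    events, pending, i = [], 0, 0
    while i < len(stream):
        assert stream[i:i + 2] == AJP_MAGIC, "bad AJP magic at offset %d" % i
        n = struct.unpack_from(">H", stream, i + 2)[0]
        payload, i = stream[i + 4:i + 4 + n], i + 4 + n
        if stateful and pending > 0:
            chunk = struct.unpack_from(">H", payload)[0]
            pending -= chunk
            events.append(("body", chunk))
        else:                               # only FORWARD_REQUEST is modelled here; fail closed otherwise
            assert payload[0] == FORWARD_REQUEST, "unexpected prefix 0x%02x" % payload[0]
            pending = _content_length(payload) if stateful else 0
            events.append(("request", pending))
    return events
```

With a 600-byte body the chunk's two-byte length prefix happens to begin with 0x02, so the stateless decode reports two requests where the stateful one reports one request followed by its body.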