
Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The version of Apache Tomcat installed on the remote host is affected by multiple vulnerabilities:

- A username enumeration vulnerability exists when FORM based authentication with either the MemoryRealm, DataSourceRealm, or JDBCRealm is used. (CVE-2009-0580)

- A denial of service exists if Tomcat receives a request with invalid headers via the Java AJP connector. (CVE-2009-0033)

- A remote information-disclosure vulnerability exists in the 'RequestDispatcher' that can be exploited to gain access to content in the 'WEB-INF' directory. (CVE-2008-5515)

- It is possible for a web application to replace the XML parser used by Tomcat to process 'web.xml', 'context.xml', and 'tld' files.

Solution

Upgrade to Apache Tomcat 4.1.40 / 5.5.28 / 6.0.20.
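The fixed releases above are per branch, so a plain string comparison against one number is not enough: 5.5.27 is vulnerable while 6.0.20 is not, even though "6" sorts after "5". The following is an added example, not part of the plugin text, that extracts a Tomcat version from a constructed Server banner or a bare version string and decides, per branch, whether it falls below the fixed release named in the Solution. The branch-to-fix mapping is taken from the advisory; the sample inventory strings are constructed.

```python
# Added example: branch-aware check of an Apache Tomcat version against the
# fixed releases in the advisory (4.1.40 / 5.5.28 / 6.0.20). Not Tenable's
# plugin code; sample banners and version strings below are constructed.
import re

# Fixed versions from the Solution section, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (4, 1): (4, 1, 40),
    (5, 5): (5, 5, 28),
    (6, 0): (6, 0, 20),
}

# Matches "6.0.18" or "Apache Tomcat/6.0.18" (trailing suffixes tolerated).
_VERSION_RE = re.compile(r"(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version string or a
    Server-style banner such as 'Apache Tomcat/6.0.18'."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version is on a covered branch and older than that branch's
    fixed release, False if it is at or after the fix, None if the advisory
    does not cover the branch (e.g. 7.x) and a separate check is needed."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def triage(banners):
    """Sort a list of banners / version strings (e.g. from an asset inventory)
    into affected, fixed and not-covered buckets, preserving input order."""
    result = {"affected": [], "fixed": [], "not_covered": []}
    for b in banners:
        status = is_affected(b)
        if status is None:
            result["not_covered"].append(b)
        elif status:
            result["affected"].append(b)
        else:
            result["fixed"].append(b)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    sample = [
        "Apache Tomcat/6.0.18", "6.0.20",
        "5.5.27", "Apache Tomcat/5.5.28",
        "4.1.39", "4.1.40",
        "Apache Tomcat/7.0.0",
    ]
    for bucket, items in triage(sample).items():
        print("%-12s %s" % (bucket + ":", ", ".join(items)))
```

Treat the result as a version-based indicator only: a banner may be hidden or altered, and a distribution package may carry a backported fix under an older version number, so confirm against the package source or the vendor's patch notes before closing a finding.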