Synopsis
The remote web server is affected by multiple vulnerabilities.

Description
The version of Apache Tomcat installed on the remote host is affected by multiple vulnerabilities :
- A username enumeration vulnerability exists when FORM based authentication with either the MemoryRealm, DataSourceRealm, or JDBCRealm is used. (CVE-2009-0580)
- A denial of service exists if Tomcat receives a request with invalid headers via the Java AJP connector. (CVE-2009-0033)
- A remote information-disclosure vulnerability exists in the 'RequestDispatcher' that can be exploited to gain access to content in the 'WEB-INF' directory. (CVE-2008-5515)
- It is possible for a web application to replace the XML parser used by Tomcat to process 'web.xml', 'context.xml', and 'tld' files.
Solution
Upgrade to Apache Tomcat 4.1.40 / 5.5.28 / 6.0.20.