Bug 399227 (CVE-2011-3375) - <www-servers/tomcat-6.0.35 Request Object Recycle Security Bypass (CVE-2011-3375)
Status: RESOLVED FIXED
Alias: CVE-2011-3375
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/47554/
Whiteboard: B3 [glsa]
Keywords:
Depends on: 395933
Blocks:
Reported: 2012-01-17 23:32 UTC by Michael Harrison
Modified: 2012-06-24 14:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Harrison 2012-01-17 23:32:39 UTC
A security issue has been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the request object not being recycled before processing the next request when logging certain actions. This can lead to e.g. the remote IP address and HTTP headers being carried forward to the next request and certain policies being bypassed.

The security issue is reported in versions 6.0.30 through 6.0.33.

Solution
Update to version 6.0.35 or later.

Provided and/or discovered by
charlie in a bug report.

Original Advisory
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201201.mbox/%3C4F155CDC.8050804%40apache.org%3E
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-17 23:56:38 UTC
We need to get the unaffected versions stable before we can go to [glsa?] ;)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:04:34 UTC
CVE-2011-3375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3375):
  Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly
  perform certain caching and recycling operations involving request objects,
  which allows remote attackers to obtain unintended read access to IP address
  and HTTP header information in opportunistic circumstances by reading TCP
  data.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-03-13 21:59:11 UTC
Thanks, folks. GLSA Vote: yes.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-23 13:41:34 UTC
GLSA vote: yes.

Added to existing GLSA request.
Comment 5 Miroslav Šulc gentoo-dev 2012-03-25 20:27:33 UTC
No affected version in the tree anymore.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:13:16 UTC
This issue was resolved and addressed in GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml by GLSA coordinator Tobias Heinlein (keytoaster).