Bug 399227 (CVE-2011-3375)

Summary: <www-servers/tomcat-6.0.35 Request Object Recycle Security Bypass (CVE-2011-3375)
Product: Gentoo Security
Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/47554/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 395933
Bug Blocks:

Description Michael Harrison 2012-01-17 23:32:39 UTC
A security issue has been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the request object not being recycled before processing the next request when logging certain actions. This can lead to e.g. the remote IP address and HTTP headers being carried forward to the next request and certain policies being bypassed.

The security issue is reported in versions 6.0.30 through 6.0.33.

Solution
Update to version 6.0.35 or later.

Provided and/or discovered by
charlie in a bug report.

Original Advisory
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201201.mbox/%3C4F155CDC.8050804%40apache.org%3E
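The carry-forward described in the report, as an added illustration (this is not code from the bug report, from Secunia, or from Tomcat itself): a single pooled request object caches its remote address and parsed headers lazily, the path that logs and rejects a malformed request reads those fields but skips recycle(), and the next client served by that object inherits the previous client's address and headers, so an address-based policy is evaluated against stale data. The class and function names (Connection, Request, handle_sequence, admin_allowed), the loopback-only admin policy, the "non-numeric Content-Length is logged and rejected" rule, and the sample traffic are all constructed assumptions for the demonstration.

```python
"""Simplified model of the failure mode described in the report: a pooled
request object whose lazily cached fields (remote address, parsed headers)
are not cleared on the logging/rejection path, so the next request served
by the same object sees the previous client's values and an address-based
policy evaluates stale data.

Added example, not Tomcat source: the names below (Connection, Request,
handle_sequence, admin_allowed) and the "invalid Content-Length triggers
the logging path" rule are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass
class Connection:
    """What the connector knows about one incoming request (constructed input)."""
    peer_addr: str
    headers: dict


class Request:
    """Pooled request object, reused across requests for performance.

    Fields are cached lazily on first access from the bound connection and
    must be cleared by recycle() before the object serves another request.
    """

    def __init__(self):
        self._conn = None
        self._remote_addr = None  # lazily cached peer address
        self._headers = None      # lazily cached, case-folded header map

    def bind(self, conn):
        # Binding a new connection does NOT clear the caches; recycle() does.
        self._conn = conn

    def recycle(self):
        self._conn = None
        self._remote_addr = None
        self._headers = None

    def remote_addr(self):
        if self._remote_addr is None:
            self._remote_addr = self._conn.peer_addr
        return self._remote_addr

    def header(self, name):
        if self._headers is None:
            self._headers = {k.lower(): v for k, v in self._conn.headers.items()}
        return self._headers.get(name.lower())


def admin_allowed(req, allow=("127.0.0.1",)):
    """Address-based policy, e.g. a management URL restricted to loopback."""
    return req.remote_addr() in allow


def is_well_formed(conn):
    """Assumed validity rule: a Content-Length header, if present, must be numeric."""
    length = conn.headers.get("Content-Length")
    return length is None or length.isdigit()


def handle_sequence(connections, recycle_on_error):
    """Serve connections one after another through a single pooled Request.

    Returns (results, log): results holds (remote_addr, user_agent,
    admin_decision) per accepted request; log holds the access-log lines
    written for rejected requests. With recycle_on_error=False the reject
    path skips recycle(), reproducing the carry-forward.
    """
    req = Request()
    results, log = [], []
    for conn in connections:
        req.bind(conn)
        if not is_well_formed(conn):
            # Logging the rejection reads the request and populates the caches.
            log.append("rejected request from %s ua=%s"
                       % (req.remote_addr(), req.header("User-Agent")))
            if recycle_on_error:
                req.recycle()  # fixed behaviour: always recycle before reuse
            continue  # buggy behaviour: caches survive into the next request
        results.append((req.remote_addr(), req.header("User-Agent"),
                        admin_allowed(req)))
        req.recycle()
    return results, log


# Constructed traffic: a loopback monitor sends a malformed request, then an
# unrelated remote client hits the management URL, then a normal client.
SAMPLE = [
    Connection("127.0.0.1", {"User-Agent": "monitor/1.0", "Content-Length": "abc"}),
    Connection("203.0.113.5", {"User-Agent": "curl/7.81"}),
    Connection("198.51.100.7", {"User-Agent": "Mozilla/5.0"}),
]


if __name__ == "__main__":
    for flag in (False, True):
        results, log = handle_sequence(SAMPLE, recycle_on_error=flag)
        print("recycle_on_error=%s" % flag, results, log)
```

With recycle_on_error=False the second client (203.0.113.5) is reported as 127.0.0.1 with the monitor's User-Agent and passes the loopback-only check; with recycle_on_error=True it is seen with its own address and headers and is refused. The general lesson for any object-pool design is the same as the fix here: recycle on every exit path, not only the success path.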
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-17 23:56:38 UTC
We need to get the unaffected versions stable before we can go to [glsa?] ;)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:04:34 UTC
CVE-2011-3375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3375):
  Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly
  perform certain caching and recycling operations involving request objects,
  which allows remote attackers to obtain unintended read access to IP address
  and HTTP header information in opportunistic circumstances by reading TCP
  data.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-03-13 21:59:11 UTC
Thanks, folks. GLSA Vote: yes.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-23 13:41:34 UTC
GLSA vote: yes.

Added to existing GLSA request.
Comment 5 Miroslav Šulc gentoo-dev 2012-03-25 20:27:33 UTC
no affected version in the tree anymore
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:13:16 UTC
This issue was resolved and addressed in
 GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml
by GLSA coordinator Tobias Heinlein (keytoaster).