Bug 708969 (CVE-2011-1475)

Summary: CVE-2011-1475 tomcat: Information disclosure due improper handling of HTTP pipelining
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: djorm, dknox, jdennis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-31 07:58:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2011-05-30 09:50:50 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1475 to
the following vulnerability:

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly
handle HTTP pipelining, which allows remote attackers to read responses
intended for other clients in opportunistic circumstances by examining
the application data in HTTP packets, related to "a mix-up of responses
for requests from different users."

References:
[1]  http://www.securityfocus.com/archive/1/517363
[2]  http://seclists.org/fulldisclosure/2011/Apr/97
[3]  https://issues.apache.org/bugzilla/show_bug.cgi?id=50957
[4]  http://svn.apache.org/viewvc?view=revision&revision=1086349
[5]  http://svn.apache.org/viewvc?view=revision&revision=1086352
[6]  http://tomcat.apache.org/security-7.html
[7]  http://www.securityfocus.com/bid/47199
[8]  http://www.securitytracker.com/id?1025303
[9]  http://www.vupen.com/english/advisories/2011/0894
[10] http://xforce.iss.net/xforce/xfdb/66676
Comment 5 David Jorm 2011-05-31 07:51:38 UTC 
Statement CVE-2011-1475:

Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3, Red Hat Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web Server 1.0. It also did not affect the versions of jbossweb as shipped with JBoss Enterprise Application Platform 4.3.0 and earlier versions, as this flaw only affects Apache Tomcat 7.0.0 to 7.0.11.