488040 – (CVE-2008-4308) CVE-2008-4308 tomcat information disclosure vulnerability

Bug 488040 (CVE-2008-4308) - CVE-2008-4308 tomcat information disclosure vulnerability

Summary: CVE-2008-4308 tomcat information disclosure vulnerability

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2008-4308
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	488236 488237
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-02 10:22 UTC by Marc Schoenefeld
Modified:	2019-09-29 12:28 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-06-24 02:51:17 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marc Schoenefeld 2009-03-02 10:22:12 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-4308: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.32 to 4.1.34
Tomcat 5.5.10 to 5.5.20
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Note: Although this vulnerability affects relatively old versions of
Apache Tomcat, it was only discovered and reported to the Apache Tomcat
Security team in October 2008. Publication of this issue was then
postponed until now at the request of the reporter.

Description:
Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
result in the disclosure of POSTed content from a previous request. For
a vulnerability to exist the content read from the input stream must be
disclosed, eg via writing it to the response and committing the
response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.

Mitigation:
Upgrade to:
4.1.35 or later
5.5.21 or later
6.0.0 or later

Example:
See original bug report for example of how to create the error condition.

Credit:
This issue was discovered by Fujitsu and reported to the Tomcat Security
Team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM
U3IdbfYNVtRIzCW5XTvhv2E=
=rJGg
-----END PGP SIGNATURE-----

Comment 1 Marc Schoenefeld 2009-03-03 09:31:31 UTC

The patch: 

http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/filters/SavedRequestInputFilter.java?r1=423920&r2=465126&view=patch

Comment 4 Tomas Hoger 2010-05-11 10:46:10 UTC

Upstream commit:
  http://svn.apache.org/viewvc?view=revision&revision=465127

Comment 5 David Jorm 2011-06-24 02:51:17 UTC

Statement:
Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as
shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3, Red Hat
Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions
and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache
Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web
Server 1.0. It also did not affect the versions of jbossweb as shipped with
JBoss Enterprise Application Platform 4.3.0 and earlier versions.

Note You need to log in before you can comment on or make changes to this bug.