From the upstream advisory [1]: For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That lead to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request. The issue was resolved be ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries. Upstream has released 7.0.22 and 6.0.35 to correct this flaw. Earlier versions of Tomcat (5.0.x and earlier) are not affected. This was fixed in Tomcat 6.0.x via r1185995 [2]. More information is in the upstream bug [3]. [1] http://seclists.org/fulldisclosure/2012/Jan/236 [2] http://svn.apache.org/viewvc?view=revision&revision=1185998 [3] https://issues.apache.org/bugzilla/show_bug.cgi?id=51872
RHEL 6/tomcat6 is not affected. It is 6.0.24, while this flaw only affects 6.0.30 to 6.0.33.
JBoss Web is not affected by this flaw.
Created tomcat6 tracking bugs for this issue Affects: fedora-all [bug 783721]
It appears that this does affect EWS 1.0.2 (tomcat 6.0.32). Are we making any kind of progress on this?
(In reply to comment #6) > It appears that this does affect EWS 1.0.2 (tomcat 6.0.32). Are we making any > kind of progress on this? EWS is affected by this flaw. We plan to ship a patch as part of an async erratum to EWS 1.0.2. The erratum is currently in the development and QE process. We do not have a firm target date for the release.
Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?
(In reply to comment #10) > Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)? An erratum for EWS 1.0.2 is in progress. It is currently awaiting QE.
This issue has been addressed in following products: JBEWS 1.0 Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html
This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 6 Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html