The message argument of the HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason phrase of the HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user-supplied data must be included in the message argument.
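As an added example (not code from this bug report, nor the Tomcat project's own fix), the following servlet filter shows the kind of application-level mitigation a deployment could apply while waiting for the patched packages listed in this report: it wraps the response so that any message passed to sendError() has characters that are illegal in an HTTP reason phrase removed before the container writes the status line. The class and method names (SafeSendErrorFilter, SafeErrorResponse, sanitizeReasonPhrase) are hypothetical; the allowed character set (printable ASCII plus horizontal tab) is a deliberately conservative subset of what RFC 2616 permits in a reason phrase.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical mitigation filter (not Tomcat's own fix): wraps the HTTP
 * response so that the message handed to sendError() is stripped of
 * characters that must not appear in a status line before it reaches
 * the container.
 */
public class SafeSendErrorFilter implements Filter {

    /** Response wrapper that sanitizes the sendError() message. */
    static class SafeErrorResponse extends HttpServletResponseWrapper {
        SafeErrorResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void sendError(int sc, String msg) throws IOException {
            super.sendError(sc, sanitizeReasonPhrase(msg));
        }
    }

    /**
     * Keeps only horizontal tab and printable ASCII (0x20..0x7E).
     * CR and LF would terminate the status line and let the remainder of
     * the message be parsed as response headers, so they and every other
     * control character, plus any non-ASCII character, are dropped.
     * Escaping the message for display in the HTML error page is a
     * separate, body-level concern and is not handled here.
     */
    static String sanitizeReasonPhrase(String msg) {
        if (msg == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(msg.length());
        for (int i = 0; i < msg.length(); i++) {
            char c = msg.charAt(i);
            if (c == '\t' || (c >= 0x20 && c < 0x7f)) {
                out.append(c);
            }
            // everything else (CR, LF, other controls, non-ASCII) is discarded
        }
        return out.toString();
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request,
                    new SafeErrorResponse((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a <filter> element naming the class and a <filter-mapping> with <url-pattern>/*</url-pattern> so every servlet's sendError() goes through the wrapper. This only covers calls made through the wrapped response object; it is a stopgap, and the durable fix is the updated Tomcat packages referenced below.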
Public now via: http://tomcat.apache.org/security-6.html
Also affects older Tomcat versions: http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html
Patch available here: http://svn.apache.org/viewvc?rev=680947&view=rev
tomcat6-6.0.18-1.1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/tomcat6-6.0.18-1.1.fc9
tomcat6-6.0.18-1.1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
tomcat5-5.5.27-0jpp.1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.1.fc8
tomcat5-5.5.27-0jpp.2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc9
tomcat5-5.5.27-0jpp.2.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc8
tomcat5-5.5.27-0jpp.2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
tomcat5-5.5.27-0jpp.2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Certificate System 7.3 via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html