Bug 612799 (CVE-2010-2227) - CVE-2010-2227 tomcat: information leak vulnerability in the handling of 'Transfer-Encoding' header
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-2227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 613004 613005 613944 613945 613946 613948 614422 614424 616750 616751 617501 632313 632314
Blocks:
Reported: 2010-07-09 04:17 UTC by Vincent Danen
Modified: 2020-06-18 03:10 UTC (History)

Fixed In Version: tomcat5 5.5.30, tomcat6 6.0.28
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-16 18:36:10 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0580 0 normal SHIPPED_LIVE Important: tomcat5 security update 2010-08-02 20:00:06 UTC
Red Hat Product Errata RHSA-2010:0581 0 normal SHIPPED_LIVE Important: tomcat5 and tomcat6 security update 2010-08-02 20:39:04 UTC
Red Hat Product Errata RHSA-2010:0582 0 normal SHIPPED_LIVE Important: tomcat5 security update 2010-08-02 20:17:44 UTC
Red Hat Product Errata RHSA-2010:0583 0 normal SHIPPED_LIVE Important: tomcat5 security update 2010-08-02 20:17:39 UTC
Red Hat Product Errata RHSA-2010:0584 0 normal SHIPPED_LIVE Important: jbossweb security update 2010-08-02 20:18:02 UTC
Red Hat Product Errata RHSA-2010:0693 0 normal SHIPPED_LIVE Important: tomcat5 security update 2010-09-10 08:37:13 UTC

Description Vincent Danen 2010-07-09 04:17:46 UTC
A flaw in the handling of the 'Transfer-Encoding' header was found. A
remote attacker could trigger this flaw, which would cause subsequent
requests to fail or information to leak between requests. This flaw is
mitigated if Tomcat is behind a proxy, as the proxy should reject the
invalid transfer encoding header.

This was fixed in r958977:

http://svn.apache.org/viewvc?view=revision&revision=958977

Upstream 6.0.28 corrects this flaw as noted:

http://tomcat.apache.org/security-6.html

There is no upstream indication that this has been fixed in Tomcat5; however, the patches mostly apply (a few rejects) with fuzz.
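
A proxy-side check of the kind the description relies on as mitigation, added here as an illustration and not taken from Tomcat or from this bug report: it forwards only requests whose Transfer-Encoding value is well formed under RFC 7230 (known codings, 'chunked' last, no Content-Length alongside) and rejects everything else before it reaches the backend. The header dict and sample values are constructed for the example.

```python
import re

# Transfer-codings registered for HTTP/1.1 (RFC 7230). A front-end that
# forwards only these shields a backend that mishandles unknown values.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}

# RFC 7230 "token" characters: no separators, whitespace or controls.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_transfer_encoding(value):
    """Split a Transfer-Encoding value into lowercase coding names.

    Raises ValueError when any list element is not a well-formed token.
    """
    codings = []
    for part in value.split(","):
        part = part.strip()
        if part == "":
            # The list grammar permits empty elements ('chunked,,');
            # skip them rather than treating them as a coding.
            continue
        # Drop any ';parameter' section; only the coding name matters here.
        name = part.split(";", 1)[0].strip()
        if not _TOKEN.match(name):
            raise ValueError("malformed transfer-coding token: %r" % part)
        codings.append(name.lower())
    return codings


def transfer_encoding_is_acceptable(headers):
    """Decide whether a request's framing headers are safe to forward.

    `headers` maps lowercase header names to values (constructed input).
    Accepts only if Transfer-Encoding is absent, or consists solely of
    known codings with a single 'chunked' as the final one and no
    Content-Length alongside it (ambiguous framing, RFC 7230 3.3.3).
    """
    te = headers.get("transfer-encoding")
    if te is None:
        return True
    try:
        codings = parse_transfer_encoding(te)
    except ValueError:
        return False
    if not codings or codings[-1] != "chunked" or codings.count("chunked") > 1:
        return False
    if not all(c in KNOWN_CODINGS for c in codings):
        return False
    return "content-length" not in headers
```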

Comment 4 Vincent Danen 2010-07-09 15:47:38 UTC
Tomcat 5.5.30 is available to fix this flaw:

http://tomcat.apache.org/security-5.html

And the svn revision (patches) to correct it:

http://svn.apache.org/viewvc?view=revision&revision=959428

Comment 18 Jan Lieskovsky 2010-07-27 08:00:51 UTC
This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Enterprise Linux 5.

This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Application Server v2.

This flaw affects the versions of the tomcat5 and tomcat6 packages,
as shipped with JBoss Enterprise Web Server 1.0.1 for Red Hat
Enterprise Linux 4 and 5.

This flaw affects the version of the tomcat5 package, as shipped
with Red Hat Developer Suite 3.

Comment 21 errata-xmlrpc 2010-08-02 20:00:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0580 https://rhn.redhat.com/errata/RHSA-2010-0580.html

Comment 22 errata-xmlrpc 2010-08-02 20:17:47 UTC
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2010:0582 https://rhn.redhat.com/errata/RHSA-2010-0582.html

Comment 23 errata-xmlrpc 2010-08-02 20:17:58 UTC
This issue has been addressed in the following products:

  Red Hat Developer Suite V.3

Via RHSA-2010:0583 https://rhn.redhat.com/errata/RHSA-2010-0583.html

Comment 24 errata-xmlrpc 2010-08-02 20:18:05 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.2.0 for RHEL 5
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2010:0584 https://rhn.redhat.com/errata/RHSA-2010-0584.html

Comment 25 errata-xmlrpc 2010-08-02 20:39:07 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2010:0581 https://rhn.redhat.com/errata/RHSA-2010-0581.html

Comment 26 Vincent Danen 2010-09-09 16:51:23 UTC
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 632313]

Comment 27 Vincent Danen 2010-09-09 16:51:31 UTC
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [bug 632314]

Comment 28 errata-xmlrpc 2010-09-10 08:37:20 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0693 https://rhn.redhat.com/errata/RHSA-2010-0693.html

Comment 29 David Jorm 2012-03-28 00:18:50 UTC
This issue has been addressed in an asynchronous patch to JBoss Enterprise Application Platform 5.0.1, available here (login required):

https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=3683&product=appplatform&version=5.0.1&downloadType=securityPatches

It is also fixed in all subsequent versions of JBoss Enterprise Application Platform 5.