Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1088 to the following vulnerability:
============================

Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.

References:
[1] http://www.securityfocus.com/archive/1/archive/1/517013/100/0/threaded
[2] http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E
[3] http://markmail.org/message/lzx5273wsgl5pob6
[4] http://markmail.org/message/yzmyn44f5aetmm2r
[5] http://svn.apache.org/viewvc?view=revision&revision=1076586
[6] http://svn.apache.org/viewvc?view=revision&revision=1076587
[7] http://svn.apache.org/viewvc?view=revision&revision=1077995
[8] http://tomcat.apache.org/security-7.html
[9] http://www.securityfocus.com/bid/46685
[10] http://www.osvdb.org/71027
[11] http://www.securitytracker.com/id?1025215
[12] http://secunia.com/advisories/43684
[13] http://www.vupen.com/english/advisories/2011/0563
[14] http://xforce.iss.net/xforce/xfdb/65971

The upstream fix for this issue has been recognized to introduce a regression:
[15] http://mail-archives.apache.org/mod_mbox/www-announce/201104.mbox/%3C4D9CA2BC.3070608@apache.org%3E

and CVE identifier of CVE-2011-1183 has been assigned to this:
==============================================================

Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.

References:
[16] http://www.securityfocus.com/archive/1/archive/1/517362/100/0/threaded
[17] http://seclists.org/fulldisclosure/2011/Apr/96
[18] http://svn.apache.org/viewvc?view=revision&revision=1087643
[19] http://tomcat.apache.org/security-7.html
[20] http://www.securityfocus.com/bid/47196
[21] http://xforce.iss.net/xforce/xfdb/66675

Later an error in the fixes for CVE-2011-1088 and CVE-2011-1183 has been reported:
[22] http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103@apache.org%3E

which resulted in CVE-2011-1582 assignment:
===========================================

Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.

References:
[23] http://www.securityfocus.com/archive/1/archive/1/518032/100/0/threaded
[24] http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103@apache.org%3E
[25] http://svn.apache.org/viewvc?view=revision&revision=1100832
[26] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29
[27] http://www.securityfocus.com/bid/47886
[28] http://www.vupen.com/english/advisories/2011/1255
[29] http://xforce.iss.net/xforce/xfdb/67515
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1419 to the following vulnerability:

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

References:
[30] http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E
[31] http://markmail.org/message/lzx5273wsgl5pob6
[32] http://markmail.org/message/yzmyn44f5aetmm2r
[33] http://marc.info/?l=tomcat-user&m=129966773405409&w=2
[34] http://svn.apache.org/viewvc?view=revision&revision=1079752
[35] http://tomcat.apache.org/security-7.html
[36] http://www.securityfocus.com/bid/46685
[37] http://www.osvdb.org/71027
[38] http://secunia.com/advisories/43684
[39] http://www.vupen.com/english/advisories/2011/0563
[40] http://xforce.iss.net/xforce/xfdb/65971
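The kind of constraint these four CVEs concern, as an added illustration that is not part of this bug record or of Tomcat's own code: a servlet protected by a ServletSecurity annotation, the same restriction written declaratively in web.xml together with a login configuration (the two situations named in CVE-2011-1183 and CVE-2011-1419 are a web.xml with no login-config and one with no security-constraint), and an in-servlet role check so that a container that fails to apply the annotation still does not serve the privileged response. The servlet name `AdminReportServlet`, the path `/admin/report` and the role `admin` are assumed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: every HTTP method requires the "admin" role.
// On Tomcat 7.0.0-7.0.10 (CVE-2011-1088) this annotation was not enforced, so the
// servlet would have answered unauthenticated requests as if no constraint existed.
@WebServlet(urlPatterns = "/admin/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: the container should already have authenticated the caller
        // and checked the role, but verify it again before doing privileged work.
        // An unauthenticated caller has no roles, so this yields 403 rather than data.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("admin report for " + req.getRemoteUser());
    }

    /* Declarative equivalent for WEB-INF/web.xml. Declaring the constraint here, with an
       explicit login-config, does not rely on annotation processing at all:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>admin area</web-resource-name>
           <url-pattern>/admin/*</url-pattern>
         </web-resource-collection>
         <auth-constraint><role-name>admin</role-name></auth-constraint>
       </security-constraint>
       <login-config><auth-method>BASIC</auth-method></login-config>
       <security-role><role-name>admin</role-name></security-role>
    */
}
```

A deployment check that costs nothing: request the protected path without credentials and confirm the container answers 401 (or 403), not the report; on the affected releases the annotation-only form returned the report.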
Statement CVE-2011-1088:

Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3, Red Hat Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web Server 1.0. It also did not affect the versions of jbossweb as shipped with JBoss Enterprise Application Platform 4.3.0 and earlier versions, as this flaw only affects Apache Tomcat 7.0.0 to 7.0.10.

Statement CVE-2011-1183:

Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3, Red Hat Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web Server 1.0. It also did not affect the versions of jbossweb as shipped with JBoss Enterprise Application Platform 4.3.0 and earlier versions, as this flaw only affects Apache Tomcat 7.0.11.

Statement CVE-2011-1582:

Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3, Red Hat Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web Server 1.0. It also did not affect the versions of jbossweb as shipped with JBoss Enterprise Application Platform 4.3.0 and earlier versions, as this flaw only affects Apache Tomcat 7.0.12 and 7.0.13.

Statement CVE-2011-1419:

Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3, Red Hat Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web Server 1.0. It also did not affect the versions of jbossweb as shipped with JBoss Enterprise Application Platform 4.3.0 and earlier versions, as this flaw only affects Apache Tomcat 7.0.0 to 7.0.10.